From 3b413044611d5f88d27d1a7e75dfb6d7f1cfc501 Mon Sep 17 00:00:00 2001
From: akrcc <ak@clage.de>
Date: Mon, 4 Mar 2024 10:48:09 +0100
Subject: [PATCH] Fix zip path traversal vulnerability

inspired by:
* https://github.com/MobileChromeApps/cordova-plugin-zip/pull/92
---
 src/android/Zip.java | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/android/Zip.java b/src/android/Zip.java
index 4b5de862d..deccd0aaf 100644
--- a/src/android/Zip.java
+++ b/src/android/Zip.java
@@ -121,11 +121,20 @@ private void unzipSync(CordovaArgs args, CallbackContext callbackContext) {
                 anyEntries = true;
                 String compressedName = ze.getName();
 
+                File file = new File(outputDirectory + compressedName);
+
+                String canonicalPath = file.getCanonicalPath();
+                String canonicalOutputPath = (new File(outputDirectory)).getCanonicalPath();
+                if (!canonicalPath.startsWith(canonicalOutputPath)) {
+                    String errorMessage = "Zip traversal security error";
+                    callbackContext.error(errorMessage);
+                    Log.e(LOG_TAG, errorMessage);
+                    return;
+                }
+
                 if (ze.isDirectory()) {
-                   File dir = new File(outputDirectory + compressedName);
-                   dir.mkdirs();
+                   file.mkdirs();
                 } else {
-                    File file = new File(outputDirectory + compressedName);
                     file.getParentFile().mkdirs();
                     if(file.exists() || file.createNewFile()){
                         Log.w("Zip", "extracting: " + file.getPath());