Prevent arbitrary file writes with malicious resource names. (#3484)

* refactor: rename sanitize function

* fix: expose getDir

* fix: safe handling of untrusted resource names

 - fixes: GHSA-2hqv-2xv4-5h5w

* test: sample file for GHSA-2hqv-2xv4-5h5w

* refactor: avoid detection of absolute files for resource check

* chore: enable info mode on gradle

* test: skip test on windows

* chore: debug windows handling

* fix: normalize entry with file separators

* fix: normalize filepath after cleansing

* chore: Android paths are not OS specific

* refactor: use java.nio for path traversal checking

* chore: align path separator on Windows for Zip files

* chore: rework towards basic directory traversal

* chore: remove '--info' on build.yml

brut.apktool/apktool-lib/src/test/java/brut/androlib/decode/ResourceDirectoryTraversalTest.java

@@ -0,0 +1,65 @@
+/*
+ *  Copyright (C) 2010 Ryszard Wiśniewski <brut.alll@gmail.com>
+ *  Copyright (C) 2010 Connor Tumbleson <connor.tumbleson@gmail.com>
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *       https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package brut.androlib.decode;
+
+import brut.androlib.ApkDecoder;
+import brut.androlib.BaseTest;
+import brut.androlib.Config;
+import brut.androlib.TestUtils;
+import brut.common.BrutException;
+import brut.directory.ExtFile;
+import brut.util.OS;
+import brut.util.OSDetection;
+import org.junit.AfterClass;
+import org.junit.Assume;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+
+import static org.junit.Assert.assertTrue;
+
+public class ResourceDirectoryTraversalTest extends BaseTest {
+
+    @BeforeClass
+    public static void beforeClass() throws Exception {
+        TestUtils.cleanFrameworkFile();
+        sTmpDir = new ExtFile(OS.createTempDirectory());
+        TestUtils.copyResourceDir(ResourceDirectoryTraversalTest.class, "decode/arbitrary-write/", sTmpDir);
+        Assume.assumeFalse(OSDetection.isWindows());
+    }
+
+    @AfterClass
+    public static void afterClass() throws BrutException {
+        OS.rmdir(sTmpDir);
+    }
+
+    @Test
+    public void checkIfMaliciousRawFileIsDisassembledProperly() throws BrutException, IOException {
+        String apk = "GHSA-2hqv-2xv4-5h5w.apk";
+
+        Config config = Config.getDefaultConfig();
+        config.forceDelete = true;
+        ApkDecoder apkDecoder = new ApkDecoder(config, new File(sTmpDir + File.separator + apk));
+        File outDir = new File(sTmpDir + File.separator + apk + ".out");
+        apkDecoder.decode(outDir);
+
+        File pocTestFile =  new File(outDir,"res/raw/poc");
+        assertTrue(pocTestFile.exists());
+    }
+}

brut.apktool/apktool-lib/src/test/java/brut/androlib/util/UnknownDirectoryTraversalTest.java

@@ -51,7 +51,7 @@ public class UnknownDirectoryTraversalTest extends BaseTest {
 
     @Test
     public void validFileTest() throws IOException, BrutException {
-        String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "file");
+        String validFilename = BrutIO.sanitizeFilepath(sTmpDir, "file");
         assertEquals(validFilename, "file");
 
         File validFile = new File(sTmpDir, validFilename);
@@ -60,18 +60,18 @@ public class UnknownDirectoryTraversalTest extends BaseTest {
 
     @Test(expected = TraversalUnknownFileException.class)
     public void invalidBackwardFileTest() throws IOException, BrutException {
-        BrutIO.sanitizeUnknownFile(sTmpDir, "../file");
+        BrutIO.sanitizeFilepath(sTmpDir, "../file");
     }
 
     @Test(expected = RootUnknownFileException.class)
     public void invalidRootFileTest() throws IOException, BrutException {
         String rootLocation = OSDetection.isWindows() ? "C:/" : File.separator;
-        BrutIO.sanitizeUnknownFile(sTmpDir, rootLocation + "file");
+        BrutIO.sanitizeFilepath(sTmpDir, rootLocation + "file");
     }
 
     @Test(expected = InvalidUnknownFileException.class)
     public void noFilePassedTest() throws IOException, BrutException {
-        BrutIO.sanitizeUnknownFile(sTmpDir, "");
+        BrutIO.sanitizeFilepath(sTmpDir, "");
     }
 
     @Test(expected = TraversalUnknownFileException.class)
@@ -83,12 +83,12 @@ public class UnknownDirectoryTraversalTest extends BaseTest {
             invalidPath = "..\\..\\app.exe";
         }
 
-        BrutIO.sanitizeUnknownFile(sTmpDir, invalidPath);
+        BrutIO.sanitizeFilepath(sTmpDir, invalidPath);
     }
 
     @Test
     public void validDirectoryFileTest() throws IOException, BrutException {
-        String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");
+        String validFilename = BrutIO.sanitizeFilepath(sTmpDir, "dir" + File.separator + "file");
         assertEquals("dir" + File.separator + "file", validFilename);
     }
 }