React-native-code-push: Zip Traversal Vulnerability related to react-native-code-push

Created on 3 Mar 2021 · 4 Comments · Source: microsoft/react-native-code-push

Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):

Steps to Reproduce

  1. Submit app to google play store with version ^6.2.0 (from my package.json)

Expected Behavior

What you expected to happen?
App is not rejected for security vulnerability

Actual Behavior

What actually happens?

Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue.
- com.microsoft.codepush.react.FileUtils.unzipFile

Reproducible Demo

Go into the source directory for [email protected] and run

grep -rnw . -e 'ZipInputStream'

It outputs

./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:12:import java.util.zip.ZipInputStream;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:129:        ZipInputStream zipStream = null;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:133:            zipStream = new ZipInputStream(bufferedStream);

Environment

  • react-native-code-push version: ^6.2.0
  • react-native version: ^0.63.4
  • iOS/Android/Windows version: Specific to Android, not specific to version of Android OS
  • Does this reproduce on a debug build or release build? not applicable, but release
  • Does this reproduce on a simulator, or only on a physical device? not applicable, but both presumably

(The more info the faster we will be able to address it!)

All 4 comments

checked on v7.0.0 and files are the same, could this be specific to my gradle files? I'll follow the instructions again and see if something has become out of date (haven't changed since initial integration 3 years ago)

Here are the integrations from my gradle integrations:

settings.gradle

include ':app', ':react-native-code-push'
project(':react-native-code-push').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-code-push/android/app')

app/build.gradle

apply from: "../../node_modules/react-native/react.gradle"
apply from: "../../node_modules/react-native-code-push/android/codepush.gradle"

MainApplication.java

...
import com.microsoft.codepush.react.CodePush;
public class MainApplication extends Application implements ReactApplication {
    ...
    private final ReactNativeHost mReactNativeHost = new ReactNativeHost(this) {
        ... 
        @Override
        protected String getJSBundleFile() {
           return CodePush.getJSBundleFile();
        }
        ... 
        @Override
         protected String getJSMainModuleName() {
            return "index";
         }
    }
}
...

strings.xml

<resources>
    <string name="app_name">App</string>
</resources>

Could the difference between the current setups cause this vulnerability?

appears that the issue is we're on 6.2.1 and there was a fix for this which was included in 6.3.0; so the solution is to update to 6.4.1 or greater

Thanks @alita-moore we've just come across this and it's very refreshing to see it solved!! 🎉
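
One way to guard an unzip loop against the path traversal that the Play warning in this issue refers to, shown as an added example (not code from react-native-code-push or from anyone in this thread). The class and method names are hypothetical, and the two sample archives are constructed in memory.

```java
import java.io.*;
import java.nio.file.Files;
import java.util.zip.*;

// Added example, not project code. SafeUnzipDemo, unzip and zipWith are hypothetical names.
public class SafeUnzipDemo {
    // Extracts the archive under destDir, rejecting any entry that would resolve outside it.
    static void unzip(InputStream in, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zis = new ZipInputStream(new BufferedInputStream(in))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = new File(destDir, entry.getName());
                // getCanonicalPath() collapses "../" segments, so the prefix test sees the real target.
                if (!target.getCanonicalPath().startsWith(root)) {
                    throw new SecurityException("Zip entry escapes target directory: " + entry.getName());
                }
                if (entry.isDirectory()) { target.mkdirs(); continue; }
                target.getParentFile().mkdirs();
                try (OutputStream out = new FileOutputStream(target)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = zis.read(buf)) != -1) out.write(buf, 0, n);
                }
            }
        }
    }
    // Constructed sample input: a zip holding a single entry with the given name.
    static byte[] zipWith(String name) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write("sample".getBytes("UTF-8"));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("unzip-demo").toFile();
        unzip(new ByteArrayInputStream(zipWith("assets/index.bundle")), dest);
        System.out.println("extracted: " + new File(dest, "assets/index.bundle").exists());
        try {
            unzip(new ByteArrayInputStream(zipWith("../outside.txt")), dest);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The trailing separator on `root` matters: without it, a sibling directory whose name merely starts with the destination's name would pass the prefix test.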
