react-native-update 7.4.0 → 7.4.1

@@ -16,6 +16,40 @@ public class SafeZipFile extends ZipFile {
16
16
  super(file);
17
17
  }
18
18
 
19
+ @Override
20
+ public Enumeration<? extends ZipEntry> entries() {
21
+ return new SafeZipEntryIterator(super.entries());
22
+ }
23
+
24
+ private static class SafeZipEntryIterator implements Enumeration<ZipEntry> {
25
+
26
+ final private Enumeration<? extends ZipEntry> delegate;
27
+
28
+ private SafeZipEntryIterator(Enumeration<? extends ZipEntry> delegate) {
29
+ this.delegate = delegate;
30
+ }
31
+
32
+ @Override
33
+ public boolean hasMoreElements() {
34
+ return delegate.hasMoreElements();
35
+ }
36
+
37
+ @Override
38
+ public ZipEntry nextElement() {
39
+ ZipEntry entry = delegate.nextElement();
40
+ if (null != entry) {
41
+ String name = entry.getName();
42
+ /**
43
+ * avoid ZipperDown
44
+ */
45
+ if (null != name && (name.contains("../") || name.contains("..\\"))) {
46
+ throw new SecurityException("illegal entry: " + entry.getName());
47
+ }
48
+ }
49
+ return entry;
50
+ }
51
+ }
52
+
19
53
  public void unzipToFile(ZipEntry entry, File output) throws IOException {
20
54
  InputStream inputStream = null;
21
55
  try {
@@ -29,11 +63,6 @@ public class SafeZipFile extends ZipFile {
29
63
  }
30
64
 
31
65
  private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
32
- // https://support.google.com/faqs/answer/9294009
33
- String canonicalPath = file.getCanonicalPath();
34
- if (!canonicalPath.startsWith(UpdateContext.getRootDir())) {
35
- throw new SecurityException("illegal entry: " + file.getName());
36
- }
37
66
  BufferedOutputStream output = null;
38
67
  try {
39
68
  output = new BufferedOutputStream(
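Review bot: The name test added in `SafeZipEntryIterator.nextElement()` becomes the only path-traversal guard, because the second hunk deletes the canonical-path check from `writeOutInputStream`, the one place every extracted file passed through. A substring match on `../` or `..\\` only inspects the entry name: it says nothing about where the caller-built `File` resolves (for example through a symlink under the root), and since `unzipToFile` is public, an entry obtained other than through `entries()` is not checked at all. The deleted check was presumably dropped because `UpdateContext.getRootDir()` is no longer static; instead, keep a containment check at the write with the root handed in by the caller, e.g. `if (!file.getCanonicalPath().startsWith(rootDir.getCanonicalPath() + File.separator)) throw new SecurityException("illegal entry: " + file.getName());`, where `rootDir` is a `File` parameter. The trailing separator also closes the sibling-directory prefix match that the removed `startsWith(UpdateContext.getRootDir())` allowed. `writeOutInputStream` and `unzipToFile` continue outside the hunks, so how `file` is derived from the entry name is not visible here.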
@@ -19,14 +19,13 @@ import java.io.File;
19
19
 
20
20
  public class UpdateContext {
21
21
  private Context context;
22
- private static File rootDir;
22
+ private File rootDir;
23
23
  private Executor executor;
24
24
 
25
25
  public static boolean DEBUG = false;
26
26
  private static ReactInstanceManager mReactInstanceManager;
27
27
  private static boolean isUsingBundleUrl = false;
28
28
 
29
-
30
29
  public UpdateContext(Context context) {
31
30
  this.context = context;
32
31
  this.executor = Executors.newSingleThreadExecutor();
@@ -50,7 +49,7 @@ public class UpdateContext {
50
49
  }
51
50
  }
52
51
 
53
- public static String getRootDir() {
52
+ public String getRootDir() {
54
53
  return rootDir.toString();
55
54
  }
56
55
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "react-native-update",
3
- "version": "7.4.0",
3
+ "version": "7.4.1",
4
4
  "description": "react-native hot update",
5
5
  "main": "lib/index.js",
6
6
  "scripts": {