react-native-update 9.1.4 → 9.1.6

@@ -9,6 +9,19 @@ def isNewArchitectureEnabled() {
9
9
  return project.hasProperty("newArchEnabled") && project.newArchEnabled == "true"
10
10
  }
11
11
 
12
+ def supportsNamespace() {
13
+ def parsed = com.android.Version.ANDROID_GRADLE_PLUGIN_VERSION.tokenize('.')
14
+ def major = parsed[0].toInteger()
15
+ def minor = parsed[1].toInteger()
16
+
17
+ // Namespace support was added in 7.3.0
18
+ if (major == 7 && minor >= 3) {
19
+ return true
20
+ }
21
+
22
+ return major >= 8
23
+ }
24
+
12
25
  apply plugin: 'com.android.library'
13
26
  if (isNewArchitectureEnabled()) {
14
27
  apply plugin: 'com.facebook.react'
@@ -16,6 +29,16 @@ if (isNewArchitectureEnabled()) {
16
29
 
17
30
 
18
31
  android {
32
+
33
+ if (supportsNamespace()) {
34
+ namespace "cn.reactnative.modules.update"
35
+
36
+ sourceSets {
37
+ main {
38
+ manifest.srcFile "src/main/AndroidManifestNew.xml"
39
+ }
40
+ }
41
+ }
19
42
  compileSdkVersion safeExtGet('compileSdkVersion', 28)
20
43
  buildToolsVersion safeExtGet('buildToolsVersion', '28.0.3')
21
44
 
@@ -1,4 +1,3 @@
1
- <?xml version="1.0" encoding="utf-8"?>
2
1
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
3
2
  package="cn.reactnative.modules.update">
4
3
  <application>
@@ -0,0 +1,14 @@
1
+ <manifest xmlns:android="http://schemas.android.com/apk/res/android">
2
+ <application>
3
+ <meta-data android:name="pushy_build_time" android:value="@string/pushy_build_time" />
4
+ <provider
5
+ android:name=".PushyFileProvider"
6
+ android:authorities="${applicationId}.pushy.fileprovider"
7
+ android:exported="false"
8
+ android:grantUriPermissions="true">
9
+ <meta-data
10
+ android:name="android.support.FILE_PROVIDER_PATHS"
11
+ android:resource="@xml/pushy_file_paths" />
12
+ </provider>
13
+ </application>
14
+ </manifest>
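Review bot: This second manifest repeats the `<provider>` and `<meta-data>` declarations by hand, and nothing in it says that it has to track `AndroidManifest.xml`; only the first lines of that file are visible here, so the overlap is inferred. If the two drift, builds that take the `supportsNamespace()` branch and builds that do not would ship different FileProvider settings, which matters for attributes such as `android:exported` and `android:grantUriPermissions`. I would add a header comment such as `<!-- Selected by build.gradle when AGP supports namespace; keep in sync with AndroidManifest.xml -->`. The directories granted through `@xml/pushy_file_paths` are not shown in this diff and are worth keeping as narrow as the update flow allows.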
@@ -237,19 +237,7 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
237
237
  while (entries.hasMoreElements()) {
238
238
  ZipEntry ze = entries.nextElement();
239
239
 
240
- String fn = ze.getName();
241
- File fmd = new File(param.unzipDirectory, fn);
242
-
243
- if (UpdateContext.DEBUG) {
244
- Log.d("RNUpdate", "Unzipping " + fn);
245
- }
246
-
247
- if (ze.isDirectory()) {
248
- fmd.mkdirs();
249
- continue;
250
- }
251
-
252
- zipFile.unzipToFile(ze, fmd);
240
+ zipFile.unzipToPath(ze, param.unzipDirectory);
253
241
  }
254
242
 
255
243
  zipFile.close();
@@ -324,8 +312,15 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
324
312
  } else {
325
313
  target = copyList.get((from));
326
314
  }
327
- target.add(new File(param.unzipDirectory, to));
328
- //copyFromResource(from, new File(param.unzipDirectory, to));
315
+ File toFile = new File(param.unzipDirectory, to);
316
+
317
+ // Fixing a Zip Path Traversal Vulnerability
318
+ // https://support.google.com/faqs/answer/9294009
319
+ String canonicalPath = toFile.getCanonicalPath();
320
+ if (!canonicalPath.startsWith(param.unzipDirectory.getCanonicalPath() + File.separator)) {
321
+ throw new SecurityException("Illegal name: " + to);
322
+ }
323
+ target.add(toFile);
329
324
  }
330
325
  continue;
331
326
  }
@@ -339,18 +334,9 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
339
334
  fout.close();
340
335
  continue;
341
336
  }
342
- File fmd = new File(param.unzipDirectory, fn);
343
337
 
344
- if (UpdateContext.DEBUG) {
345
- Log.d("RNUpdate", "Unzipping " + fn);
346
- }
347
338
 
348
- if (ze.isDirectory()) {
349
- fmd.mkdirs();
350
- continue;
351
- }
352
-
353
- zipFile.unzipToFile(ze, fmd);
339
+ zipFile.unzipToPath(ze, param.unzipDirectory);
354
340
  }
355
341
 
356
342
  zipFile.close();
@@ -419,18 +405,8 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
419
405
  fout.close();
420
406
  continue;
421
407
  }
422
- File fmd = new File(param.unzipDirectory, fn);
423
-
424
- if (UpdateContext.DEBUG) {
425
- Log.d("RNUpdate", "Unzipping " + fn);
426
- }
427
-
428
- if (ze.isDirectory()) {
429
- fmd.mkdirs();
430
- continue;
431
- }
432
408
 
433
- zipFile.unzipToFile(ze, fmd);
409
+ zipFile.unzipToPath(ze, param.unzipDirectory);
434
410
  }
435
411
 
436
412
  zipFile.close();
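Review bot: `zipFile.close()` sits after the extraction loop (new lines 410–412, and the same shape at new lines 240–243 and 339–342), so the `SecurityException` that `unzipToPath` now throws for an entry resolving outside `param.unzipDirectory` skips the close unless an enclosing try/finally exists outside these hunks. Opening the `SafeZipFile` in a try-with-resources would release the archive handle on the rejection path as well. `SecurityException` is unchecked, so it is also worth confirming that the surrounding task code reports it as a failed update rather than letting it escape the background thread; that code is not visible here. The inline containment check added at new lines 315–323 repeats the one in `SafeZipFile.unzipToPath` and could call a shared static helper so the two cannot diverge.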
@@ -1,5 +1,7 @@
1
1
  package cn.reactnative.modules.update;
2
2
 
3
+ import android.util.Log;
4
+
3
5
  import java.io.BufferedInputStream;
4
6
  import java.io.BufferedOutputStream;
5
7
  import java.io.File;
@@ -10,12 +12,15 @@ import java.util.Enumeration;
10
12
  import java.util.zip.ZipEntry;
11
13
  import java.util.zip.ZipFile;
12
14
 
15
+
13
16
  public class SafeZipFile extends ZipFile {
14
17
 
15
18
  public SafeZipFile(File file) throws IOException {
16
19
  super(file);
17
20
  }
18
21
 
22
+ private static final int BUFFER_SIZE = 8192;
23
+
19
24
  @Override
20
25
  public Enumeration<? extends ZipEntry> entries() {
21
26
  return new SafeZipEntryIterator(super.entries());
@@ -43,40 +48,46 @@ public class SafeZipFile extends ZipFile {
43
48
  * avoid ZipperDown
44
49
  */
45
50
  if (null != name && (name.contains("../") || name.contains("..\\"))) {
46
- throw new SecurityException("illegal entry: " + entry.getName());
51
+ throw new SecurityException("illegal entry: " + name);
47
52
  }
48
53
  }
49
54
  return entry;
50
55
  }
51
56
  }
52
57
 
53
- public void unzipToFile(ZipEntry entry, File output) throws IOException {
54
- InputStream inputStream = null;
55
- try {
56
- inputStream = getInputStream(entry);
57
- writeOutInputStream(output, inputStream);
58
- } finally {
59
- if (inputStream != null) {
60
- inputStream.close();
61
- }
58
+ public void unzipToPath(ZipEntry ze, File targetPath) throws IOException {
59
+ String name = ze.getName();
60
+ File target = new File(targetPath, name);
61
+
62
+ // Fixing a Zip Path Traversal Vulnerability
63
+ // https://support.google.com/faqs/answer/9294009
64
+ String canonicalPath = target.getCanonicalPath();
65
+ if (!canonicalPath.startsWith(targetPath.getCanonicalPath() + File.separator)) {
66
+ throw new SecurityException("Illegal name: " + name);
67
+ }
68
+
69
+ if (UpdateContext.DEBUG) {
70
+ Log.d("RNUpdate", "Unzipping " + name);
71
+ }
72
+
73
+ if (ze.isDirectory()) {
74
+ target.mkdirs();
75
+ return;
62
76
  }
77
+ unzipToFile(ze, target);
63
78
  }
64
79
 
65
- private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
66
- BufferedOutputStream output = null;
67
- try {
68
- output = new BufferedOutputStream(
69
- new FileOutputStream(file));
70
- BufferedInputStream input = new BufferedInputStream(inputStream);
71
- byte b[] = new byte[8192];
72
- int n;
73
- while ((n = input.read(b, 0, 8192)) >= 0) {
74
- output.write(b, 0, n);
75
- }
76
- } finally {
77
- if (output != null) {
78
- output.close();
80
+ public void unzipToFile(ZipEntry ze, File target) throws IOException {
81
+ try (InputStream inputStream = getInputStream(ze)) {
82
+ try (BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream(target));
83
+ BufferedInputStream input = new BufferedInputStream(inputStream)) {
84
+ byte[] buffer = new byte[BUFFER_SIZE];
85
+ int n;
86
+ while ((n = input.read(buffer, 0, BUFFER_SIZE)) >= 0) {
87
+ output.write(buffer, 0, n);
88
+ }
79
89
  }
80
90
  }
81
91
  }
92
+
82
93
  }
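Review bot: `unzipToFile` stays `public` (new line 80) and writes to whatever `File` it is handed, so the canonical-path check added in `unzipToPath` protects only callers that go through the new method. The call sites visible in this diff were all moved to `unzipToPath`; if none remain elsewhere, `private void unzipToFile(ZipEntry ze, File target) throws IOException` would make the checked method the only entry point. I would also give `unzipToPath` a Javadoc line, e.g. `/** Extracts ze beneath targetPath; throws SecurityException if the entry resolves outside it. */`. That Javadoc could also note that the result of `target.mkdirs()` is not checked and that parent directories of file entries are not created, so an archive without explicit directory entries would fail when `FileOutputStream` opens the target.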
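--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "react-native-update",
- "version": "9.1.4",
+ "version": "9.1.6",
  "description": "react-native hot update",
  "main": "lib/index.ts",
  "scripts": {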