From 000aa61ecc6bc7d37ecaf8dff944627a74c53d30 Mon Sep 17 00:00:00 2001
From: ego
Date: Wed, 18 Aug 2021 16:20:09 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20zip=20=E8=B7=AF=E5=BE=84=E7=A9=BF?=
 =?UTF-8?q?=E9=80=8F=E7=9B=91=E6=B5=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../java/com/opensource/svgaplayer/SVGACache.kt | 2 +-
 .../java/com/opensource/svgaplayer/SVGAParser.kt | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt b/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt
index d8fc61a..8e7b503 100644
--- a/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt
+++ b/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt
@@ -56,7 +56,7 @@ object SVGACache {
     }
 
     // 清除目录下的所有文件
-    private fun clearDir(path: String) {
+    internal fun clearDir(path: String) {
         try {
             val dir = File(path)
             dir.takeIf { it.exists() }?.let { parentDir ->
diff --git a/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt b/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt
index bad4bb1..07d151f 100644
--- a/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt
+++ b/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt
@@ -154,7 +154,7 @@ class SVGAParser(context: Context?) {
                     playCallback
                 )
             }
-        } catch (e: java.lang.Exception) {
+        } catch (e: Exception) {
             this.invokeErrorCallback(e, callback)
         }
     }
@@ -501,6 +501,7 @@ class SVGAParser(context: Context?) {
                 continue
             }
             val file = File(cacheDir, zipItem.name)
+            ensureUnzipSafety(file, cacheDir.absolutePath)
             FileOutputStream(file).use { fileOutputStream ->
                 val buff = ByteArray(2048)
                 while (true) {
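Review bot: `clearDir` is widened from private to internal with no documentation of its contract, and per its own comment it removes the files under whatever directory `path` names; the other file in this commit now calls it with `cacheDir.absolutePath` on the unzip failure path. A KDoc replacing the bare comment would make the obligation explicit, e.g. `/** Removes the files under the directory named by [path]. Callers must only pass a directory owned by the SVGA cache, since any caller in the module can now reach this. */`. The function's body continues outside the hunk, so whether the deletion is recursive cannot be confirmed from here.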
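Review bot: `ensureUnzipSafety(file, cacheDir.absolutePath)` guards only the branch that writes a file, after the `continue` at the top of the hunk; if the branch that `continue`s (outside the hunk) creates directories for directory entries, those paths are never checked and the same guard belongs there as well. The placement relative to the write is right: the check runs after `File(cacheDir, zipItem.name)` is built and before `FileOutputStream(file)` opens anything. The enclosing unzip function starts and ends outside this hunk.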
@@ -519,8 +520,18 @@ class SVGAParser(context: Context?) {
         } catch (e: Exception) {
             LogUtils.error(TAG, "================ unzip error ================")
             LogUtils.error(TAG, "error", e)
+            SVGACache.clearDir(cacheDir.absolutePath)
             cacheDir.delete()
             throw e
         }
     }
+
+    // 检查 zip 路径穿透
+    private fun ensureUnzipSafety(outputFile: File, dstDirPath: String) {
+        val dstDirCanonicalPath = File(dstDirPath).canonicalPath
+        val outputFileCanonicalPath = outputFile.canonicalPath
+        if (!outputFileCanonicalPath.startsWith(dstDirCanonicalPath)) {
+            throw IOException("Found Zip Path Traversal Vulnerability with $dstDirCanonicalPath")
+        }
+    }
 }
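Review bot: The new `ensureUnzipSafety` compares canonical paths with a bare `startsWith`, so an entry that resolves to a sibling directory whose name merely begins with the cache directory's name (a constructed example: destination `/data/cache/svga`, entry resolving to `/data/cache/svga2/x`) is accepted. Compare against the directory plus a separator instead: `if (!outputFileCanonicalPath.startsWith(dstDirCanonicalPath + File.separator)) {`; since the call site always builds `outputFile` as `File(cacheDir, zipItem.name)`, equality with the directory itself needs no special case. The added `SVGACache.clearDir(cacheDir.absolutePath)` ahead of `cacheDir.delete()` deserves a why-comment such as `// empty the directory first: File.delete() fails on a non-empty directory`, and the exception message would help diagnosis more if it also named the rejected entry rather than only the destination directory.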