Merge pull request #12577 from nextcloud/fix/internal-file-exfiltration

Fix Path Traversal To Internal File ExFiltration
2024-11-23 13:45:35 +03:00 · 2024-03-04 11:46:35 +01:00 · 2024-03-04 11:46:35 +01:00 · c2d8c02de3
commit c2d8c02de3
parent 0c95d5a77d 89770f0de2
2 changed files with 14 additions and 2 deletions
--- a/app/src/androidTest/java/com/owncloud/android/ui/helpers/UriUploaderIT.kt
+++ b/app/src/androidTest/java/com/owncloud/android/ui/helpers/UriUploaderIT.kt
@ -5,11 +5,14 @@ import androidx.test.core.app.launchActivity
 import com.nextcloud.client.jobs.upload.FileUploadWorker
 import com.nextcloud.test.TestActivity
 import com.owncloud.android.AbstractIT
+import com.owncloud.android.lib.common.utils.Log_OC
 import org.junit.Assert
 import org.junit.Test

 class UriUploaderIT : AbstractIT() {

+    private val tag = "UriUploaderIT"
+
    @Test
    fun testUploadPrivatePathSharedPreferences() {
        launchActivity<TestActivity>().use { scenario ->
@ -43,6 +46,9 @@ class UriUploaderIT : AbstractIT() {
            null
        )
        val uploadResult = sut.uploadUris()
+
+        Log_OC.d(tag, "Upload Result: ${uploadResult.name}")
+
        Assert.assertEquals(
            "Wrong result code",
            UriUploader.UriUploaderResultCode.ERROR_SENSITIVE_PATH,
--- a/app/src/main/java/com/owncloud/android/ui/helpers/UriUploader.kt
+++ b/app/src/main/java/com/owncloud/android/ui/helpers/UriUploader.kt
@ -20,6 +20,8 @@
 package com.owncloud.android.ui.helpers

 import android.content.ContentResolver
+import android.content.Context
+import android.content.pm.ProviderInfo
 import android.net.Uri
 import android.os.Parcelable
 import com.nextcloud.client.account.User
@ -70,7 +72,7 @@ class UriUploader(
        try {
            val anySensitiveUri = mUrisToUpload
                .filterNotNull()
-                .any { isSensitiveUri((it as Uri)) }
+                .any { belongsToCurrentApplication(mActivity, it as Uri) }
            if (anySensitiveUri) {
                Log_OC.e(TAG, "Sensitive URI detected, aborting upload.")
                code = UriUploaderResultCode.ERROR_SENSITIVE_PATH
@ -111,7 +113,11 @@ class UriUploader(
        return mUploadPath + displayName
    }

-    private fun isSensitiveUri(uri: Uri): Boolean = uri.toString().contains(mActivity.packageName)
+    private fun belongsToCurrentApplication(ctx: Context, uri: Uri): Boolean {
+        val authority: String = uri.authority.toString()
+        val info: ProviderInfo = ctx.packageManager.resolveContentProvider(authority, 0) ?: return true
+        return ctx.packageName.equals(info.packageName)
+    }

    /**
     * Requests the upload of a file in the local file system to [FileUploadHelper] service.