Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):
Steps to Reproduce
- Submit app to google play store with version ^6.2.0 (from my package.json)
Expected Behavior
What you expected to happen?
App is not rejected for security vulnerability
Actual Behavior
What actually happens?
Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue.
- com.microsoft.codepush.react.FileUtils.unzipFile
Reproducible Demo
Go into the source directory for react-native-code-push@6.2.0 and run
grep -rnw . -e 'ZipInputStream'
It outputs
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:12:import java.util.zip.ZipInputStream;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:129: ZipInputStream zipStream = null;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:133: zipStream = new ZipInputStream(bufferedStream);
Environment
- react-native-code-push version:
^6.2.0 - react-native version:
^0.63.4 - iOS/Android/Windows version:
Specific to Android, not specific to version of Android OS - Does this reproduce on a debug build or release build?
not applicable, but release - Does this reproduce on a simulator, or only on a physical device?
not applicable, but both presumably
(The more info the faster we will be able to address it!)
appears that the issue is we’re on
6.2.1and there was a fix for this which was included in6.3.0; so the solution is to update to6.4.1or greater