Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):
Steps to Reproduce
- Submit app to Google Play Store with version ^6.2.0 (from my package.json)
What you expected to happen?
App is not rejected for security vulnerability
What actually happens?
Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue. - com.microsoft.codepush.react.FileUtils.unzipFile
Go into the source directory for email@example.com and run
```
grep -rnw . -e 'ZipInputStream'
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:12:import java.util.zip.ZipInputStream;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:129: ZipInputStream zipStream = null;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:133: zipStream = new ZipInputStream(bufferedStream);
```
- react-native-code-push version:
- react-native version:
- iOS/Android/Windows version:
Specific to Android, not specific to version of Android OS
- Does this reproduce on a debug build or release build?
not applicable, but release
- Does this reproduce on a simulator, or only on a physical device?
not applicable, but both presumably
(The more info the faster we will be able to address it!)