Zip Traversal Vulernability related to react-native-code-push

Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):

Steps to Reproduce

  1. Submit app to google play store with version ^6.2.0 (from my package.json)

Expected Behavior

What you expected to happen?
App is not rejected for security vulnerability

Actual Behavior

What actually happens?

Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue.
- com.microsoft.codepush.react.FileUtils.unzipFile

Reproducible Demo

Go into the source directory for react-native-code-push@6.2.0 and run

grep -rnw . -e 'ZipInputStream'

It outputs

./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:12:import java.util.zip.ZipInputStream;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:129:        ZipInputStream zipStream = null;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:133:            zipStream = new ZipInputStream(bufferedStream);

Environment

  • react-native-code-push version: ^6.2.0
  • react-native version: ^0.63.4
  • iOS/Android/Windows version: Specific to Android, not specific to version of Android OS
  • Does this reproduce on a debug build or release build? not applicable, but release
  • Does this reproduce on a simulator, or only on a physical device? not applicable, but both presumably

(The more info the faster we will be able to address it!)

1 possible answer(s) on “Zip Traversal Vulernability related to react-native-code-push

  1. appears that the issue is we’re on 6.2.1 and there was a fix for this which was included in 6.3.0; so the solution is to update to 6.4.1 or greater