Zip Traversal Vulernability related to react-native-code-push

[alita-moore]

Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):

Steps to Reproduce

1. Submit app to google play store with version ^6.2.0 (from my package.json)

Expected Behavior

What you expected to happen?
App is not rejected for security vulnerability

Actual Behavior

What actually happens?

Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue.
- com.microsoft.codepush.react.FileUtils.unzipFile

Reproducible Demo

Go into the source directory for react-native-code-push@6.2.0 and run

grep -rnw . -e 'ZipInputStream'

It outputs

./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:12:import java.util.zip.ZipInputStream;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:129:        ZipInputStream zipStream = null;
./node_modules/react-native-code-push/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java:133:            zipStream = new ZipInputStream(bufferedStream);

Environment

• react-native-code-push version: ^6.2.0
• react-native version: ^0.63.4
• iOS/Android/Windows version: Specific to Android, not specific to version of Android OS
• Does this reproduce on a debug build or release build? not applicable, but release
• Does this reproduce on a simulator, or only on a physical device? not applicable, but both presumably

(The more info the faster we will be able to address it!)

[alita-moore]

checked on v7.0.0 and files are the same, could this be specific to my gradle files? I'll follow the instructions again and see if something has become out of date (haven't changed since initial integration 3 years ago)

[alita-moore]

Here are the integrations from my gradle integrations:

settings.gradle

include ':app', ':react-native-code-push'
project(':react-native-code-push').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-code-push/android/app')

app/build.gradle

apply from: "../../node_modules/react-native/react.gradle"
apply from: "../../node_modules/react-native-code-push/android/codepush.gradle"

MainApplication.java

...
import com.microsoft.codepush.react.CodePush;
public class MainApplication extends Application implements ReactApplication {
    ...
    private final ReactNativeHost mReactNativeHost = new ReactNativeHost(this) {
        ... 
        @Override
        protected String getJSBundleFile() {
           return CodePush.getJSBundleFile();
        }
        ... 
        @Override
         protected String getJSMainModuleName() {
            return "index";
         }
    }
}
...

strings.xml

<resources>
    <string name="app_name">App</string>
</resources>

Could the difference between the current setups cause this vulnerability?

[alita-moore]

appears that the issue is we're on 6.2.1 and there was a fix for this which was included in 6.3.0; so the solution is to update to 6.4.1 or greater

[builtbyproxy]

Thanks @alita-moore we've just come across this and It's very refreshing to see it solved!! 🎉

[phongbksneep]

I use react native 0.59.9 and react native code push 5.7.0, can not update to 6.4.1