Merge pull request #132 from hotwired/prevent-file-symlinks

Reject file URIs whose origin points to app resource files through symlinks
hotwired · Jan 20, 2021 · b389337 · b389337
2 parents 96b8b2a + d4849e2
commit b389337
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/turbo/src/main/kotlin/dev/hotwire/turbo/util/TurboUriHelper.kt b/turbo/src/main/kotlin/dev/hotwire/turbo/util/TurboUriHelper.kt
@@ -5,9 +5,9 @@ import android.database.Cursor
 import android.net.Uri
 import android.provider.OpenableColumns
 import android.webkit.MimeTypeMap
-import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 import java.io.File
+import java.io.IOException
 
 class TurboUriHelper(val context: Context) {
     @Suppress("BlockingMethodInNonBlockingContext") // https://youtrack.jetbrains.com/issue/KT-39684
@@ -44,6 +44,10 @@ class TurboUriHelper(val context: Context) {
     private fun getFileUriAttributes(uri: Uri): TurboUriAttributes? {
         val file = uri.getFile() ?: return null
 
+        if (file.originIsAppResource()) {
+            return null
+        }
+
         return TurboUriAttributes(
             fileName = file.name,
             mimeType = uri.mimeType(),
@@ -94,6 +98,19 @@ class TurboUriHelper(val context: Context) {
             fileSize = 0
         )
     }
+
+    /**
+     * Determine if the file points to an app resource. Symbolic link
+     * attacks can target app resource files to steal private data.
+     */
+    private fun File.originIsAppResource(): Boolean {
+        return try {
+            canonicalPath.contains(context.packageName)
+        } catch (e: IOException) {
+            TurboLog.e("${e.message}")
+            false
+        }
+    }
 
     private fun Uri.fileExtension(): String? {
         return lastPathSegment?.extract("\\.([0-9a-z]+)$")