archive: support generic extraction in drawers

Author: yhs0602

app/src/main/java/com/kyhsgeekcode/Util.kt

@@ -115,54 +115,59 @@ suspend fun extract(
     publisher: (Long, Long) -> Unit = { current, total -> }
 ) =
     withContext(Dispatchers.IO) {
-        Log.v("extract", "File:${from.path}")
-        var archi: ArchiveInputStream? = null
-        val totalSize = from.length()
-        try {
-            archi =
-                ArchiveStreamFactory().createArchiveInputStream(BufferedInputStream(from.inputStream()))
-            var entry: ArchiveEntry?
+        extractSupportedArchive(from, toDir) { current, total ->
+            publisher(current, total)
+        }
+    }
 
+@Throws(IOException::class, SecurityException::class)
+fun extractSupportedArchive(
+    from: File,
+    toDir: File,
+    publisher: (Long, Long) -> Unit = { _, _ -> }
+) {
+    val totalSize = from.length()
+    try {
+        ArchiveStreamFactory().createArchiveInputStream(BufferedInputStream(from.inputStream())).use { archi ->
+            var entry: ArchiveEntry?
             while (archi.nextEntry.also { entry = it } != null) {
-                if (entry!!.name == "")
-                    continue
-                if (!archi.canReadEntryData(entry)) {
-                    // log something?
-                    Log.e("Extract archive", "Cannot read entry data")
+                val archiveEntry = entry ?: continue
+                if (archiveEntry.name.isBlank()) continue
+                if (!archi.canReadEntryData(archiveEntry)) {
                     continue
                 }
-                val f = toDir.resolve(entry?.name!!)
-                if (entry!!.isDirectory) {
-                    if (!f.isDirectory && !f.mkdirs()) {
-                        throw IOException("failed to create directory $f")
+
+                val outputFile = toDir.resolve(archiveEntry.name)
+                val canonicalPath = outputFile.canonicalPath
+                if (!canonicalPath.startsWith(toDir.canonicalPath)) {
+                    throw SecurityException(
+                        "The archive file may have a Zip Path Traversal Vulnerability." +
+                                "Is the archive file trusted?"
+                    )
+                }
+
+                if (archiveEntry.isDirectory) {
+                    if (!outputFile.isDirectory && !outputFile.mkdirs()) {
+                        throw IOException("failed to create directory $outputFile")
                     }
                 } else {
-                    val parent = f.parentFile
-                    if (!parent.isDirectory && !parent.mkdirs()) {
+                    val parent = outputFile.parentFile
+                    if (parent != null && !parent.isDirectory && !parent.mkdirs()) {
                         throw IOException("failed to create directory $parent")
                     }
-                    if (!f.canonicalPath.startsWith(toDir.canonicalPath)) {
-                        throw SecurityException(
-                            "The zip/apk file may have a Zip Path Traversal Vulnerability." +
-                                    "Is the zip/apk file trusted?"
-                        )
+                    outputFile.outputStream().use { output ->
+                        IOUtils.copy(archi, output)
                     }
-                    val o = f.outputStream()
-                    IOUtils.copy(archi, o)
-                    o.close()
-                }
-                withContext(Dispatchers.Main) {
-                    publisher(archi.bytesRead, totalSize)
                 }
+                publisher(archi.bytesRead, totalSize)
             }
-        } catch (e: ArchiveException) {
-            Log.e("Extract archive", "error inflating", e)
-        } catch (e: ZipException) {
-            Log.e("Extract archive", "error inflating", e)
-        } finally {
-            archi?.close()
         }
+    } catch (e: ArchiveException) {
+        throw IOException("error inflating archive", e)
+    } catch (e: ZipException) {
+        throw IOException("error inflating archive", e)
     }
+}
 
 fun String.toValidFileName(): String {
     return this.replace(Regex("[\\\\/:*?\"<>|]"), "")

app/src/main/java/com/kyhsgeekcode/disassembler/FileDrawerListAdapter.kt

@@ -17,18 +17,15 @@ import com.kyhsgeekcode.disassembler.project.ProjectDataStorage
 import com.kyhsgeekcode.disassembler.project.ProjectManager
 import com.kyhsgeekcode.disassembler.project.models.ProjectModel
 import com.kyhsgeekcode.disassembler.project.models.ProjectType
+import com.kyhsgeekcode.extractSupportedArchive
 import com.kyhsgeekcode.getDrawable
 import org.jf.baksmali.Main
 import splitties.init.appCtx
 import java.io.File
-import java.io.FileInputStream
-import java.io.FileOutputStream
 import java.io.IOException
 import java.nio.ByteBuffer
 import java.nio.ByteOrder
 import java.util.*
-import java.util.zip.ZipEntry
-import java.util.zip.ZipInputStream
 import kotlin.experimental.and
 import kotlin.math.roundToInt
 
@@ -103,36 +100,9 @@ class FileDrawerListAdapter(val progressHandler: ProgressHandler) {
                 targetDirectory.mkdirs()
                 val total = File(path).length() * 2
                 progressHandler.publishProgress(0, total.toInt())
-                var read = 0
                 try {
-                    val zi = ZipInputStream(FileInputStream(path))
-                    var entry: ZipEntry? = null
-                    val buffer = ByteArray(2048)
-                    while (zi.nextEntry?.also { entry = it } != null) {
-                        val outfile = File(targetDirectory, entry!!.name)
-                        val canonicalPath = outfile.canonicalPath
-                        if (!canonicalPath.startsWith(targetDirectory.canonicalPath)) {
-                            throw SecurityException(
-                                "The file may have a Zip Path Traversal Vulnerability." +
-                                        "Is the file trusted?"
-                            )
-                        }
-                        outfile.parentFile.mkdirs()
-                        var output: FileOutputStream? = null
-                        try {
-                            if (entry!!.name == "")
-                                continue
-                            Log.d(TAG, "entry: $entry, outfile:$outfile")
-                            output = FileOutputStream(outfile)
-                            var len = 0
-                            while (zi.read(buffer).also { len = it } > 0) {
-                                output.write(buffer, 0, len)
-                            }
-                            read += len
-                        } finally { // we must always close the output file
-                            output?.close()
-                        }
-                        progressHandler.publishProgress(read)
+                    extractSupportedArchive(File(path), targetDirectory) { current, totalBytes ->
+                        progressHandler.publishProgress(current.toInt(), totalBytes.toInt())
                     }
                     progressHandler.finishProgress()
                     return getSubObjects(FileDrawerListItem(targetDirectory, initialLevel))

app/src/main/java/com/kyhsgeekcode/disassembler/FileDrawerListItem.kt

@@ -14,6 +14,7 @@ import com.kyhsgeekcode.disassembler.project.ProjectDataStorage
 import com.kyhsgeekcode.disassembler.project.ProjectManager
 import com.kyhsgeekcode.disassembler.project.models.ProjectModel
 import com.kyhsgeekcode.disassembler.project.models.ProjectType
+import com.kyhsgeekcode.extractSupportedArchive
 import com.kyhsgeekcode.filechooser.model.getValueFromTypeKindAndBytes
 import com.kyhsgeekcode.getDrawable
 import com.kyhsgeekcode.isArchive
@@ -22,8 +23,6 @@ import org.jf.baksmali.Main
 import timber.log.Timber
 import java.io.*
 import java.util.*
-import java.util.zip.ZipEntry
-import java.util.zip.ZipInputStream
 
 class FileDrawerListItem {
     var caption: String
@@ -301,36 +300,9 @@ class FileDrawerListItem {
                 targetDirectory.mkdirs()
                 val total = File(path).length() * 2
                 progressHandler(0, total.toInt())
-                var read = 0
                 try {
-                    val zi = ZipInputStream(FileInputStream(path))
-                    var entry: ZipEntry? = null
-                    val buffer = ByteArray(2048)
-                    while (zi.nextEntry?.also { entry = it } != null) {
-                        val outfile = File(targetDirectory, entry!!.name)
-                        val canonicalPath = outfile.canonicalPath
-                        if (!canonicalPath.startsWith(targetDirectory.canonicalPath)) {
-                            throw SecurityException(
-                                "The file may have a Zip Path Traversal Vulnerability." +
-                                        "Is the file trusted?"
-                            )
-                        }
-                        outfile.parentFile.mkdirs()
-                        var output: FileOutputStream? = null
-                        try {
-                            if (entry!!.name == "")
-                                continue
-                            Timber.d("entry: " + entry + ", outfile:" + outfile)
-                            output = FileOutputStream(outfile)
-                            var len = 0
-                            while (zi.read(buffer).also { len = it } > 0) {
-                                output.write(buffer, 0, len)
-                            }
-                            read += len
-                        } finally { // we must always close the output file
-                            output?.close()
-                        }
-                        progressHandler(read, 100)
+                    extractSupportedArchive(File(path), targetDirectory) { current, totalBytes ->
+                        progressHandler(current.toInt(), totalBytes.toInt())
                     }
                     finishHandler()
                     return FileDrawerListItem(targetDirectory, initialLevel).getSubObjects()

app/src/main/java/com/kyhsgeekcode/disassembler/ui/FileDrawerTree.kt

@@ -11,19 +11,16 @@ import com.kyhsgeekcode.disassembler.project.ProjectManager
 import com.kyhsgeekcode.disassembler.project.models.ProjectModel
 import com.kyhsgeekcode.disassembler.project.models.ProjectType
 import com.kyhsgeekcode.disassembler.ui.components.TreeNode
+import com.kyhsgeekcode.extractSupportedArchive
 import com.kyhsgeekcode.filechooser.model.getValueFromTypeKindAndBytes
 import com.kyhsgeekcode.getDrawable
 import com.kyhsgeekcode.isArchive
 import org.boris.pecoff4j.io.PEParser
 import org.jf.baksmali.Main
 import timber.log.Timber
 import java.io.File
-import java.io.FileInputStream
-import java.io.FileOutputStream
 import java.io.IOException
 import java.util.*
-import java.util.zip.ZipEntry
-import java.util.zip.ZipInputStream
 
 // TODO: Cache children before invalidating
 class FileDrawerTreeItem : TreeNode<FileDrawerTreeItem> {
@@ -214,40 +211,8 @@ class FileDrawerTreeItem : TreeNode<FileDrawerTreeItem> {
 //                appCtx.filesDir.resolve("extracted").resolve()
                 targetDirectory.deleteRecursively()
                 targetDirectory.mkdirs()
-                val total = File(path).length() * 2
-                // progressHandler(0, total.toInt())
-                var read = 0
                 try {
-                    val zi = ZipInputStream(FileInputStream(path))
-                    var entry: ZipEntry? = null
-                    val buffer = ByteArray(2048)
-                    while (zi.nextEntry?.also { entry = it } != null) {
-                        val outfile = File(targetDirectory, entry!!.name)
-                        val canonicalPath = outfile.canonicalPath
-                        if (!canonicalPath.startsWith(targetDirectory.canonicalPath)) {
-                            throw SecurityException(
-                                "The file may have a Zip Path Traversal Vulnerability." +
-                                        "Is the file trusted?"
-                            )
-                        }
-                        outfile.parentFile.mkdirs()
-                        var output: FileOutputStream? = null
-                        try {
-                            if (entry!!.name == "")
-                                continue
-                            Timber.d("entry: " + entry + ", outfile:" + outfile)
-                            output = FileOutputStream(outfile)
-                            var len = 0
-                            while (zi.read(buffer).also { len = it } > 0) {
-                                output.write(buffer, 0, len)
-                            }
-                            read += len
-                        } finally { // we must always close the output file
-                            output?.close()
-                        }
-                        // progressHandler(read, 100)
-                    }
-                    // finishHandler()
+                    extractSupportedArchive(File(path), targetDirectory)
                     return FileDrawerTreeItem(targetDirectory, initialLevel).getChildren()
                 } catch (e: IOException) {
                     Log.e("FileAdapter", "", e)

app/src/test/java/com/kyhsgeekcode/disassembler/ArchiveExtractionTest.kt

@@ -0,0 +1,72 @@
+package com.kyhsgeekcode.disassembler
+
+import com.kyhsgeekcode.extractSupportedArchive
+import org.apache.commons.compress.archivers.ar.ArArchiveEntry
+import org.apache.commons.compress.archivers.ar.ArArchiveOutputStream
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.io.TempDir
+import java.io.FileOutputStream
+import java.nio.file.Path
+import java.util.zip.ZipEntry
+import java.util.zip.ZipOutputStream
+
+class ArchiveExtractionTest {
+    @TempDir
+    lateinit var tempDir: Path
+
+    @Test
+    fun `extractSupportedArchive extracts zip archives`() {
+        val archive = tempDir.resolve("sample.zip")
+        ZipOutputStream(FileOutputStream(archive.toFile())).use { zip ->
+            zip.putNextEntry(ZipEntry("nested/readme.txt"))
+            zip.write("hello zip".encodeToByteArray())
+            zip.closeEntry()
+        }
+        val outputDir = tempDir.resolve("zip-out").toFile()
+
+        extractSupportedArchive(archive.toFile(), outputDir)
+
+        assertEquals(
+            "hello zip",
+            outputDir.resolve("nested/readme.txt").readText()
+        )
+    }
+
+    @Test
+    fun `extractSupportedArchive extracts ar archives`() {
+        val archive = tempDir.resolve("sample.ar")
+        ArArchiveOutputStream(FileOutputStream(archive.toFile())).use { ar ->
+            val content = "hello ar".encodeToByteArray()
+            ar.putArchiveEntry(ArArchiveEntry("readme.txt", content.size.toLong()))
+            ar.write(content)
+            ar.closeArchiveEntry()
+        }
+        val outputDir = tempDir.resolve("ar-out").toFile()
+
+        extractSupportedArchive(archive.toFile(), outputDir)
+
+        assertEquals(
+            "hello ar",
+            outputDir.resolve("readme.txt").readText()
+        )
+    }
+
+    @Test
+    fun `extractSupportedArchive rejects path traversal entries`() {
+        val archive = tempDir.resolve("evil.zip")
+        ZipOutputStream(FileOutputStream(archive.toFile())).use { zip ->
+            zip.putNextEntry(ZipEntry("../escape.txt"))
+            zip.write("nope".encodeToByteArray())
+            zip.closeEntry()
+        }
+        val outputDir = tempDir.resolve("evil-out").toFile()
+
+        val error = org.junit.jupiter.api.assertThrows<SecurityException> {
+            extractSupportedArchive(archive.toFile(), outputDir)
+        }
+
+        assertTrue(error.message!!.contains("Path Traversal"))
+    }
+}

docs/maintenance/backlog-triage.ko.md

@@ -45,7 +45,7 @@
 | `.so`/ELF/autosetup | `#514`, `#543`, `#576`, `#137` | `covered-by-open-pr` | `#728`에서 64-bit ELF machine type 매핑과 override autosetup 재적용 경로를 먼저 수정했다 | `#728` 병합 후 실제 `.so` 샘플로 재검증하고 남는 parser 문제만 분리 |
 | crash report 저신호 묶음 | `#716`, `#672`, `#512`, `#508`, `#507`, `#490`, `#438`, `#376`, `#280` | `needs-repro` | 제목만으로는 원인 판단이 어렵고 재현 자료가 부족하다 | 공통 템플릿으로 추가 정보 요청 후 재현 안 되면 정리 |
 | SWF 요청 중복 | `#721`, `#112` | `planned-fast-follow` | 같은 방향의 기능 요청이다 | 최신 요청 `#721` 중심으로 정리하고 하나는 중복 처리 검토 |
-| 포맷 확장 요청 | `#120`, `#116`, `#124`, `#129` | `planned-fast-follow` | 유효한 확장 요청이지만 기준선 복구 후가 맞다 | 포맷별 난이도와 수요를 다시 평가 |
+| 포맷 확장 요청 | `#120`, `#116`, `#124`, `#129` | `planned-fast-follow` | `#129`는 `#728`에서 generic archive extraction으로 먼저 흡수했고, 나머지는 기준선 복구 후가 맞다 | `#129`는 `#728` 병합 후 정리하고 나머지는 포맷별 난이도와 수요를 다시 평가 |
 | export/저장 유틸 | `#123`, `#159`, `#720` | `covered-by-open-pr` | `#728`에서 project ZIP export, detail `.txt` 저장, import 파일명 정규화/테스트를 함께 정리했다 | `#728` 병합 후 실제 기기에서 export/save 동작 확인하고 정리 |
 | 재컴파일/대형 기능 요청 | `#529`, `#706` | `obsolete-or-policy-invalid` | 유지보수 범위를 넘어서는 별도 제품 수준 요구에 가깝다 | 현재 유지보수 스코프에서는 보류 또는 종료 후보 |
 | 모호한 기능 요청 | `#717`, `#710`, `#596`, `#582`, `#532`, `#491`, `#425`, `#162`, `#158` | `obsolete-or-policy-invalid` | 설명이 너무 넓거나 현재 제품 방향과 맞지 않는 항목이 많다 | 구체화 요청 후 근거 없으면 정리 |