Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive: Path traversal attack detected #750

Closed
jpstotz opened this issue Sep 11, 2019 · 2 comments · Fixed by #1698
Closed

False positive: Path traversal attack detected #750

jpstotz opened this issue Sep 11, 2019 · 2 comments · Fixed by #1698
Labels
bug Core Issues in jadx-core module

Comments

@jpstotz
Copy link
Collaborator

jpstotz commented Sep 11, 2019
edited
Loading

While decompiling the latest Facbook Messenger app com.facebook.orca_230.0.0.12.117 (169378234) I encountered an messages on path traversal attacks that looks like a false positive:

Path traversal attack detected, invalid name: r/con.g.png

It seems that the path traversal detection system does not work reliable on Windows in case the file name starts with a con (which is a reserved word on Windows and can't therefore be used as a file name).

The canonical value of a path containing such a file always is converted to \\.\con.

From my understanding this may be a bug in Java (tested with Oracle Java 1.8 and OpenJDK 11.0.4).

Is there anything we can do about this?
@jpstotz jpstotz added bug Core Issues in jadx-core module labels Sep 11, 2019
@Nurlyy
Copy link

Nurlyy commented Oct 5, 2022

Did you solve this bug?

@jpstotz jpstotz mentioned this issue Oct 6, 2022
Merged
@jpstotz
Copy link
Collaborator Author

jpstotz commented Oct 6, 2022

@Nurlyy In the end I wouldn't cal it a bug. It is simply a misleading logging text that emphasizes the path traversal attack part and disconnects the invalid file-name part.

I created a PR that in my opinions improves those logging messages in a way that the Jadx users not stop reading on the "path traversal" part.

skylot pushed a commit that referenced this issue Oct 6, 2022
@jpstotz
fix: improve logging messages for zip security errors (#750)(PR #1698)
8a45602 
Logging error messages on invalid file-names or path traversal attacks improved
@anantshri anantshri mentioned this issue Oct 20, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Core Issues in jadx-core module
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Logging error messages improved jpstotz/jadx
2 participants
@jpstotz @Nurlyy