🔒 fix: Zip Path Traversal (ZipperDown) via Incomplete Sanitization

[sunnylqm]

🎯 What: Zip Path Traversal (ZipperDown) fixed

Implemented a robust path validation mechanism in the Android native module.

⚠️ Risk: The potential impact if left unfixed

Malicious update packages or untrusted inputs from the JavaScript side could exploit incomplete sanitization to perform arbitrary file writes outside the intended update directory. This could lead to code execution or sensitive data exposure on the device.

🛡️ Solution: How the fix addresses the vulnerability

• SafeZipFile.java: Introduced a validatePath static helper that ensures any target file resolved during extraction or copy strictly resides within its intended base directory, correctly handling canonical paths and trailing separators.
• DownloadTask.java: Consistently applied validatePath to all file copy and extraction operations, replacing insecure manual checks.
• UpdateContext.java: Added validation for the fileName parameter in downloadFile to prevent path traversal originating from JavaScript.

---

PR created automatically by Jules for task 5541180321825854582 started by @sunnylqm

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Strengthened path validation to prevent unsafe file operations during app update and resource extraction processes.
  • Implemented centralized security checks for file path handling across update workflows.
  • Improved error logging for failed resource operations, providing better visibility into update process issues.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes introduce a centralized path traversal security validation method across the update system. A new validatePath() utility in SafeZipFile replaces inline path checks in DownloadTask and UpdateContext, alongside a refactored unzipToFile() signature that accepts an explicit base directory parameter for enhanced safety.

Changes

Cohort / File(s)	Summary
Path Validation Extraction android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java	Introduced public static validatePath(File target, File baseDir) method to centralize path traversal validation. Updated unzipToFile signature to accept baseDir parameter and call validatePath. Replaced inlined path checks with validatePath calls in unzipToPath.
Security Check Integration android/src/main/java/cn/reactnative/modules/update/DownloadTask.java, android/src/main/java/cn/reactnative/modules/update/UpdateContext.java	Updated call sites to use new validatePath method for file operations. Modified resource extraction to pass unzip directory to unzipToFile. Added validation in patch-from-APK and patch-from-PPK flows. Enhanced error handling with warning logs on copy failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit hops through paths so grand,
With zip-slip guards on every land,
Validation rules now stand united,
Security and safety braided,
Safe files extracted, threats deleted! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security fix: addressing Zip Path Traversal (ZipperDown) vulnerability through improved path sanitization across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch security-fix-zipper-down-path-traversal-5541180321825854582

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

android/src/main/java/cn/reactnative/modules/update/UpdateContext.java (1)

116-120: Exception handling is misleading but functionally correct.

validatePath declares throws IOException but actually throws SecurityException (a RuntimeException) when a path traversal is detected. The catch (IOException) block only catches I/O errors from getCanonicalPath(), not the security violation itself.

This works because SecurityException propagates uncaught in both cases, and per the context in DownloadTask.doInBackground (lines 668-694), all Throwables are caught and routed to onDownloadFailed. However, the pattern is confusing.

Consider simplifying to let the SecurityException propagate directly:

♻️ Suggested refactor

         } else {
             params.targetFile = new File(rootDir, fileName);
-            try {
-                SafeZipFile.validatePath(params.targetFile, rootDir);
-            } catch (IOException e) {
-                throw new SecurityException("Illegal fileName: " + fileName);
-            }
+            try {
+                SafeZipFile.validatePath(params.targetFile, rootDir);
+            } catch (IOException e) {
+                throw new SecurityException("Illegal fileName: " + fileName, e);
+            }
         }

At minimum, chain the original exception for better debugging. The current implementation swallows the root cause.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@android/src/main/java/cn/reactnative/modules/update/UpdateContext.java`
around lines 116 - 120, The current try/catch around
SafeZipFile.validatePath(params.targetFile, rootDir) in UpdateContext.java
swallows the original IOException and throws a new SecurityException with no
cause; either let SecurityException propagate by removing the catch block or, if
you must convert, rethrow a SecurityException that chains the original
IOException (e.g., include the caught exception as the cause) so callers of
UpdateContext (and DownloadTask.doInBackground) can see the root cause; update
the handling around SafeZipFile.validatePath and the thrown SecurityException to
preserve the original exception information.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@android/src/main/java/cn/reactnative/modules/update/UpdateContext.java`:
- Around line 116-120: The current try/catch around
SafeZipFile.validatePath(params.targetFile, rootDir) in UpdateContext.java
swallows the original IOException and throws a new SecurityException with no
cause; either let SecurityException propagate by removing the catch block or, if
you must convert, rethrow a SecurityException that chains the original
IOException (e.g., include the caught exception as the cause) so callers of
UpdateContext (and DownloadTask.doInBackground) can see the root cause; update
the handling around SafeZipFile.validatePath and the thrown SecurityException to
preserve the original exception information.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e70691a-01ee-4ae5-b2e1-7d486ecbb936

📥 Commits

Reviewing files that changed from the base of the PR and between 5fa4b4d and 3e5fd72.

📒 Files selected for processing (3)

• android/src/main/java/cn/reactnative/modules/update/DownloadTask.java
• android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
• android/src/main/java/cn/reactnative/modules/update/UpdateContext.java