Merge pull request #1979 from miguelpruivo/feature/path-traversal-vulnerability-in-file-name-handling

fix(android): mitigate CWE-22 path traversal vulnerability in FileUtils

Author: navaronbracke

.gitignore

@@ -2,6 +2,9 @@
 .atom/
 .idea/
 .vscode/
+.project
+.classpath
+.settings/
 
 .packages
 .pub/

CHANGELOG.md

@@ -1,4 +1,7 @@
 ## 11.0.2
+### Android
+- Fixed a Path Traversal vulnerability (CWE-22) when resolving file paths from external content providers. [#1967](https://github.com/miguelpruivo/flutter_file_picker/issues/1967)
+
 ### Linux
 - Fixed "Cannot add to a fixed-length list" crash when opening or saving files with an initial directory on Linux. [#1976](https://github.com/miguelpruivo/flutter_file_picker/issues/1976)
 

android/.classpath

@@ -63,48 +63,52 @@ object FileUtils {
 
             val files = mutableListOf<FileInfo>()
 
-            when {
-                data.clipData != null -> {
-                    for (i in 0 until data.clipData!!.itemCount) {
-                        var uri = data.clipData!!.getItemAt(i).uri
-                        uri = processUri(activity, uri, compressionQuality)
-                        addFile(activity, uri, loadDataToMemory, files)
+            try {
+                when {
+                    data.clipData != null -> {
+                        for (i in 0 until data.clipData!!.itemCount) {
+                            var uri = data.clipData!!.getItemAt(i).uri
+                            uri = processUri(activity, uri, compressionQuality)
+                            addFile(activity, uri, loadDataToMemory, files)
+                        }
+                        finishWithSuccess(files)
                     }
-                    finishWithSuccess(files)
-                }
 
-                data.data != null -> {
-                    var uri = processUri(activity, data.data!!, compressionQuality)
-
-                    if (type == "dir") {
-                        uri = DocumentsContract.buildDocumentUriUsingTree(
-                            uri,
-                            DocumentsContract.getTreeDocumentId(uri)
-                        )
-                        val dirPath = getFullPathFromTreeUri(uri, activity)
-                        if (dirPath != null) {
-                            finishWithSuccess(dirPath)
+                    data.data != null -> {
+                        var uri = processUri(activity, data.data!!, compressionQuality)
+
+                        if (type == "dir") {
+                            uri = DocumentsContract.buildDocumentUriUsingTree(
+                                uri,
+                                DocumentsContract.getTreeDocumentId(uri)
+                            )
+                            val dirPath = getFullPathFromTreeUri(uri, activity)
+                            if (dirPath != null) {
+                                finishWithSuccess(dirPath)
+                            } else {
+                                finishWithError("unknown_path", "Failed to retrieve directory path.")
+                            }
                         } else {
-                            finishWithError("unknown_path", "Failed to retrieve directory path.")
+                            addFile(activity, uri, loadDataToMemory, files)
+                            handleFileResult(files)
                         }
-                    } else {
-                        addFile(activity, uri, loadDataToMemory, files)
-                        handleFileResult(files)
                     }
-                }
 
-                data.extras?.containsKey("selectedItems") == true -> {
-                    val fileUris = getSelectedItems(data.extras!!)
-                    fileUris?.filterIsInstance<Uri>()?.forEach { uri ->
-                        addFile(activity, uri, loadDataToMemory, files)
+                    data.extras?.containsKey("selectedItems") == true -> {
+                        val fileUris = getSelectedItems(data.extras!!)
+                        fileUris?.filterIsInstance<Uri>()?.forEach { uri ->
+                            addFile(activity, uri, loadDataToMemory, files)
+                        }
+                        finishWithSuccess(files)
                     }
-                    finishWithSuccess(files)
-                }
 
-                else -> finishWithError(
-                    "unknown_activity",
-                    "Unknown activity error, please fill an issue."
-                )
+                    else -> finishWithError(
+                        "unknown_activity",
+                        "Unknown activity error, please fill an issue."
+                    )
+                }
+            } catch (e: Exception) {
+                finishWithError("file_picker_error", e.message ?: "Unknown error")
             }
         }
     }
@@ -536,6 +540,11 @@ object FileUtils {
                 ?: "unamed")
 
         val file = File(path)
+        
+        val safeDir = File(context.cacheDir.absolutePath + "/file_picker/").canonicalPath
+        if (!file.canonicalPath.startsWith(safeDir)) {
+            throw SecurityException("Path traversal detected. Escaping the intended cache directory is not allowed.")
+        }
 
         if (!file.exists()) {
             try {