Skip to content

fix(security): Add path traversal guards to icon file reading#622

Merged
runningcode merged 3 commits into
mainfrom
no/fix-icon-path-traversal
May 15, 2026
Merged

fix(security): Add path traversal guards to icon file reading#622
runningcode merged 3 commits into
mainfrom
no/fix-icon-path-traversal

Conversation

@runningcode
Copy link
Copy Markdown
Contributor

@runningcode runningcode commented May 15, 2026
edited
Loading

Summary

  • Zip extraction already validates paths via is_safe_path(), but after extraction, icon reading code constructed file paths from attacker-controlled manifest/plist data without checking for directory traversal
  • Adds is_safe_path() checks to APK, AAB, and iOS icon reading, plus the icon parser's _find_file() method

Fixes EME-1152

🤖 Generated with Claude Code

@runningcode @claude
fix(security): Add path traversal guards to icon file reading
5302629 
Zip extraction already validates paths via is_safe_path(), but after
extraction, icon reading code constructed file paths from manifest data
without checking for traversal. A malicious manifest could reference
"../../../etc/passwd" as the icon path and escape the extract directory.

Add is_safe_path() checks to:
- APK.get_app_icon() (manifest icon_path)
- AAB.get_app_icon() (manifest icon_path)
- IconParser._find_file() (drawable references from parsed XML)
- ZippedXCArchive.get_app_icon() (plist icon names)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sentry
Copy link
Copy Markdown
Contributor

sentry Bot commented May 15, 2026
edited
Loading

📲 Install Builds

iOS

🔗 App Name App ID Version Configuration
HackerNews com.emergetools.hackernews 3.8 (1) Release

Android

🔗 App Name App ID Version Configuration
Hacker News com.emergetools.hackernews 1.0.2 (13) Release

⚙️ launchpad-test-android Build Distribution Settings

@runningcode @claude
fix(security): Raise UnsafePathError consistently for all path traversal
7a95f24 
All is_safe_path() callsites now raise UnsafePathError instead of some
logging warnings and returning None. Matches the behavior in
zip_provider._safe_extract().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sentry[bot]
sentry Bot reviewed May 15, 2026
View reviewed changes
Comment thread src/launchpad/parsers/android/icon/icon_parser.py
chromy
chromy approved these changes May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@chromy chromy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@runningcode @claude
fix(security): Re-raise UnsafePathError through except Exception blocks
fad39ac 
The broad except Exception blocks in render_from_path, APK.get_app_icon,
and AAB.get_app_icon were silently catching and swallowing UnsafePathError,
undermining the path traversal guards. Add explicit re-raise clauses so
the security error propagates to callers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@linear-code
Copy link
Copy Markdown

linear-code Bot commented May 15, 2026

EME-1152

@runningcode runningcode merged commit c84dec5 into main May 15, 2026
24 checks passed
@runningcode runningcode deleted the no/fix-icon-path-traversal branch May 15, 2026 12:29
@runningcode runningcode mentioned this pull request May 15, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@chromy chromy chromy approved these changes

@NicoHinderling NicoHinderling Awaiting requested review from NicoHinderling

@noahsmartin noahsmartin Awaiting requested review from noahsmartin

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@runningcode @chromy