From ad0b5e58252eba56a5a3b22311a66ffa5e65cffe Mon Sep 17 00:00:00 2001
From: Vojtech Novak <vonovak@gmail.com>
Date: Mon, 5 Feb 2024 14:14:19 +0100
Subject: [PATCH] fix(android): path traversal vulnerability (#698)

* fix: path traversal vulnerability android

* docs: library update
---
 README.md                                              |  4 ++++
 .../DocumentPickerModule.java                          | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index debcb9f2..b2e7e48e 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
 # react-native-document-picker
 
+📣📣 A full rewrite of the library is in progress. 📣📣
+
+Please subscribe to [this issue](https://github.com/rnmods/react-native-document-picker/issues/603) to receive updates.
+
 🚧🚧 GH discussions available 🚧🚧
 
 If you want to ask questions, we opened [GH discussions](https://github.com/rnmods/react-native-document-picker/discussions) for that purpose! 🤗 Issue tracker is now reserved for bugs and feature requests only and issues not following the issue template can be closed. Thank you!
diff --git a/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java b/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java
index a14f6c6d..3c8ce5d6 100644
--- a/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java
+++ b/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java
@@ -311,7 +311,7 @@ private void copyFileToLocalStorage(Context context, WritableMap map, Uri uri) {
         if (fileName == null) {
           fileName = String.valueOf(System.currentTimeMillis());
         }
-        File destFile = new File(dir, fileName);
+        File destFile = safeGetDestination(new File(dir, fileName), dir.getCanonicalPath());
         Uri copyPath = copyFile(context, uri, destFile);
         map.putString(FIELD_FILE_COPY_URI, copyPath.toString());
       } catch (Exception e) {
@@ -321,6 +321,14 @@ private void copyFileToLocalStorage(Context context, WritableMap map, Uri uri) {
       }
     }
 
+    public File safeGetDestination(File destFile, String expectedDir) throws IllegalArgumentException, IOException {
+      String canonicalPath = destFile.getCanonicalPath();
+      if (!canonicalPath.startsWith(expectedDir)) {
+        throw new IllegalArgumentException("The copied file is attempting to write outside of the target directory.");
+      }
+      return destFile;
+    }
+
     public static Uri copyFile(Context context, Uri uri, File destFile) throws IOException {
       try(InputStream inputStream = context.getContentResolver().openInputStream(uri);
           FileOutputStream outputStream = new FileOutputStream(destFile)) {