From cc32370530dd4405ea1da0095cf407717188e69a Mon Sep 17 00:00:00 2001
From: tes
Date: Tue, 12 May 2026 12:18:06 -0300
Subject: [PATCH] Merge commit from fork

file_path from main_entry.txt inside the bugreport zip is device controlled and was used directly to open files on the host without validation. Validate the resolved path stays within extract_path using Path.resolve() + is_relative_to() before opening. Unsafe paths raise ValueError and abort the operation.

Fixes GHSA-58fm-wv78-6929
---
 src/mvt/android/modules/bugreport/base.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/mvt/android/modules/bugreport/base.py b/src/mvt/android/modules/bugreport/base.py
index 70ede77..519ea70 100644
--- a/src/mvt/android/modules/bugreport/base.py
+++ b/src/mvt/android/modules/bugreport/base.py
@@ -6,6 +6,7 @@ import datetime
 import fnmatch
 import logging
 import os
+from pathlib import Path
 from typing import List, Optional
 from zipfile import ZipFile
 
@@ -70,7 +71,10 @@ class BugReportModule(MVTModule):
         else:
             if not self.extract_path:
                 raise ValueError("extract_path is not set")
-            handle = open(os.path.join(self.extract_path, file_path), "rb")
+            joined = os.path.join(self.extract_path, file_path)
+            if not Path(joined).resolve().is_relative_to(Path(self.extract_path).resolve()):
+                raise ValueError("unsafe file_path")
+            handle = open(joined, "rb")
             data = handle.read()
             handle.close()
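Review bot: `Path.is_relative_to` on the new guard line only exists from Python 3.9, so if the package still declares 3.8 support this raises AttributeError on every extracted-directory read rather than rejecting only bad paths; confirm the minimum version in the project metadata, or compare with `os.path.commonpath([resolved, base]) == base` instead. The guard itself is sound for the `os.path.join` absolute-path and `..` cases, and a one-line comment would preserve the reasoning for the next reader: `# file_path is taken from the device-supplied bugreport, so reject anything that resolves outside extract_path`. The rewritten `open` line keeps the manual `handle.close()` pattern, which leaks the descriptor if `read()` raises; `with open(joined, "rb") as handle:` / `data = handle.read()` closes it on every path and also fits the style of the rest of the module. The enclosing method starts and ends outside this hunk, so the zip-archive branch that handles the same `file_path` is not visible here.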