
Conversation

@odaysec odaysec commented Jan 12, 2026

General fix approach

When checking whether a user-supplied path is within a given directory, ensure you are comparing normalized Path objects or, if using strings, that directory paths are slash-terminated before using startsWith. In Java, Path#startsWith performs a component-wise check and avoids the partial-prefix issue.

Best concrete fix here

We only need to adjust Util.isAppSpecificStorageFileUri in Util.java. Currently it does:

String filePath = new File(uriPath).getCanonicalPath();
String internalAppDirectoryPath = activity.getFilesDir().getCanonicalPath();
@Nullable File externalAppDirectory = activity.getExternalFilesDir(/* type= */ null);
@Nullable
String externalAppDirectoryPath =
    externalAppDirectory == null ? null : externalAppDirectory.getCanonicalPath();
return filePath.startsWith(internalAppDirectoryPath)
    || (externalAppDirectoryPath != null && filePath.startsWith(externalAppDirectoryPath));

We will convert these to Path objects and use startsWith on normalized paths:

Path filePath = new File(uriPath).toPath().toRealPath();
Path internalAppDirectoryPath = activity.getFilesDir().toPath().toRealPath();
@Nullable File externalAppDirectory = activity.getExternalFilesDir(/* type= */ null);
@Nullable Path externalAppDirectoryPath =
    externalAppDirectory == null ? null : externalAppDirectory.toPath().toRealPath();
return filePath.startsWith(internalAppDirectoryPath)
    || (externalAppDirectoryPath != null && filePath.startsWith(externalAppDirectoryPath));

This keeps the original behavior (checking “inside app-specific internal or external storage”) but removes the partial-prefix issue. toRealPath() is roughly the Path equivalent of getCanonicalPath(), resolving symlinks and ...

We must add the necessary imports at the top of Util.java:

import java.nio.file.Path;
import java.nio.file.Paths;

(We actually only need Path; Paths is not strictly required, so we will only import Path.)

References

Partial Path Traversal
CVE-2022-23457: ESAPI Vulnerability Report
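
To make the partial-prefix issue concrete, here is an added stand-alone example (not code from this PR or from Util.java; the class, method and directory names are my own) that runs the original String#startsWith check beside the Path#startsWith check on a constructed temp-directory layout with a sibling directory whose name shares the app directory's prefix:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Demonstrates why a string prefix test is not a "is inside directory" test. */
public class PathPrefixCheckDemo {

  /** Original pattern: canonicalized strings compared with String#startsWith. */
  static boolean isInsideByString(File dir, File candidate) throws IOException {
    return candidate.getCanonicalPath().startsWith(dir.getCanonicalPath());
  }

  /** Fixed pattern: Path#startsWith compares whole path components. */
  static boolean isInsideByPath(File dir, File candidate) throws IOException {
    return candidate.toPath().toRealPath().startsWith(dir.toPath().toRealPath());
  }

  public static void main(String[] args) throws IOException {
    // Constructed layout (hypothetical names): <tmp>/files stands in for the
    // app directory, <tmp>/files-other is an unrelated sibling that shares the
    // string prefix "<tmp>/files".
    Path root = Files.createTempDirectory("prefixdemo");
    File appDir = Files.createDirectory(root.resolve("files")).toFile();
    File sibling = Files.createDirectory(root.resolve("files-other")).toFile();
    File inside = Files.createFile(appDir.toPath().resolve("ok.txt")).toFile();
    File outside = Files.createFile(sibling.toPath().resolve("leak.txt")).toFile();
    // A ".." segment that starts under the app dir but resolves into the sibling.
    File dotdot = new File(appDir, "../files-other/leak.txt");

    // Expected: inside  -> string=true  path=true
    //           sibling -> string=true  path=false  (partial-prefix match)
    //           dotdot  -> string=true  path=false  (resolves outside)
    System.out.println("inside  string=" + isInsideByString(appDir, inside)
        + " path=" + isInsideByPath(appDir, inside));
    System.out.println("sibling string=" + isInsideByString(appDir, outside)
        + " path=" + isInsideByPath(appDir, outside));
    System.out.println("dotdot  string=" + isInsideByString(appDir, dotdot)
        + " path=" + isInsideByPath(appDir, dotdot));
  }
}
```

One caveat for the Path version: toRealPath() throws if the file does not exist yet, whereas getCanonicalPath() does not, so a check that runs before the file is created needs toAbsolutePath().normalize() on the candidate instead.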

@microkatz microkatz self-assigned this Jan 19, 2026