
Merge pull request #12577 from nextcloud/fix/internal-file-exfiltration

Fix Path Traversal To Internal File Exfiltration
Alper Öztürk 1 жил өмнө
parent
commit
c2d8c02de3

+ 6 - 0
app/src/androidTest/java/com/owncloud/android/ui/helpers/UriUploaderIT.kt

@@ -5,11 +5,14 @@ import androidx.test.core.app.launchActivity
 import com.nextcloud.client.jobs.upload.FileUploadWorker
 import com.nextcloud.test.TestActivity
 import com.owncloud.android.AbstractIT
+import com.owncloud.android.lib.common.utils.Log_OC
 import org.junit.Assert
 import org.junit.Test
 
 class UriUploaderIT : AbstractIT() {
 
+    private val tag = "UriUploaderIT"
+
     @Test
     fun testUploadPrivatePathSharedPreferences() {
         launchActivity<TestActivity>().use { scenario ->
@@ -43,6 +46,9 @@ class UriUploaderIT : AbstractIT() {
             null
         )
         val uploadResult = sut.uploadUris()
+
+        Log_OC.d(tag, "Upload Result: ${uploadResult.name}")
+
         Assert.assertEquals(
             "Wrong result code",
             UriUploader.UriUploaderResultCode.ERROR_SENSITIVE_PATH,

+ 8 - 2
app/src/main/java/com/owncloud/android/ui/helpers/UriUploader.kt

@@ -20,6 +20,8 @@
 package com.owncloud.android.ui.helpers
 
 import android.content.ContentResolver
+import android.content.Context
+import android.content.pm.ProviderInfo
 import android.net.Uri
 import android.os.Parcelable
 import com.nextcloud.client.account.User
@@ -70,7 +72,7 @@ class UriUploader(
         try {
             val anySensitiveUri = mUrisToUpload
                 .filterNotNull()
-                .any { isSensitiveUri((it as Uri)) }
+                .any { belongsToCurrentApplication(mActivity, it as Uri) }
             if (anySensitiveUri) {
                 Log_OC.e(TAG, "Sensitive URI detected, aborting upload.")
                 code = UriUploaderResultCode.ERROR_SENSITIVE_PATH
@@ -111,7 +113,11 @@ class UriUploader(
         return mUploadPath + displayName
     }
 
-    private fun isSensitiveUri(uri: Uri): Boolean = uri.toString().contains(mActivity.packageName)
+    private fun belongsToCurrentApplication(ctx: Context, uri: Uri): Boolean {
+        val authority: String = uri.authority.toString()
+        val info: ProviderInfo = ctx.packageManager.resolveContentProvider(authority, 0) ?: return true
+        return ctx.packageName.equals(info.packageName)
+    }
 
     /**
      * Requests the upload of a file in the local file system to [FileUploadHelper] service.
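Review bot: `uri.authority.toString()` in belongsToCurrentApplication turns a null authority (any `file://` or bare-path URI) into the literal string "null", so the fail-closed outcome for non-content URIs depends on `resolveContentProvider("null", 0)` happening to return null rather than on an explicit decision; make it explicit with `val authority = uri.authority ?: return true`, or gate on `uri.scheme == ContentResolver.SCHEME_CONTENT` since ContentResolver is already imported. On API 30+ `resolveContentProvider` is subject to package-visibility filtering, so a third-party provider this app cannot see also lands in the `?: return true` branch and is logged as "Sensitive URI detected" — worth confirming that share-intent URI grants make the provider visible, and worth a distinct log line for the unresolvable case so genuine false positives are diagnosable. `ctx.packageName.equals(info.packageName)` reads better as `info.packageName == ctx.packageName`. The function also deserves a KDoc stating its contract, e.g. `/** True when the URI is served by this app's own provider, or cannot be attributed to any provider (treated as sensitive, fail closed). */`.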