Skip to content

Latest commit

 

History

History
47 lines (40 loc) · 6.97 KB

threat-modeling.md

File metadata and controls

47 lines (40 loc) · 6.97 KB

Threat Model Analysis for blankj/androidutilcode

Threat: Zip Slip Vulnerability

  • Description: An attacker provides a maliciously crafted ZIP archive containing files with paths designed to overwrite files outside the intended extraction directory. For example, a ZIP entry might have a name like ../../../../system/bin/somefile. When ZipUtils.unzipFile (or related functions) is used to extract this archive without proper validation of the entry paths, it could overwrite system files or application files, leading to code execution or denial of service. The vulnerability lies in ZipUtils not inherently performing sufficient path sanitization.
    • Impact:
      • Arbitrary Code Execution: Overwriting critical system files or application libraries could allow the attacker to inject and execute malicious code.
      • Application Compromise: Modification of application files could lead to altered behavior or complete control of the application.
      • Denial of Service: Overwriting essential files could render the application or even the device unusable.
    • Affected Component: ZipUtils: Specifically, the unzipFile function and any other functions that handle ZIP archive extraction without built-in, robust path validation.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Path Validation: Before extracting each entry from the ZIP archive, thoroughly validate its path. Ensure that the extracted file path, when combined with the destination directory, does not contain ../ or resolve to a location outside the intended extraction directory. This is crucial and must be implemented by the developer; ZipUtils does not do this automatically.
      • Canonical Path Check: Resolve the combined path (destination directory + entry path) to its canonical form using File.getCanonicalPath() and verify it's within the expected bounds. This helps prevent bypasses using symbolic links or other tricks.
      • Secure ZIP Library: Strongly consider using a dedicated, security-hardened ZIP library specifically designed to prevent Zip Slip vulnerabilities. This is the most reliable mitigation. Examples include libraries that perform automatic path sanitization and validation.
      • Untrusted Source Restriction: Avoid extracting ZIP archives from untrusted sources (e.g., downloaded files, data received via Intents) unless absolutely necessary and with extreme caution.

Threat: Path Traversal via File Operations

  • Description: If the application uses FileUtils functions (like readFile2String, writeFileFromString, deleteFile, etc.) with filenames or paths directly derived from user input without proper sanitization, an attacker can craft a malicious path (e.g., ../../../../data/data/com.example.app/databases/mydb.db) to access, modify, or delete files outside the intended directory. The vulnerability is that FileUtils functions themselves do not inherently prevent path traversal; they operate on the provided path.
    • Impact:
      • Data Breach: Exposure of sensitive user data or application configuration stored in files.
      • Application Compromise: Modification or deletion of critical application files, leading to crashes or altered behavior.
      • Denial of Service: Deletion of essential files, rendering the application unusable.
    • Affected Component: FileUtils: Any function that takes a file path as input, including readFile2String, writeFileFromString, deleteFile, copyFile, etc.
    • Risk Severity: High
    • Mitigation Strategies:
      • Strict Input Validation: Always validate and sanitize user-supplied filenames and paths before passing them to FileUtils functions. Use a whitelist of allowed characters (alphanumeric, underscore, hyphen are generally safe). Reject any input containing ../, ./, or absolute paths. This is the primary defense.
      • Canonical Path Resolution: Before using a file path with FileUtils, resolve it to its canonical form using File.getCanonicalPath(). Compare the canonical path to an expected base directory to ensure it's within the allowed bounds. This prevents bypasses using symbolic links or other tricks.
      • Use Android Framework APIs: Whenever possible, prefer using Android's built-in file handling methods like Context.getFilesDir(), Context.getExternalFilesDir(), and Context.getCacheDir(). These APIs provide a more secure and controlled environment for file access, and they inherently limit access to the application's designated directories.
      • Least Privilege: Ensure the application only requests the minimum necessary file access permissions. Avoid requesting broad read/write access to external storage unless absolutely required.

Threat: Server-Side Request Forgery (SSRF) via HttpUtils

  • Description: If HttpUtils is used to make requests to URLs directly provided by the user without robust validation, an attacker could craft a URL to access internal network resources (e.g., http://192.168.1.1), loopback addresses (http://localhost), or other unintended external services. The vulnerability is that HttpUtils functions will execute the request to whatever URL is provided, without inherent restrictions.
    • Impact:
      • Information Disclosure: Access to internal network resources or sensitive data exposed by internal APIs.
      • Network Scanning: The attacker could use the application as a proxy to scan for open ports and vulnerabilities.
      • Further Attacks: Potentially launch attacks against other systems if the targeted service is vulnerable.
    • Affected Component: HttpUtils: Functions that make HTTP requests based on URLs, such as doGet, doPost, and any other functions that accept a URL as a parameter.
    • Risk Severity: High
    • Mitigation Strategies:
      • Strict URL Whitelisting: Maintain a strict whitelist of allowed domains and protocols (e.g., https://example.com). Reject any URL that doesn't match the whitelist. This is the most effective mitigation.
      • Robust Input Validation: Thoroughly validate and sanitize all user-supplied URLs before passing them to HttpUtils. Reject URLs containing internal IP addresses (e.g., 192.168.x.x, 10.x.x.x, 172.16.x.x), loopback addresses (127.0.0.1, localhost), or suspicious schemes.
      • Network Security Configuration: Use Android's Network Security Configuration to restrict the application's network access to only the necessary domains. This provides an additional layer of defense.
      • Avoid User-Controlled URLs: If possible, avoid making HTTP requests to URLs directly provided by the user. Instead, use predefined URLs or construct URLs based on validated parameters.