Log in
Log in
Log in
Book a Demo
Get Started
629.2K 456.2K 7.8K
Back to Repositories

Validating Directory Traversal Security in APK Decoding for Apktool

This test suite validates the secure handling of parent directory traversal in APK decoding within Apktool. It specifically focuses on preventing potential security vulnerabilities related to path traversal during the resource extraction process.

Test Coverage Overview

The test suite provides coverage for secure APK decoding operations, specifically targeting potential directory traversal vulnerabilities. Key areas include:

  • Validation of drawable file decoding process
  • Security checks for path traversal attempts
  • Resource extraction safety verification
  • Handling of malformed APK structures

Implementation Analysis

The testing approach utilizes JUnit framework with a focus on security-critical scenarios. The implementation employs the ApkDecoder class with specific configuration parameters to validate resource decoding behavior.

  • Extends BaseTest for common testing infrastructure
  • Uses BeforeClass setup for test resource preparation
  • Implements Config parameters for controlled decoding

Technical Details

Testing infrastructure includes:

  • JUnit 4 testing framework
  • ExtFile utility for file operations
  • ApkDecoder for APK processing
  • Custom Config settings for resource decoding
  • TestUtils for resource management

Best Practices Demonstrated

The test suite exemplifies security-focused testing practices through:

  • Proper test isolation and resource cleanup
  • Specific test case targeting known vulnerability patterns
  • Clear test setup and configuration management
  • Structured test organization with appropriate annotations

ibotpeaches/apktool

brut.apktool/apktool-lib/src/test/java/brut/androlib/decode/ParentDirectoryTraversalTest.java

            
/*
 *  Copyright (C) 2010 Ryszard Wiśniewski <[email protected]>
 *  Copyright (C) 2010 Connor Tumbleson <[email protected]>
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *       https://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package brut.androlib.decode;

import brut.androlib.ApkDecoder;
import brut.androlib.BaseTest;
import brut.androlib.Config;
import brut.androlib.TestUtils;
import brut.common.BrutException;
import brut.directory.ExtFile;

import org.junit.*;
import static org.junit.Assert.*;

public class ParentDirectoryTraversalTest extends BaseTest {
    private static final String apk = "issue1498.apk";

    @BeforeClass
    public static void beforeClass() throws Exception {
        TestUtils.copyResourceDir(ParentDirectoryTraversalTest.class, "decode/issue1498", sTmpDir);
    }

    @Test
    public void checkIfDrawableFileDecodesProperly() throws BrutException {
        sConfig.setForceDelete(true);
        sConfig.setDecodeResources(Config.DECODE_RESOURCES_NONE);

        ExtFile testApk = new ExtFile(sTmpDir, apk);
        ExtFile testDir = new ExtFile(testApk + ".out");
        new ApkDecoder(testApk, sConfig).decode(testDir);
    }
}