Log in
Log in
Log in
Book a Demo
Get Started
629.2K 456.2K 7.8K
Back to Repositories

Validating Directory Traversal Security Controls in Apktool

This test suite validates directory traversal security measures in the Apktool library, focusing on preventing unauthorized file access through path manipulation. It ensures robust file path sanitization across different operating systems.

Test Coverage Overview

The test suite provides comprehensive coverage for file path sanitization functionality:

  • Valid file path validation in standard scenarios
  • Directory traversal attack prevention
  • Root directory access restrictions
  • Cross-platform path handling (Windows/Unix)
  • Empty path handling

Implementation Analysis

The testing approach employs JUnit framework with systematic validation of BrutIO.sanitizePath() method. It implements both positive and negative test cases using expected exceptions pattern for security validations.

The suite leverages TestUtils for resource setup and OSDetection for platform-specific testing.

Technical Details

  • JUnit 4 testing framework
  • Custom exception types for different security scenarios
  • TestUtils for test resource management
  • OSDetection for platform-specific path handling
  • BeforeClass setup for test directory preparation

Best Practices Demonstrated

The test suite exemplifies security-focused testing practices with clear separation of concerns and thorough edge case coverage.

  • Systematic exception testing
  • Platform-independent test cases
  • Proper test setup and resource management
  • Clear test method naming conventions

ibotpeaches/apktool

brut.apktool/apktool-lib/src/test/java/brut/androlib/util/UnknownDirectoryTraversalTest.java

            
/*
 *  Copyright (C) 2010 Ryszard Wiśniewski <[email protected]>
 *  Copyright (C) 2010 Connor Tumbleson <[email protected]>
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *       https://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package brut.androlib.util;

import brut.androlib.BaseTest;
import brut.androlib.TestUtils;
import brut.common.BrutException;
import brut.common.InvalidUnknownFileException;
import brut.common.RootUnknownFileException;
import brut.common.TraversalUnknownFileException;
import brut.directory.ExtFile;
import brut.util.BrutIO;
import brut.util.OSDetection;

import java.io.File;
import java.io.IOException;

import org.junit.*;
import static org.junit.Assert.*;

public class UnknownDirectoryTraversalTest extends BaseTest {

    @BeforeClass
    public static void beforeClass() throws Exception {
        TestUtils.copyResourceDir(UnknownDirectoryTraversalTest.class, "util/traversal", sTmpDir);
    }

    @Test
    public void validFileTest() throws BrutException, IOException {
        String validFileName = BrutIO.sanitizePath(sTmpDir, "file");
        assertEquals(validFileName, "file");
        assertTrue(new File(sTmpDir, validFileName).isFile());
    }

    @Test(expected = TraversalUnknownFileException.class)
    public void invalidBackwardFileTest() throws BrutException, IOException {
        BrutIO.sanitizePath(sTmpDir, "../file");
    }

    @Test(expected = RootUnknownFileException.class)
    public void invalidRootFileTest() throws BrutException, IOException {
        String rootLocation = OSDetection.isWindows() ? "C:/" : File.separator;
        BrutIO.sanitizePath(sTmpDir, rootLocation + "file");
    }

    @Test(expected = InvalidUnknownFileException.class)
    public void noFilePassedTest() throws BrutException, IOException {
        BrutIO.sanitizePath(sTmpDir, "");
    }

    @Test(expected = TraversalUnknownFileException.class)
    public void invalidBackwardPathOnWindows() throws BrutException, IOException {
        String invalidPath = OSDetection.isWindows() ? "..\\..\\app.exe" : "../../app";
        BrutIO.sanitizePath(sTmpDir, invalidPath);
    }

    @Test
    public void validDirectoryFileTest() throws BrutException, IOException {
        String fileName = "dir" + File.separator + "file";
        String validFileName = BrutIO.sanitizePath(sTmpDir, fileName);
        assertEquals(fileName, validFileName);
    }
}