From 2df9d1c262b794f7412ff23a0046fd0ea4fe9cc5 Mon Sep 17 00:00:00 2001
From: Federico Iosue
Date: Sun, 12 Nov 2023 18:38:45 +0100
Subject: [PATCH] Improved path traversal mitigation as by security advisory https://github.com/federicoiosue/Omni-Notes/security/advisories/GHSA-g38r-4cf6-3v32
---
 .../it/feio/android/omninotes/utils/SecurityTest.kt | 12 ++++++++++--
 .../java/it/feio/android/omninotes/utils/Security.kt | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt b/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt
index 05d4da440..5bef4b06b 100644
--- a/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt
+++ b/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt
@@ -30,7 +30,8 @@ import org.junit.runner.RunWith
 @RunWith(AndroidJUnit4::class)
 class SecurityTest : BaseAndroidTestCase() {
- private val LOREM = ("Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor" +
+ private val exampleText = ("Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor" +
 " incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco" +
 " laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit " +
 "esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa "
@@ -57,7 +58,7 @@ class SecurityTest : BaseAndroidTestCase() {
 @Test
 fun decryptUnencrypted() {
- assertNotEquals(0, decrypt(LOREM, PASS)!!.length.toLong())
+ assertNotEquals(0, decrypt(exampleText, PASS)!!.length.toLong())
 }
 @Test 
@@ -74,6 +75,13 @@ class SecurityTest : BaseAndroidTestCase() {
 assertThrows(ContentSecurityException::class.java) { validatePath(path) }
 }
+ @Test
+ fun validatePath_pathTraversal2() {
+ val path = "file:////////data/data/it.feio.android.omninotes.foss/shared_prefs/it.feio.android.omninotes.foss_preferences.xml"
+
+ assertThrows(ContentSecurityException::class.java) { validatePath(path) }
+ }
+
 @Test
 fun validatePath_valid() {
 val path = "/images/screenshot/16844742322307525633366385236595.jpg"
diff --git a/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt b/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt
index 97b63b7e7..33d4043fd 100644
--- a/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt
+++ b/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt
@@ -90,7 +90,7 @@ class Security private constructor() {
 @JvmStatic
 @Throws(ContentSecurityException::class)
 fun validatePath(path: String?) {
- val uri = Uri.parse(path).path
+ val uri = Uri.parse(path).path?.replace("/+".toRegex(), "/")
 if (uri?.startsWith("/data")!! || uri.contains("../")) {
 throw ContentSecurityException("Invalid")
 }
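Review bot: The new test's name, `validatePath_pathTraversal2`, records nothing about which input shape it pins, unlike its sibling `validatePath_valid`; naming it `validatePath_pathTraversalRepeatedSlashes` would say that the fixture is a `file:` URI whose run of leading slashes has to collapse to a `/data/...` path before the prefix check can reject it. A one-line comment above `val path`, such as `// repeated slashes must be collapsed before the /data prefix is checked`, would keep that intent readable if the production regex is changed later. The test class continues outside the hunk.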
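Review bot: On the new `val uri` line the result is still nullable (the `String?` parameter and the `?.` on the following line both admit it), so a missing path reaches the unchanged `!!` and surfaces as a NullPointerException rather than the ContentSecurityException the `@Throws` contract advertises; writing `val uri = Uri.parse(path).path?.replace("/+".toRegex(), "/") ?: throw ContentSecurityException("Invalid")` lets the next line become `if (uri.startsWith("/data") || uri.contains("../")) {` with no `?.` or `!!`. Even after slash collapsing the check decides by string shape (the `/data` prefix and the `../` substring) rather than by where the path resolves; if the callers, which are outside this hunk, know the directory the path must stay within, canonicalising with `File(uri).canonicalPath` and requiring it to start with that base directory is the more durable form of this mitigation. `"/+".toRegex()` is also rebuilt on every call and could be hoisted to a `private val` in the companion object. The rest of `validatePath` ends outside the hunk.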