scanner: open DEX/ZIP by file magic; throw errors on bad filenames

2025-11-05 06:50:29 +03:00 · 2022-09-29 17:21:03 +02:00 · 2022-09-29 17:21:03 +02:00 · 3de6063a01
commit 3de6063a01
parent aa190d532f
2 changed files with 113 additions and 3 deletions
--- a/fdroidserver/scanner.py
+++ b/fdroidserver/scanner.py
@ -144,11 +144,21 @@ def get_embedded_classes(apkfile, depth=0):
        with TemporaryDirectory() as tmp_dir, zipfile.ZipFile(apkfile, 'r') as apk_zip:
            for info in apk_zip.infolist():
                # apk files can contain apk files, again
-                if archive_regex.search(info.filename):
-                    with apk_zip.open(info) as apk_fp:
+                with apk_zip.open(info) as apk_fp:
+                    if zipfile.is_zipfile(apk_fp):
                        classes = classes.union(get_embedded_classes(apk_fp, depth + 1))
+                        if not archive_regex.search(info.filename):
+                            classes.add(
+                                'ZIP file without proper file extension: %s'
+                                % info.filename
+                            )
+                        continue

-                elif class_regex.search(info.filename):
+                with apk_zip.open(info.filename) as fp:
+                    file_magic = fp.read(3)
+                if file_magic == b'dex':
+                    if not class_regex.search(info.filename):
+                        classes.add('DEX file with fake name: %s' % info.filename)
                    apk_zip.extract(info, tmp_dir)
                    run = common.SdkToolsPopen(
                        ["dexdump", '{}/{}'.format(tmp_dir, info.filename)],