From 7ec39057341aa0c73d7088bf6a3a56d30f4209db Mon Sep 17 00:00:00 2001
From: Jochen Sprickerhof
Date: Thu, 28 Apr 2022 12:49:25 +0200
Subject: [PATCH] Log zip recursion limit
---
 fdroidserver/scanner.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fdroidserver/scanner.py b/fdroidserver/scanner.py
index 27a4f04a..35ad9556 100644
--- a/fdroidserver/scanner.py
+++ b/fdroidserver/scanner.py
@@ -110,22 +110,29 @@ def get_embedded_classes(apkfile, depth=0):
 """
 apk_regex = re.compile(r'.*\.apk')
 class_regex = re.compile(r'classes.*\.dex')
+
 with TemporaryDirectory() as tmp_dir:
 apk_classes = set()
+
 with zipfile.ZipFile(apkfile, 'r') as apk_zip:
 # apk files can contain apk files, again
- if depth < 10: # zipbomb protection
+ if depth > 10: # zipbomb protection
+ logging.error(_('max recursion depth in zip file reached: %s') % apk_zip)
+ else:
 for apk in [name for name in apk_zip.namelist() if apk_regex.search(name)]:
 with apk_zip.open(apk) as apk_fp:
 apk_classes = apk_classes.union(get_embedded_classes(apk_fp, depth + 1))
+
 dexes = [name for name in apk_zip.namelist() if class_regex.search(name)]
 for name in dexes:
 apk_zip.extract(name, tmp_dir)
 if not dexes:
 return apk_classes
+
 tmp_dexes = ['{}/{}'.format(tmp_dir, dex) for dex in dexes]
 run = common.SdkToolsPopen(["dexdump"] + tmp_dexes)
 classes = set(re.findall(r'[A-Z]+((?:\w+\/)+\w+)', run.output))
+
 return classes.union(apk_classes)
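Review bot: The new `logging.error` line formats the `ZipFile` object itself, so the log line carries its repr (`<zipfile.ZipFile file=... mode='r'>`) rather than a plain archive name, which is awkward to read and to match on when reviewing scanner output; `apk_zip.filename` (the entry name for a nested apk opened through `apk_zip.open`, the path for the top-level file — worth confirming on the nested case) together with the depth is more useful, e.g. `logging.error(_('max recursion depth in zip file reached: %s (depth %d)') % (apk_zip.filename, depth))`. Flipping `depth < 10` to `depth > 10` also lets one more nesting level (depth 10) recurse before the error fires; if the previous bound was intended, `depth >= 10` keeps it. Note that this limit bounds nesting depth only — every level still opens each matching `.apk` entry and extracts each dex into `tmp_dir` — so it guards against runaway recursion, not against total extracted size; that is pre-existing behaviour the hunk does not change, but the `# zipbomb protection` comment may promise more than the check delivers. The body of `get_embedded_classes` begins before the hunk.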