proguard resource for Android by wechat team

Overview

AndResGuard


AndResGuard is a tool for reducing your apk size. It works like ProGuard for Java source code, but aims only at the resource files. It changes res/drawable/wechat to r/d/a, and renames the resource file wechat.png to a.png. Finally, it repackages the apk with 7zip, which noticeably reduces the package size.

AndResGuard is fast, and it does NOT need the source code. Given an Android apk as input, you get a 'ResGuard' apk within a few seconds.

Some uses of AndResGuard are:

  1. Obfuscate Android resources. It covers all resource types (such as drawable, layout, string...). It can prevent your apk from being reversed by Apktool.

  2. Shrink the apk size. It noticeably reduces resources.arsc and the package size.

  3. Repackage with 7zip. It supports repackaging the apk with 7zip, and you can specify the compression method for each file.

AndResGuard is a command-line tool; it supports Windows, Linux and Mac. We suggest using 7zip on Linux or Mac for a higher compression ratio.

How to use

With Gradle

The plugin has been released on Bintray.

apply plugin: 'AndResGuard'

buildscript {
    repositories {
        jcenter()
        google()
    }
    dependencies {
        classpath 'com.tencent.mm:AndResGuard-gradle-plugin:1.2.21'
    }
}

andResGuard {
    // mappingFile = file("./resource_mapping.txt")
    mappingFile = null
    use7zip = true
    useSign = true
    // It will keep the origin path of your resources when it's true
    keepRoot = false
    // If set, name column in arsc those need to proguard will be kept to this value
    fixedResName = "arg"
    // It will merge the duplicated resources, but don't rely on this feature too much.
    // it's always better to remove duplicated resource from repo
    mergeDuplicatedRes = true
    whiteList = [
        // your icon
        "R.drawable.icon",
        // for fabric
        "R.string.com.crashlytics.*",
        // for google-services
        "R.string.google_app_id",
        "R.string.gcm_defaultSenderId",
        "R.string.default_web_client_id",
        "R.string.ga_trackingId",
        "R.string.firebase_database_url",
        "R.string.google_api_key",
        "R.string.google_crash_reporting_api_key",
        "R.string.project_id",
    ]
    compressFilePattern = [
        "*.png",
        "*.jpg",
        "*.jpeg",
        "*.gif",
    ]
    sevenzip {
        artifact = 'com.tencent.mm:SevenZip:1.2.21'
        //path = "/usr/local/bin/7za"
    }

    /**
    * Optional: if finalApkBackupPath is null, AndResGuard will overwrite final apk
    * to the path which assemble[Task] write to
    **/
    // finalApkBackupPath = "${project.rootDir}/final.apk"

    /**
    * Optional: Specifies the name of the message digest algorithm to use when digesting the entries of the JAR file
    * Only works in V1signing, default value is "SHA-1"
    **/
    // digestalg = "SHA-256"
}

Wildcard

The whiteList and compressFilePattern support the wildcards ? * +.

?	Zero or one character
*	Zero or more characters
+	One or more characters

WhiteList

You need to put every resource that is accessed via getIdentifier into the whiteList. You can find more whiteList configs for third-party SDKs in white_list.md. PRs adding configs that are not yet included in white_list.md are welcome.

The whiteList only works on the specsName of resources; it does not keep the path of the resource. If you want to keep the path, use mappingFile instead.

For example, to keep the path of the icon, add the following to the mappingFile.

res path mapping:
    res/mipmap-hdpi-v4 -> res/mipmap-hdpi-v4
    res/mipmap-mdpi-v4 -> res/mipmap-mdpi-v4
    res/mipmap-xhdpi-v4 -> res/mipmap-xhdpi-v4
    res/mipmap-xxhdpi-v4 -> res/mipmap-xxhdpi-v4
    res/mipmap-xxxhdpi-v4 -> res/mipmap-xxxhdpi-v4
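An added example (not AndResGuard's own matcher) that applies the wildcard table and the whiteList rule above: each whiteList entry is compiled into an anchored regex with ? as zero or one character, * as zero or more and + as one or more, and resource spec names are tested against it. It assumes every other character, including the dots in R.string.com.crashlytics.*, matches literally.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not AndResGuard's code: decides whether a resource spec name
 * is covered by a whiteList entry using the ? * + wildcard semantics from the
 * README. Assumption: all non-wildcard characters match literally.
 */
public final class WhiteListMatcher {

    /** Compile one whiteList entry into an anchored regular expression. */
    static Pattern compile(String wildcard) {
        StringBuilder regex = new StringBuilder("^");
        for (char c : wildcard.toCharArray()) {
            switch (c) {
                case '?': regex.append(".?"); break;   // zero or one character
                case '*': regex.append(".*"); break;   // zero or more characters
                case '+': regex.append(".+"); break;   // one or more characters
                default:  regex.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(regex.append('$').toString());
    }

    /** True if any whiteList entry covers the resource name, i.e. it must not be renamed. */
    static boolean isKept(List<String> whiteList, String resourceName) {
        return whiteList.stream()
                .anyMatch(entry -> compile(entry).matcher(resourceName).matches());
    }

    public static void main(String[] args) {
        // Entries taken from the sample andResGuard block in the README.
        List<String> whiteList = List.of(
                "R.drawable.icon",
                "R.string.com.crashlytics.*",
                "R.string.google_app_id");
        // Constructed resource names: the ones reached through getIdentifier
        // must be kept, everything else is free to be renamed.
        String[] names = {
                "R.string.com.crashlytics.android.build_id", // kept by the wildcard
                "R.string.google_app_id",                    // kept, exact match
                "R.drawable.icon_small",                     // renamed: no trailing wildcard
                "R.layout.activity_main"                     // renamed
        };
        for (String n : names) {
            System.out.printf("%-45s keep=%b%n", n, isKept(whiteList, n));
        }
    }
}
```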

How to Launch

If you are using Android Studio, you can find the generated task in the andresguard group. Alternatively, run ./gradlew resguard[BuildType | Flavor] in your terminal. The task name format is the same as for assemble.

Sevenzip

The sevenzip block in the gradle file can be set by path or artifact. Multiple assignments are allowed, but path always wins.

Result

If finalApkBackupPath is null, AndResGuard overwrites the final APK at the path that assemble[Task] writes to. Otherwise, it is stored at the path you assigned.

Other

Looking for more detail

Known Issue

  1. The first element of the list returned by AssetManager#list(String path) is an empty string when you are using an APK compressed by 7zip. #162

Best Practice

  1. Do NOT add resources.arsc into compressFilePattern unless app size really matters to you. (#84 #233)
  2. Do NOT enable 7zip compression (use7zip) when you distribute your app on Google Play. It prevents file-by-file patching when updating your app. (#233)

Thanks

Apktool Connor Tumbleson

v2sig @jonyChina162

Comments
  • Why is there no signed_7zip_aligned.apk file?

    gradle config:

    andresguard version: 1.2.10

    v2SigningEnabled true

    use7zip = true useSign = true

    After running ./gradlew resguardRelease, the output has no XXX.signed_7zip_aligned.apk file, as shown in the image

    opened by wuhaiyang 33
  • App not installed

    There's a problem with the tool. When I compile my app release with Android Studio without using the AndResGuard tool, my app installs well on devices. However, when I use AndResGuard, I can't install the app on the same devices. The "App not installed" message shows up even after uninstalling the previous app.

    opened by mukswilly 20
  • Could you support specifying a buildType?

    I saw that a related issue was closed. But we now define multiple buildTypes, one of which is releaseLog: it enables log output, proguard and resguard, and is basically no different from the release build except that log output is turned on, which makes it easier to track crashes and hand builds to QA for testing. resguard currently only supports release, right? Could you support specifying a buildType?

    opened by hacket 18
  • Integrating the new version of Huawei push causes the build to fail

    java.lang.ArrayIndexOutOfBoundsException at java.lang.System.arraycopy(Native Method) at com.tencent.mm.androlib.res.decoder.StringBlock.writeSpecNameStringBlock(StringBlock.java:155) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.writePackage(ARSCDecoder.java:318) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.writeTable(ARSCDecoder.java:224) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.write(ARSCDecoder.java:127) at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:196) at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:93) at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:77) at com.tencent.mm.resourceproguard.Main.run(Main.java:48) at com.tencent.mm.resourceproguard.Main.gradleRun(Main.java:36) at com.tencent.mm.resourceproguard.Main$gradleRun.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) at com.tencent.gradle.AndResGuardTask$_run_closure3.doCall(AndResGuardTask.groovy:108) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:294) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1024) at groovy.lang.Closure.call(Closure.java:414) at groovy.lang.Closure.call(Closure.java:430) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2030) at 
org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2015) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2056) at org.codehaus.groovy.runtime.dgm$162.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:274) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:56) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) at com.tencent.gradle.AndResGuardTask.run(AndResGuardTask.groovy:70) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)

    The Huawei push version is: "com.huawei:cloud_base_service:2.5.54", "com.huawei:cloud_push_service:2.5.54"

    opened by getandset 16
  • How do I use it with gradle? Asking for help

    With andresguard I get "Task andresguard not found in root project 'XXXX'". Can't it just start the resource obfuscation by itself after the build finishes? Our project uses multiple channels and customizes the apk output directory, and we build with Jenkins automation. Even if the task above didn't error, could it find where my apk is? I'm currently writing a Jenkins build plugin. Today I came to GitHub and saw there is already a gradle plugin, so I tried it.

    opened by wangkunlin 16
  • Multi-flavor + buildType build has no effect

    Hi, I'm making a demo using AndResGuard+Tinker and found that when there is more than one flavor, using a task name of the form resguardFlavor1Flavor2Release, AndResGuard has no effect. The task shows as executed and the result is ok, but it actually did not run; only the original apk is output. I thought I had misconfigured something and fiddled with it for a long time, but in the end deleting one flavorDimension fixed it.

    Although this situation is rare in practice, I'm reporting it since I found it.

    enhancement 
    opened by sunsteam 15
  • if you write a white list R.drawable.ab, and you have a png named ab.png, these may cause a duplicate of ab

    com.tencent.mm.androlib.AndrolibException: spec proguard name duplicate in a singal type drawable, spec name: pk known issue: if you write a whilte list R.drawable.ab, and you have a png named ab.png, these may cost duplicate of ab

        at com.tencent.mm.androlib.res.data.ResType.putSpecProguardName(ResType.java:42)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readEntry(ARSCDecoder.java:520)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readConfig(ARSCDecoder.java:458)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readTableTypeSpec(ARSCDecoder.java:410)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readPackage(ARSCDecoder.java:300)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readTable(ARSCDecoder.java:203)
        at com.tencent.mm.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:118)
        at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:189)
        at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:99)
        at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:84)
        at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:205)
        at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:41)
    

    Crash log: I had an image file pk.png added to the whitelist; during obfuscation another file was renamed to pk.png, causing the duplicate.

    bug 
    opened by zhuzhumouse 12
  • AndResGuard-gradle-plugin gradle could not sync

    Error:Could not find com.tencent.mm:AndResGuard-gradle-plugin:1.2.3. Searched in the following locations: https://repo1.maven.org/maven2/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.pom https://repo1.maven.org/maven2/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.jar https://jcenter.bintray.com/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.pom https://jcenter.bintray.com/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.jar

    opened by Dwan-xie 12
  • After obfuscation, the installed apk does not show ic_launcher & resource obfuscation of a large apk fails intermittently

    One issue (#130) per problem, so I split them up!

    Environment:

    • cygwin
    • 7-Zip (a) [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04
    • the 7z executable under tool_output/
    • andResGuard 1.1.16

    The environment variables for 7z and zipalign are correctly configured on the system

    1. [Operating in cygwin] Using build_apk.sh to process an apk of nearly 90MB (code already obfuscated), it errors intermittently during the 7z repackage (this has never happened with small apks; is it related to -mx0?). In case it was caused by a different 7za version, I tested each version separately; all of them intermittently throw the following exception
    $ ./build_apk.sh
    special configFile file path: D:\AndResGuard\tool_output\config.xml
    special output directory path: D:\AndResGuard\tool_output\outapk
    reading config file, D:\AndResGuard\tool_output\config.xml
    mKeepRoot false
    [AndResGuard] begin: outapk, qinjingling.apk
    unziping apk to D:\AndResGuard\tool_output\outapk\temp
    decoding resources.arsc
    parse to get the exist names in the resouces.arsc first
    reading packagename fxyy.fjnuit.Activity
    resources mapping file D:\AndResGuard\tool_output\outapk\resource_mapping_qinjingling.txt done
    writing new resources.arsc
    resources.arsc Character Encoding: utf-8
    general unsigned apk: qinjingling_unsigned.apk
    DestResDir 3359 rawResDir 3359
    signing apk: qinjingling_signed.apk
    signature Algorithm is: SHA1withRSA
    use 7zip to repackage: qinjingling_signed_7zip.apk, will cost much more time
    [addStoredFileIn7Zip]rewrite the stored file into the 7zip, file count:308
    java.io.IOException: [use7zApk]7z repackage signed apk fail,you must install 7z command line version first, linux: p7zip, window: 7za, path=D:\AndResGuard\tool_output\outapk\qinjingling_signed_7zip.apk
            at com.tencent.mm.androlib.ResourceApkBuilder.use7zApk(ResourceApkBuilder.java:97)
            at com.tencent.mm.androlib.ResourceApkBuilder.buildApk(ResourceApkBuilder.java:50)
            at com.tencent.mm.resourceproguard.Main.buildApk(Main.java:94)
            at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:71)
            at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:193)
            at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:37)
    
    
    2. [Question] [Also in cygwin] Somewhat similar to issue #76. After inspecting WeChat and NetEase Cloud Music (they seem to protect the app icon via the whitelist, since the res root path is obfuscated), I also tried adding the following to config.xml
    
    <issue id="whitelist" isactive="true">
      <!-- all located in mipmap-<qualifiers> -->
      <path value="<your_package_name>.R.drawable.ic_launcher"/> 
     </issue>
    
    

    then installed the apk via shell command, and ic_launcher is not displayed correctly (I tried this on three or four projects at my company and all of them showed it). But if I use keepmapping instead (setting whitelist isactive="false") as follows

     <issue id="keepmapping" isactive="true">
            <!-- from AndResGuard-example\app -->
            <path value="resource_mapping.txt"/>
     </issue>
    

    and run build_apk.sh again, then after installing, the icon displays normally, but the res/*** root path is kept, unlike WeChat/NetEase Cloud Music. This is what I don't understand (how did you configure it so that the root path is obfuscated but the icon still shows?).

    Another puzzle: replacing the path value above with the resource_mapping_bak.txt below also works (the icon displays normally). It seems the location where the icon is stored (in mipmap-<qualifiers>) has nothing to do with what the resource mapping file configures (keeping the drawable-<qualifiers> parent path unobfuscated).

    The resource_mapping_bak.txt file

    res path mapping:
        res/drawable-hdpi-v4 -> res/drawable-hdpi-v4
        res/drawable-mdpi-v4 -> res/drawable-mdpi-v4
        res/drawable-xhdpi-v4 -> res/drawable-xhdpi-v4
        res/drawable-xxhdpi-v4 -> res/drawable-xxhdpi-v4
        res/drawable-xxxhdpi-v4 -> res/drawable-xxxhdpi-v4
    

    PS: For point 2, I also git cloned the project and tested a similar configuration in AS; the question described there appears as well

    andResGuard {
        // method1: uncomment this line and comment out the next one; with the logo icon not protected by the whitelist, it displays normally after install
        //mappingFile = file("./resource_mapping.txt")
        mappingFile = null
        use7zip = true
        useSign = true
        keepRoot = false
        // add <yourpackagename>.R.drawable.icon into whitelist.
        // because the launcher will get the icon with his name
        whiteList = [
                 // method2: with mappingFile = null above, add the icon to the whitelist; after install it does not display correctly
                "R.mipmap.ic_launcher",
                //https://docs.fabric.io/android/crashlytics/build-tools.html
                "R.string.com.crashlytics.*"
        ]
        compressFilePattern = [
                "*.png",
                "*.jpg",
                "*.jpeg",
                "*.gif",
                "resources.arsc"
        ]
        sevenzip {
           // here I also tested the following two 7z versions separately
            artifact = 'com.tencent.mm:SevenZip:1.1.16'//(v15.04)
            ///usr/local/bin/7za
            //path = "D:\\E.D.K.Supremacy\\7-Zip\\x64\\7za.exe"(v16.04)
        }
    } 
    
    opened by zhEdward 12
  • How do I manually set zipalign when using the plugin?

    I set the environment variable for zipalign, but I get the error java.io.IOException: Cannot run program "zipalign": error=2, No such file or directory. How do I set zipalign manually? Can it be set in config.xml?

    opened by pengwei1024 12
  • gradlew resguardRelease command errors in version 1.2.16

    Version 1.2.15 worked fine before; after upgrading to version 1.2.16, the error log:

    Task :app:resguardRelease FAILED

    FAILURE: Build failed with an exception.

    • What went wrong: Execution failed for task ':app:resguardRelease'.

    null

    • Try: Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

    • Get more help at https://help.gradle.org

    BUILD FAILED in 2s 28 actionable tasks: 1 executed, 27 up-to-date

    opened by farsunset 11
  • Non-compatible licensing

    Hi @shwenzhang,

    I wanted to flag to you that the source of AndResGuard has a file that is incompatible with the Apache-2.0 license you've chosen for the project:

    • https://github.com/shwenzhang/AndResGuard/blob/master/AndResGuard-core/src/main/java/com/mindprod/ledatastream/LEDataInputStream.java

    This license has a field of use restriction, so it's not an open source license.

    opened by hyandell 0
  • update gradle 7.4 error

    • What went wrong: Some problems were found with the configuration of task ':app:resguardRelease' (type 'AndResGuardTask').
      • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'android' is missing an input or output annotation.

        Reason: A property without annotation isn't considered during up-to-date checking.

        Possible solutions:

        1. Add an input or output annotation.
        2. Mark it as @Internal.

        Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

      • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'buildConfigs' is missing an input or output annotation.

        Reason: A property without annotation isn't considered during up-to-date checking.

        Possible solutions:

        1. Add an input or output annotation.
        2. Mark it as @Internal.

        Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

      • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'configuration' is missing an input or output annotation.

        Reason: A property without annotation isn't considered during up-to-date checking.

        Possible solutions:

        1. Add an input or output annotation.
        2. Mark it as @Internal.

        Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

      • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'zipAlignPath' is missing an input or output annotation.

        Reason: A property without annotation isn't considered during up-to-date checking.

        Possible solutions:

        1. Add an input or output annotation.
        2. Mark it as @Internal.
    opened by onexuan 0
  • [fix] fix Could not decode arsc file build error (#450)

    Fix build error when the app enables the aapt custom packageId (--package-id) feature

    Enable custom packageId:

    aaptOptions {
            additionalParameters '--allow-reserved-package-id','--package-id','0x15'
    }
    

    stacktrace:

    com.tencent.mm.androlib.AndrolibException: Could not decode arsc file
      at com.tencent.mm.androlib.res.decoder.ARSCDecoder.write(ARSCDecoder.java:131)
      at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:197)
      at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:114)
      at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:98)
      at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:84)
      at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:243)
      at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:38)
    Caused by: java.io.EOFException
      at java.base/java.io.DataInputStream.readFully(DataInputStream.java:202)
      at com.mindprod.ledatastream.LEDataInputStream.readFully(LEDataInputStream.java:180)
    

    cause: when the app enables a custom packageId, aapt generates more content in the arsc file than when it is not enabled, so we need to read it and write it to the new arsc file

    opened by linsir6 0
  • Problem caused by how the system implements custom fonts.

    When implementing a FontFamily in Compose you can use FontFamily(Font(R.font.xxx)) directly, which is very convenient. After setting keepRoot = false in this plugin to obfuscate paths, I found there is a problem. Investigating, I found that when the SDK loads a font it requires the prefix to start with "res/". Is there a way to keep keepRoot = false while preserving a specific path such as res/font?

    opened by toxop-element 1
  • [SECURITY] Fix Zip Slip Vulnerability

    Security Vulnerability Fix

    This pull request fixes a Zip Slip vulnerability either due to an insufficient, or missing guard when unzipping zip files.

    Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still, most likely, a valid security hardening.

    Preamble

    Impact

    This issue allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

    Why?

    The best description of Zip-Slip can be found in the white paper published by Snyk: Zip Slip Vulnerability

    But I had a guard in place, why wasn't it sufficient?

    If the changes you see are a change to the guard, not the addition of a new guard, this is probably because this code contains a Zip-Slip vulnerability due to a partial path traversal vulnerability.

    To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

    The Fix

    Implementing a guard comparing paths with the method java.nio.files.Path#startsWith will adequately protect against this vulnerability.

    For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

    Other Examples

    Vulnerability Disclosure

    Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

    First question, do we need to perform vulnerability disclosure? It depends!

    1. Is the vulnerable code only in tests or example code? No disclosure required!
    2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

    For partial path traversal, consider if user-supplied input could ever flow to this logic. If user-supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

    Vulnerability Disclosure How-To

    You have a few options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

    1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
    2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

    Detecting this and Future Vulnerabilities

    You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

    I'm not an employee of GitHub, I'm simply an open-source security researcher.

    Source

    This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted to bring this security fix to your repository.

    The source code that generated this PR can be found here: Zip Slip

    Why didn't you disclose privately (ie. coordinated disclosure)?

    This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

    This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

    The problem is that, as an open source software security researcher, I (exactly like open source maintainers) only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

    Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc..) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

    Additionally, if I just spam out emails or issues, I'll just overwhelm already over-taxed maintainers, I don't want to do this either.

    By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

    There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

    Opting Out

    If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

    User-agent: JLLeitschuh/security-research
    Disallow: *
    

    This bot will respect the ROBOTS.txt format for future contributions.

    Alternatively, if this project is no longer actively maintained, consider archiving the repository.

    CLA Requirements

    This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

    It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed off.

    The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

    - Git Commit Signoff documentation

    If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

    Sponsorship & Support

    This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

    This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

    Tracking

    All PRs generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/16

    opened by JLLeitschuh 2
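The two guards the pull request above contrasts, as an added example (not AndResGuard's or the PR's own code): a zip entry resolving to the sibling directory "outnot" passes a String prefix check on the canonical path but fails java.nio.file.Path#startsWith, which compares whole path components. The base directory under java.io.tmpdir and the entry names are constructed for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example, not project code: destination checks for zip entries as an
 * extractor would apply them before writing a file under baseDir.
 */
public final class ZipSlipGuard {

    /** Insufficient guard: plain string prefix test on the canonical path. */
    static boolean stringPrefixGuard(File baseDir, String entryName) throws IOException {
        String base = baseDir.getCanonicalPath();
        String target = new File(baseDir, entryName).getCanonicalPath();
        // "/tmp/outnot/evil.sh".startsWith("/tmp/out") is true, so this lets
        // a sibling directory through (partial path traversal).
        return target.startsWith(base);
    }

    /** Recommended guard: component-wise comparison via java.nio.file.Path#startsWith. */
    static boolean pathComponentGuard(File baseDir, String entryName) throws IOException {
        Path base = baseDir.getCanonicalFile().toPath();
        Path target = new File(baseDir, entryName).getCanonicalFile().toPath();
        // Path.startsWith compares whole name elements: [tmp, outnot, evil.sh]
        // does not start with [tmp, out].
        return target.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory; it does not need to exist for canonicalisation.
        File base = new File(System.getProperty("java.io.tmpdir"), "out");
        // Constructed entry names: a legitimate one, a classic "../" escape and
        // a sibling-directory escape that only the string check lets through.
        String[] entries = {
                "res/drawable/a.png",   // string=true  path=true
                "../evil.sh",           // string=false path=false
                "../outnot/evil.sh"     // string=true  path=false  <- the bypass
        };
        for (String e : entries) {
            System.out.printf("%-22s string=%-5b path=%b%n", e,
                    stringPrefixGuard(base, e), pathComponentGuard(base, e));
        }
    }
}
```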