gradle 配置：

andresguard version: 1.2.10

v2SigningEnabled true

use7zip = true useSign = true

执行./gradlew resguardRelease , 文件产出无XXX.signed_7zip_aligned.apk 文件，如图

There's a problem with the tool. when I compile my app release with Android studio without using the Andresguard tool, my app installs well on devices. however, when I use andResguard, I can't install the app on the same devices. the "App not installed" message shows up even after uninstalling the app previously.

看了下有个相关的issue关闭了。但现在我们这边会定义多个buildType，其中会有releaseLog，支持log输出，proguard和resguard，基本上和release包没区别，只是打开了log输出功能，用于方便跟踪crash，然后给qa测试。resguard目前只支持release吧，能否支持下指定buildType？

java.lang.ArrayIndexOutOfBoundsException at java.lang.System.arraycopy(Native Method) at com.tencent.mm.androlib.res.decoder.StringBlock.writeSpecNameStringBlock(StringBlock.java:155) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.writePackage(ARSCDecoder.java:318) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.writeTable(ARSCDecoder.java:224) at com.tencent.mm.androlib.res.decoder.ARSCDecoder.write(ARSCDecoder.java:127) at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:196) at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:93) at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:77) at com.tencent.mm.resourceproguard.Main.run(Main.java:48) at com.tencent.mm.resourceproguard.Main.gradleRun(Main.java:36) at com.tencent.mm.resourceproguard.Main$gradleRun.call(Unknown Source) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) at com.tencent.gradle.AndResGuardTask$_run_closure3.doCall(AndResGuardTask.groovy:108) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:294) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1024) at groovy.lang.Closure.call(Closure.java:414) at groovy.lang.Closure.call(Closure.java:430) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2030) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2015) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2056) at org.codehaus.groovy.runtime.dgm$162.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:274) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:56) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125) at com.tencent.gradle.AndResGuardTask.run(AndResGuardTask.groovy:70) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.gradle.internal.reflect.JavaMethod.invoke(JavaMethod.java:73)

华为push的版本为： "com.huawei:cloud_base_service:2.5.54", "com.huawei:cloud_push_service:2.5.54"

用了andresguard说找不到Task andresguardnot found in root project 'XXXX'.不能build完成之后自己就开始资源混淆么？我们的工程用了多渠道，并且自定义了apk的输出目录，还有就是使用的是jenkins自动化构建。即使上面的task不报错，但是能找到我的apk在哪么？我目前正在写jenkins的build插件。今天来github看看发现已经有了gradle插件了。所以试了试。

hi 我在做一个demo，关于使用AndResGuard+Tinker的，发现flavor>1时，使用 resguardFlavor1Flavor2Release这样的格式，AndResGuard会失效。task显示执行了，任务结果是ok，但实际没有执行，只有原始的apk输出。我以为是配置写错了，倒腾了半天，但最后删掉一个FlavorDimensions就好了。

虽然实际使用很少有这样的情况，发现了还是汇报一下。

com.tencent.mm.androlib.AndrolibException: spec proguard name duplicate in a singal type drawable, spec name: pk known issue: if you write a whilte list R.drawable.ab, and you have a png named ab.png, these may cost duplicate of ab

    at com.tencent.mm.androlib.res.data.ResType.putSpecProguardName(ResType.java:42)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readEntry(ARSCDecoder.java:520)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readConfig(ARSCDecoder.java:458)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readTableTypeSpec(ARSCDecoder.java:410)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readPackage(ARSCDecoder.java:300)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.readTable(ARSCDecoder.java:203)
    at com.tencent.mm.androlib.res.decoder.ARSCDecoder.decode(ARSCDecoder.java:118)
    at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:189)
    at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:99)
    at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:84)
    at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:205)
    at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:41)

崩溃log,自己有一个图片文件pk.png加入了白名单，混淆的时候，另一个文件被混淆成了pk.png，导致重复。

Error:Could not find com.tencent.mm:AndResGuard-gradle-plugin:1.2.3. Searched in the following locations: https://repo1.maven.org/maven2/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.pom https://repo1.maven.org/maven2/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.jar https://jcenter.bintray.com/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.pom https://jcenter.bintray.com/com/tencent/mm/AndResGuard-gradle-plugin/1.2.3/AndResGuard-gradle-plugin-1.2.3.jar

一个issue（#130） 提一个问题，所以我分开下！

操作环境:

• cygwin
• 7-Zip (a) [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04
• tool_output/ 下的 7z 可执行文件
• andResGuard 1.1.16

系统已经正确配置 7z 和 zipalign 的环境变量

1. 【在 cygwin中操作】使用 build_apk.sh 对一个将近 90MB 的apk（代码部分混淆过） 处理 在 repackage 7z时候会出错 偶发性报错（apk体积小的到没出现过该情况，是否和 -mx0 有关) ，对于可能是 7za 版本不同导致，我也分别测试了 均会偶发如下的 exception

$ ./build_apk.sh
special configFile file path: D:\AndResGuard\tool_output\config.xml
special output directory path: D:\AndResGuard\tool_output\outapk
reading config file, D:\AndResGuard\tool_output\config.xml
mKeepRoot false
[AndResGuard] begin: outapk, qinjingling.apk
unziping apk to D:\AndResGuard\tool_output\outapk\temp
decoding resources.arsc
parse to get the exist names in the resouces.arsc first
reading packagename fxyy.fjnuit.Activity
resources mapping file D:\AndResGuard\tool_output\outapk\resource_mapping_qinjingling.txt done
writing new resources.arsc
resources.arsc Character Encoding: utf-8
general unsigned apk: qinjingling_unsigned.apk
DestResDir 3359 rawResDir 3359
signing apk: qinjingling_signed.apk
signature Algorithm is: SHA1withRSA
use 7zip to repackage: qinjingling_signed_7zip.apk, will cost much more time
[addStoredFileIn7Zip]rewrite the stored file into the 7zip, file count:308
java.io.IOException: [use7zApk]7z repackage signed apk fail,you must install 7z command line version first, linux: p7zip, window: 7za, path=D:\AndResGuard\tool_output\outapk\qinjingling_signed_7zip.apk
        at com.tencent.mm.androlib.ResourceApkBuilder.use7zApk(ResourceApkBuilder.java:97)
        at com.tencent.mm.androlib.ResourceApkBuilder.buildApk(ResourceApkBuilder.java:50)
        at com.tencent.mm.resourceproguard.Main.buildApk(Main.java:94)
        at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:71)
        at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:193)
        at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:37)

2. 【疑问】【同cygwin 操作】和 #76 的 issue 有点类似， 在检查了微信 , 网易云音乐 (好像是对 APP 图标 进行白名单保护(因为res 根路径是被混淆了 )，我也尝试在 config.xml 添加

<issue id="whitelist" isactive="true">
  <!-- 全部位于  mipmap-<qualifiers>中 -->
  <path value="<your_package_name>.R.drawable.ic_launcher"/> 
 </issue>

通过shell 命令，再安装apk，无法正确显示 ic_launcher (我在公司的三四个项目上试验过均出现), 但是如果改用 keepmapping 来控制（设置 whitelist中 isactive="false"） 如下

 <issue id="keepmapping" isactive="true">
        <!-- 来自 AndResGuard-example\app-->
        <path value="resource_mapping.txt"/>
 </issue>

再次执行完 build_apk.sh 。再安装 图标均可以正常显示，但 res/*** 根路径被保留 和 微信/网易云音乐 的不一样, 这里就不太理解（你们是怎么配置的 实现 混淆了根路径 但 图标还可以显示出来）,

还有一个疑点 上面 path value 使用下面 的 resource_mapping_bak.txt替代 也是可以（正常显示图标），似乎图标存放( 在mipmap-<qualifiers> )的位置和 该 资源 mapping文件 配置的内容( drawable-<qualifiers> 不混淆 父路径)无关系。

resource_mapping_bak.txt文件

res path mapping:
    res/drawable-hdpi-v4 -> res/drawable-hdpi-v4
    res/drawable-mdpi-v4 -> res/drawable-mdpi-v4
    res/drawable-xhdpi-v4 -> res/drawable-xhdpi-v4
    res/drawable-xxhdpi-v4 -> res/drawable-xxhdpi-v4
    res/drawable-xxxhdpi-v4 -> res/drawable-xxxhdpi-v4

PS: 第2点的问题 git clone 下来项目 在AS中 也类似配置测试过，也会出现该点描述的疑问

andResGuard {
    //  method1:放开这句 注释下句 logo的图标且白名单不做保护， 安装完可以正常显示
    //mappingFile = file("./resource_mapping.txt")
    mappingFile = null
    use7zip = true
    useSign = true
    keepRoot = false
    // add <yourpackagename>.R.drawable.icon into whitelist.
    // because the launcher will get the icon with his name
    whiteList = [
             //method2: 上面 mappingFile =null ,添加 图标到白名单 安装完，不能正常显示
            "R.mipmap.ic_launcher",
            //https://docs.fabric.io/android/crashlytics/build-tools.html
            "R.string.com.crashlytics.*"
    ]
    compressFilePattern = [
            "*.png",
            "*.jpg",
            "*.jpeg",
            "*.gif",
            "resources.arsc"
    ]
    sevenzip {
       //这里也是 分别测试 以下两种7z 版本
        artifact = 'com.tencent.mm:SevenZip:1.1.16'//(v15.04)
        ///usr/local/bin/7za
        //path = "D:\\E.D.K.Supremacy\\7-Zip\\x64\\7za.exe"(v16.04)
    }
} 

为zipalign设置了环境变量，但是报错java.io.IOException: Cannot run program "zipalign": error=2, No such file or directory，该怎么手动设置zipalign？在config.xml可以设置？

之前1.2.15版本没问题，就升级了1.2.16版本 错误日常

Task :app:resguardRelease FAILED

FAILURE: Build failed with an exception.

• What went wrong: Execution failed for task ':app:resguardRelease'.

null

• Try: Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

• Get more help at https://help.gradle.org

BUILD FAILED in 2s 28 actionable tasks: 1 executed, 27 up-to-date

Hi @shwenzhang,

I wanted to flag to you that the source of AndResGuard has a file that is incompatible with the Apache-2.0 license you've chosen for the project:

• https://github.com/shwenzhang/AndResGuard/blob/master/AndResGuard-core/src/main/java/com/mindprod/ledatastream/LEDataInputStream.java

This license has a field of use restriction, so it's not an open source license.

• What went wrong: Some problems were found with the configuration of task ':app:resguardRelease' (type 'AndResGuardTask').

  • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'android' is missing an input or output annotation.

    Reason: A property without annotation isn't considered during up-to-date checking.

    Possible solutions:

    1. Add an input or output annotation.
    2. Mark it as @Internal.

    Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

  • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'buildConfigs' is missing an input or output annotation.

    Reason: A property without annotation isn't considered during up-to-date checking.

    Possible solutions:

    1. Add an input or output annotation.
    2. Mark it as @Internal.

    Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

  • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'configuration' is missing an input or output annotation.

    Reason: A property without annotation isn't considered during up-to-date checking.

    Possible solutions:

    1. Add an input or output annotation.
    2. Mark it as @Internal.

    Please refer to https://docs.gradle.org/7.4/userguide/validation_problems.html#missing_annotation for more details about this problem.

  • In plugin 'AndResGuard' type 'com.tencent.gradle.AndResGuardTask' property 'zipAlignPath' is missing an input or output annotation.

    Reason: A property without annotation isn't considered during up-to-date checking.

    Possible solutions:

    1. Add an input or output annotation.
    2. Mark it as @Internal.

fix build error, when app open aapt custom packageId(--package-id) feature

open custom packageId:

aaptOptions {
        additionalParameters '--allow-reserved-package-id','--package-id','0x15'
}

stacktrace:

com.tencent.mm.androlib.AndrolibException: Could not decode arsc file
  at com.tencent.mm.androlib.res.decoder.ARSCDecoder.write(ARSCDecoder.java:131)
  at com.tencent.mm.androlib.ApkDecoder.decode(ApkDecoder.java:197)
  at com.tencent.mm.resourceproguard.Main.decodeResource(Main.java:114)
  at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:98)
  at com.tencent.mm.resourceproguard.Main.resourceProguard(Main.java:84)
  at com.tencent.mm.resourceproguard.cli.CliMain.run(CliMain.java:243)
  at com.tencent.mm.resourceproguard.cli.CliMain.main(CliMain.java:38)
Caused by: java.io.EOFException
  at java.base/java.io.DataInputStream.readFully(DataInputStream.java:202)
  at com.mindprod.ledatastream.LEDataInputStream.readFully(LEDataInputStream.java:180)

cause: when app open custom packageId, aapt generates more content when generating arsc file than not open custom packageId, so we need read it , and write it to new arsc file

用Compose实现FontFamily的时候可以可以直接使用FontFamily(Font(R.font.xxx))很方便 用咱们插件设置了keepRoot = false混淆路径，发现会有问题。 排查发现 sdk实现加载字体的时候前缀设置了必须“res/”开头 问下咱们有方式可以实现keepRoot = false的同时针对特定的路径比如res/font做路径保留设置？

Security Vulnerability Fix

This pull request fixes a Zip Slip vulnerability either due to an insufficient, or missing guard when unzipping zip files.

Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still, most likely, a valid security hardening.

Preamble

Impact

This issue allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

Why?

The best description of Zip-Slip can be found in the white paper published by Snyk: Zip Slip Vulnerability

But I had a guard in place, why wasn't it sufficient?

If the changes you see are a change to the guard, not the addition of a new guard, this is probably because this code contains a Zip-Slip vulnerability due to a partial path traversal vulnerability.

To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/") will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

The Fix

Implementing a guard comparing paths with the method java.nio.files.Path#startsWith will adequately protect against this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

Other Examples

• CVE-2018-1002201 - zeroturnaround/zt-zip
• CVE-2018-1002202 - srikanth-lingala/zip4j
• CVE-2018-8009 - apache/hadoop

:arrow_right: Vulnerability Disclosure :arrow_left:

:wave: Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

First question, do we need to perform vulnerability disclosure? It depends!

1. Is the vulnerable code only in tests or example code? No disclosure required!
2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

For partial path traversal, consider if user-supplied input could ever flow to this logic. If user-supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

Vulnerability Disclosure How-To

You have a few options options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

Detecting this and Future Vulnerabilities

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher.

Source

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted to bring this security fix to your repository.

The source code that generated this PR can be found here: Zip Slip

Why didn't you disclose privately (ie. coordinated disclosure)?

This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

The problem is that, as an open source software security researcher, I (exactly like open source maintainers), I only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc..) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

Additionally, if I just spam out emails or issues, I'll just overwhelm already over-taxed maintainers, I don't want to do this either.

By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

Opting Out

If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Sponsorship & Support

This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/16