不信任 ContentProvider 提供的文件名
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
OWASP 类别:MASVS-CODE:代码质量
概览
FileProvider 是 ContentProvider 的子类,旨在为应用(“服务器应用”)提供一种安全的方法来与其他应用共享文件(“客户端应用”)。不过,如果客户端应用未正确处理服务器应用提供的文件名,攻击者控制的服务器应用或许能够实现自己的恶意 FileProvider,以覆盖客户端应用的应用专用存储空间中的文件。
影响
如果攻击者可以覆盖应用的文件,这可能会导致恶意代码执行(通过覆盖应用的代码),或者允许以其他方式修改应用的行为(例如,通过覆盖应用的共享偏好设置或其他配置文件)。
缓解措施
在通过文件系统调用将接收到的文件写入存储空间时,生成唯一的文件名,以便在没有用户输入的情况下进行操作。
换句话说:当客户端应用将接收到的文件写入存储空间时,应忽略服务器应用提供的文件名,而是使用其自身内部生成的唯一标识符作为文件名。
此示例基于以下网址中的代码构建:https://developer.android.com/training/secure-file-sharing/request-file:
Kotlin
// Code in
// https://developer.android.com/training/secure-file-sharing/request-file#OpenFile
// used to obtain file descriptor (fd)
try {
val inputStream = FileInputStream(fd)
val tempFile = File.createTempFile("temp", null, cacheDir)
val outputStream = FileOutputStream(tempFile)
val buf = ByteArray(1024)
var len: Int
len = inputStream.read(buf)
while (len > 0) {
if (len != -1) {
outputStream.write(buf, 0, len)
len = inputStream.read(buf)
}
}
inputStream.close()
outputStream.close()
} catch (e: IOException) {
e.printStackTrace()
Log.e("MainActivity", "File copy error.")
return
}
Java
// Code in
// https://developer.android.com/training/secure-file-sharing/request-file#OpenFile
// used to obtain file descriptor (fd)
FileInputStream inputStream = new FileInputStream(fd);
// Create a temporary file
File tempFile = File.createTempFile("temp", null, getCacheDir());
// Copy the contents of the file to the temporary file
try {
OutputStream outputStream = new FileOutputStream(tempFile))
byte[] buffer = new byte[1024];
int length;
while ((length = inputStream.read(buffer)) > 0) {
outputStream.write(buffer, 0, length);
}
} catch (IOException e) {
e.printStackTrace();
Log.e("MainActivity", "File copy error.");
return;
}
清理提供的文件名
在将接收到的文件写入存储空间时,对提供的文件名进行清理。
此缓解措施不如上述缓解措施理想,因为处理所有潜在情况可能具有挑战性。不过:如果生成唯一的文件名不切实际,客户端应用应清理所提供的文件名。清理包括:
- 清理文件名中的路径遍历字符
- 执行规范化以确认没有路径遍历
此示例代码基于有关检索文件信息的指南:
Kotlin
protected fun sanitizeFilename(displayName: String): String {
val badCharacters = arrayOf("..", "/")
val segments = displayName.split("/")
var fileName = segments[segments.size - 1]
for (suspString in badCharacters) {
fileName = fileName.replace(suspString, "_")
}
return fileName
}
val displayName = returnCursor.getString(nameIndex)
val fileName = sanitizeFilename(displayName)
val filePath = File(context.filesDir, fileName).path
// saferOpenFile defined in Android developer documentation
val outputFile = saferOpenFile(filePath, context.filesDir.canonicalPath)
// fd obtained using Requesting a shared file from Android developer
// documentation
val inputStream = FileInputStream(fd)
// Copy the contents of the file to the new file
try {
val outputStream = FileOutputStream(outputFile)
val buffer = ByteArray(1024)
var length: Int
while (inputStream.read(buffer).also { length = it } > 0) {
outputStream.write(buffer, 0, length)
}
} catch (e: IOException) {
// Handle exception
}
Java
protected String sanitizeFilename(String displayName) {
String[] badCharacters = new String[] { "..", "/" };
String[] segments = displayName.split("/");
String fileName = segments[segments.length - 1];
for (String suspString : badCharacters) {
fileName = fileName.replace(suspString, "_");
}
return fileName;
}
String displayName = returnCursor.getString(nameIndex);
String fileName = sanitizeFilename(displayName);
String filePath = new File(context.getFilesDir(), fileName).getPath();
// saferOpenFile defined in Android developer documentation
File outputFile = saferOpenFile(filePath,
context.getFilesDir().getCanonicalPath());
// fd obtained using Requesting a shared file from Android developer
// documentation
FileInputStream inputStream = new FileInputStream(fd);
// Copy the contents of the file to the new file
try {
OutputStream outputStream = new FileOutputStream(outputFile))
byte[] buffer = new byte[1024];
int length;
while ((length = inputStream.read(buffer)) > 0) {
outputStream.write(buffer, 0, length);
}
} catch (IOException e) {
// Handle exception
}
贡献者:Microsoft 威胁情报的 Dimitrios Valsamaras 和 Michael Peck
资源
本页面上的内容和代码示例受内容许可部分所述许可的限制。Java 和 OpenJDK 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-27。
[null,null,["最后更新时间 (UTC):2025-07-27。"],[],[],null,["# Improperly trusting ContentProvider-provided filename\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-CODE: Code Quality](https://mas.owasp.org/MASVS/10-MASVS-CODE)\n\n\nOverview\n--------\n\n[*FileProvider*](/reference/androidx/core/content/FileProvider), a subclass of [*ContentProvider*](/reference/android/content/ContentProvider), is intended to\nprovide a secure method for an application (\"server application\") to [share\nfiles with another application](/training/secure-file-sharing) (\"client application\"). However, if the\nclient application does not properly handle the filename provided by the server\napplication, an attacker-controlled server application may be able to implement\nits own malicious *FileProvider* to overwrite files in the client application's\napp-specific storage.\n\nImpact\n------\n\nIf an attacker can overwrite an application's files, this can lead to malicious\ncode execution (by overwriting the application's code), or allow otherwise\nmodifying the application's behavior (for example, by overwriting the\napplication's shared preferences or other configuration files).\n\nMitigations\n-----------\n\n### Don't Trust User Input\n\nPrefer working without user input when using file system calls by generating a\nunique filename when writing the received file to storage.\n\nIn other words: When the client application writes the received file to storage,\nit should ignore the filename provided by the server application and instead use\nits own internally generated unique identifier as the filename.\n\nThis example builds upon the code found at\n[https://developer.android.com/training/secure-file-sharing/request-file](/training/secure-file-sharing/request-file#java): \n\n### Kotlin\n\n // Code in\n // https://developer.android.com/training/secure-file-sharing/request-file#OpenFile\n // used to obtain file descriptor (fd)\n\n try {\n val inputStream = FileInputStream(fd)\n val tempFile = File.createTempFile(\"temp\", null, cacheDir)\n val outputStream = FileOutputStream(tempFile)\n val buf = ByteArray(1024)\n var len: Int\n len = inputStream.read(buf)\n while (len \u003e 0) {\n if (len != -1) {\n outputStream.write(buf, 0, len)\n len = inputStream.read(buf)\n }\n }\n inputStream.close()\n outputStream.close()\n } catch (e: IOException) {\n e.printStackTrace()\n Log.e(\"MainActivity\", \"File copy error.\")\n return\n }\n\n### Java\n\n // Code in\n // https://developer.android.com/training/secure-file-sharing/request-file#OpenFile\n // used to obtain file descriptor (fd)\n\n FileInputStream inputStream = new FileInputStream(fd);\n\n // Create a temporary file\n File tempFile = File.createTempFile(\"temp\", null, getCacheDir());\n\n // Copy the contents of the file to the temporary file\n try {\n OutputStream outputStream = new FileOutputStream(tempFile))\n byte[] buffer = new byte[1024];\n int length;\n while ((length = inputStream.read(buffer)) \u003e 0) {\n outputStream.write(buffer, 0, length);\n }\n } catch (IOException e) {\n e.printStackTrace();\n Log.e(\"MainActivity\", \"File copy error.\");\n return;\n }\n\n### Sanitize Provided Filenames\n\nSanitize the provided filename when writing the received file to storage.\n\nThis mitigation is less desirable than the preceding mitigation because it can\nbe challenging to handle all potential cases. Nonetheless: If generating a\nunique filename is not practical, the client application should sanitize the\nprovided filename. Sanitization includes:\n\n- Sanitizing path traversal characters in the filename\n- Performing a canonicalization to confirm there are no path traversals\n\nThis example code builds upon the guidance on [retrieving file information](/training/secure-file-sharing/retrieve-info): \n\n### Kotlin\n\n protected fun sanitizeFilename(displayName: String): String {\n val badCharacters = arrayOf(\"..\", \"/\")\n val segments = displayName.split(\"/\")\n var fileName = segments[segments.size - 1]\n for (suspString in badCharacters) {\n fileName = fileName.replace(suspString, \"_\")\n }\n return fileName\n }\n\n val displayName = returnCursor.getString(nameIndex)\n val fileName = sanitizeFilename(displayName)\n val filePath = File(context.filesDir, fileName).path\n\n // saferOpenFile defined in Android developer documentation\n val outputFile = saferOpenFile(filePath, context.filesDir.canonicalPath)\n\n // fd obtained using Requesting a shared file from Android developer\n // documentation\n\n val inputStream = FileInputStream(fd)\n\n // Copy the contents of the file to the new file\n try {\n val outputStream = FileOutputStream(outputFile)\n val buffer = ByteArray(1024)\n var length: Int\n while (inputStream.read(buffer).also { length = it } \u003e 0) {\n outputStream.write(buffer, 0, length)\n }\n } catch (e: IOException) {\n // Handle exception\n }\n\n### Java\n\n protected String sanitizeFilename(String displayName) {\n String[] badCharacters = new String[] { \"..\", \"/\" };\n String[] segments = displayName.split(\"/\");\n String fileName = segments[segments.length - 1];\n for (String suspString : badCharacters) {\n fileName = fileName.replace(suspString, \"_\");\n }\n return fileName;\n }\n\n String displayName = returnCursor.getString(nameIndex);\n String fileName = sanitizeFilename(displayName);\n String filePath = new File(context.getFilesDir(), fileName).getPath();\n\n // saferOpenFile defined in Android developer documentation\n\n File outputFile = saferOpenFile(filePath,\n context.getFilesDir().getCanonicalPath());\n\n // fd obtained using Requesting a shared file from Android developer\n // documentation\n\n FileInputStream inputStream = new FileInputStream(fd);\n\n // Copy the contents of the file to the new file\n try {\n OutputStream outputStream = new FileOutputStream(outputFile))\n byte[] buffer = new byte[1024];\n int length;\n while ((length = inputStream.read(buffer)) \u003e 0) {\n outputStream.write(buffer, 0, length);\n }\n } catch (IOException e) {\n // Handle exception\n }\n\nContributors: Dimitrios Valsamaras and Michael Peck of Microsoft Threat\nIntelligence\n\nResources\n---------\n\n- [Dirty Stream Attack: Turning Android Share Targets Into Attack Vectors](https://i.blackhat.com/Asia-23/AS-23-Valsamaras-Dirty-Stream-Attack-Turning-Android.pdf)\n- [Secure File Sharing](/training/secure-file-sharing)\n- [Request a Shared File documentation](/training/secure-file-sharing/request-file)\n- [Retrieve Info](/training/secure-file-sharing/retrieve-info)\n- [FileProvider](/reference/androidx/core/content/FileProvider)\n- [Path Traversal](/topic/security/risks/path-traversal)\n- [CWE-73 External Control of Filename or Path](https://cwe.mitre.org/data/definitions/73)"]]