Malicious symlinked APK can lead to arbitrary file read
This is not a threat given current use cases and setups, but it will be important to address as we work to spread the tools to more people, and to people with less technical skill. The open question is how best to address it:
- use `--copy-links` when rsyncing in `fdroid server update`
- use `--safe-links` when rsyncing in `fdroid server update`
- make `fdroid update` fail with an error when a symlinked `.apk` is found
- something else?
Here's the full description from the audit:
Upon testing with symlinks and file privileges, an issue with processing maliciously hidden symlinks was discovered. Importantly, the problem permits arbitrary file disclosure. An attacker can provide a malicious APK file (which actually is a symlink) to read arbitrary files from the webserver, thus leading to a local file disclosure.
When building the repository index with the use of the command `fdroid update -c`, an error for the provided fake APK is thrown. Regrettably, if one does not perform a careful inspection of the output or check the files by hand, the error notification can easily be missed.
```
local$ ls -l repo/
lrwxr-xr-x  1 user  staff  11 Jan  6 11:17 sym.apk -> /etc/passwd
local$ fdroid update -c
Failed to get apk information, skipping repo/sym.apk
local$ fdroid server update
local$ curl http://107.178.220.225/repo/sym.apk
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
```
The desirable setup is for the repository to be stored locally. In addition, new files should be checked thoroughly before being pushed to a live server. For further protection, a supplementary feature could be implemented to make some basic sanity checks of whether the repository is clean. Keep in mind, however, that security comes down to the dependability of the admin, who ideally should always ensure that no accidental malicious files (PHP scripts, symlinks, `.htaccess` files, etc.) are pushed to the server.
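The "fail with an error when a symlinked `.apk` is found" option from the list above, and the "basic sanity checks of whether the repository is clean" the audit recommends, both come down to one pre-publish gate. The following is an added example, not fdroidserver's own code: it scans a `repo/` directory with `lstat`-style checks (the link is never followed, so the target is never read), raises instead of merely printing a skip message, and builds a throwaway repository with a constructed `sym.apk` pointing outside the repo to show the check firing. The function names, the `SymlinkApkError` class and the demo data are this example's own.

```python
"""Refuse to publish an F-Droid repo/ directory that contains symlinked APKs.

Added example, not fdroidserver's own code. Names (find_symlink_apks,
check_repo, build_demo_repo, SymlinkApkError) and the demo repository are
this example's own assumptions.
"""
import os
import tempfile
from pathlib import Path


class SymlinkApkError(Exception):
    """Raised when a .apk entry in the repo is a symbolic link."""


def find_symlink_apks(repo_dir):
    """Return a sorted list of (name, link_target) for every *.apk entry in
    repo_dir that is a symlink. Path.is_symlink() uses lstat, so the link is
    never followed and the target's contents are never opened."""
    hits = []
    for entry in Path(repo_dir).iterdir():
        if entry.suffix.lower() == ".apk" and entry.is_symlink():
            hits.append((entry.name, os.readlink(entry)))
    return sorted(hits)


def check_repo(repo_dir):
    """Pre-publish gate: raise instead of silently skipping, so an automated
    `fdroid update` / `fdroid server update` step cannot push the link on
    to the web server unnoticed."""
    hits = find_symlink_apks(repo_dir)
    if hits:
        details = ", ".join(f"{name} -> {target}" for name, target in hits)
        raise SymlinkApkError(f"refusing to publish: symlinked APK(s) found: {details}")
    return hits  # empty list: nothing suspicious


def build_demo_repo(with_symlink=True):
    """Construct a throwaway repo/ directory (constructed sample data, not a
    real repository): good.apk is a regular file; sym.apk, if requested, is a
    symlink to a 'secret' file outside the repo, mirroring the audit's
    sym.apk -> /etc/passwd without touching the real system file."""
    base = Path(tempfile.mkdtemp(prefix="fdroid-demo-"))
    secret = base / "secret.txt"
    secret.write_text("root:x:0:0:root:/root:/bin/bash\n")  # stand-in for /etc/passwd
    repo = base / "repo"
    repo.mkdir()
    (repo / "good.apk").write_bytes(b"PK\x03\x04")  # regular file, zip magic only
    if with_symlink:
        os.symlink(secret, repo / "sym.apk")
    return str(repo), str(secret)


if __name__ == "__main__":
    repo, secret = build_demo_repo()
    try:
        check_repo(repo)
    except SymlinkApkError as exc:
        print(exc)  # refusing to publish: symlinked APK(s) found: sym.apk -> .../secret.txt
```

Run the gate on the local copy before any rsync step. On the rsync options themselves: `--copy-links` dereferences links on the sending side, so the target file's contents would still be uploaded under the `.apk` name, whereas `--safe-links` ignores symlinks that point outside the tree being copied; the local check above catches the case either way, before anything reaches the server.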