From c8a9899d8162b537e5814a73950c5d2067cbeaf8 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Wed, 20 Sep 2023 11:31:05 +0000
Subject: [PATCH 1/2] Introduced protections against "zip slip" attacks
---
 .../opentracks/io/file/importer/KmzTrackImporter.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/de/dennisguse/opentracks/io/file/importer/KmzTrackImporter.java b/src/main/java/de/dennisguse/opentracks/io/file/importer/KmzTrackImporter.java
index e8fda73a5..a6f0fe16b 100644
--- a/src/main/java/de/dennisguse/opentracks/io/file/importer/KmzTrackImporter.java
+++ b/src/main/java/de/dennisguse/opentracks/io/file/importer/KmzTrackImporter.java
@@ -21,6 +21,7 @@
 import android.util.Log;
 import androidx.annotation.NonNull;
+import io.github.pixee.security.ZipSecurity;
 import java.io.File;
 import java.io.FileOutputStream;
@@ -84,7 +85,7 @@ public List importFile(Uri fileUri) throws IOException {
 */
 private boolean copyKmzImages(Uri uri, Track.Id trackId) throws IOException {
 try (InputStream inputStream = context.getContentResolver().openInputStream(uri);
- ZipInputStream zipInputStream = new ZipInputStream(inputStream)) {
+ ZipInputStream zipInputStream = ZipSecurity.createHardenedInputStream(inputStream)) {
 ZipEntry zipEntry;
 while ((zipEntry = zipInputStream.getNextEntry()) != null) {
@@ -145,7 +146,7 @@ private boolean hasImageExtension(String fileName) {
 private List findAndParseKmlFile(Uri uri) throws IOException {
 try (InputStream inputStream = context.getContentResolver().openInputStream(uri);
- ZipInputStream zipInputStream = new ZipInputStream(inputStream)) {
+ ZipInputStream zipInputStream = ZipSecurity.createHardenedInputStream(inputStream)) {
 ZipEntry zipEntry;
 ArrayList trackIds = new ArrayList<>();
From 56a44ef798353fb60a1b9cd471fcb53e22149dbd Mon Sep 17 00:00:00 2001 
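Review bot: Swapping in `ZipSecurity.createHardenedInputStream(inputStream)` changes only how entries are read, and `copyKmzImages` still declares `throws IOException`; if the hardened stream rejects a traversal entry from `getNextEntry()` with an unchecked exception rather than an `IOException` (confirm against the library), the `while` loop on the last line of this hunk aborts the whole import and the failure escapes callers that only handle `IOException`, so catch that type at the `try` and report it the same way an `IOException` is reported. The entry-name filter also does not replace a containment check wherever `zipEntry.getName()` is turned into an output path later in the method (outside this hunk): resolve the destination against the image directory and skip the entry if its canonical path is not under that directory. The commit addresses zip slip only; nothing here bounds the number of entries or the bytes copied per entry, so a size cap on the copy loop remains worth considering for untrusted KMZ input. The same points apply to `findAndParseKmlFile` in the next hunk; both method bodies continue outside their hunks.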
From: Zach Carroll
Date: Wed, 20 Sep 2023 07:57:09 -0400
Subject: [PATCH 2/2] Update build.gradle
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build.gradle b/build.gradle
index 71b18b53c..fe0a135f8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -135,6 +135,7 @@ dependencies {
 implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
 implementation 'androidx.core:core-splashscreen:1.0.1'
 implementation 'androidx.mediarouter:mediarouter:1.4.0'
+ implementation("io.github.pixee:java-security-toolkit:1.0.7")
 androidTestImplementation 'androidx.test:core:1.5.0'
 androidTestImplementation 'androidx.test.ext:junit:1.1.5'
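Review bot: The added line uses the parenthesised, double-quoted form `implementation("io.github.pixee:java-security-toolkit:1.0.7")` while every neighbouring declaration in this block uses the `implementation '...'` form; write it as `implementation 'io.github.pixee:java-security-toolkit:1.0.7'` to match. Because patch 1/2 wires this artifact into the KMZ import path, it is a security-relevant dependency: pinning the version is right, and recording its checksum via Gradle dependency verification would make a substituted artifact fail the build rather than ship. The `dependencies {}` block continues outside the hunk.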