VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 25, 2022· Updated Aug 4, 2024

Calsign APDE ZIP File CopyBuildTask.java handleExtract path traversal

CVE-2020-36628

Description

A vulnerability classified as critical has been found in Calsign APDE. This affects the function handleExtract of the file APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java of the component ZIP File Handler. The manipulation leads to path traversal. Upgrading to version 0.5.2-pre2-alpha is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216747.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

APDE versions before 0.5.2-pre2-alpha are vulnerable to path traversal in the ZIP file handler, allowing arbitrary file write.

Vulnerability

The vulnerability exists in the handleExtract function of APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java in the Calsign APDE application. The component is a ZIP file handler that fails to properly validate file paths during extraction. This allows a malicious ZIP archive to traverse outside the intended extraction directory. Affected versions are all prior to 0.5.2-pre2-alpha [2].

Exploitation

An attacker can exploit this by crafting a ZIP archive containing entries with path traversal sequences (e.g., ../). The attacker must deliver this archive to the application; user interaction is required to open the malicious file. No authentication is needed beyond the ability to supply the file. The extraction code, before the fix, directly used the entry name to create a new File without checking if the canonical path remains within the target folder [2].

Impact

Successful exploitation leads to path traversal, enabling arbitrary file write outside the intended extraction directory. This can result in unauthorized modification of application files or system files, potentially leading to code execution or denial of service depending on the write target [2].

Mitigation

The vulnerability is fixed in version 0.5.2-pre2-alpha, released as a tagged GitHub release [1]. The fix adds a check using getCanonicalPath() to ensure the extracted file path starts with the target directory's canonical path, aborting extraction if a traversal attempt is detected [2]. Users should upgrade to this version or later. No workaround is provided in the references.

References
  1. Release v0.5.2-pre2 Alpha · Calsign/APDE
  2. fix zip path traversal vulnerability · Calsign/APDE@c6d64cb

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Calsign/APDEllm-create
    Range: <0.5.2-pre2-alpha
  • Calsign/APDEv5
    Range: n/a

Patches

2
0484f8c9151b

Release v0.5.2-pre2

https://github.com/calsign/apdeWill SmithNov 28, 2021via osv
commit
2 files changed · +10 3
  • APDE/build.gradle+2 2 modified
    @@ -7,8 +7,8 @@ android {
         applicationId "com.calsignlabs.apde"
         minSdkVersion 19
         targetSdkVersion 28
-        versionCode 32
-        versionName "0.5.2-pre1"
+        versionCode 33
+        versionName "0.5.2-pre2"
         multiDexEnabled true
 
         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
  • APDE/src/main/assets/whatsnew.txt+8 1 modified
    @@ -1,4 +1,4 @@
-v0.5.2-pre1 Alpha
+v0.5.2-pre2 Alpha
 
  - Real-time compilation
    - Your code automatically compiles in the background
@@ -7,8 +7,15 @@ v0.5.2-pre1 Alpha
      all errors and warnings found in your code
    - Improved preprocessor
  - Improved file selection
+ - Sketches no longer open in split-screen by default
  - Bug fixes and improvements
 
+Note: Google Play now requires all app updates to target API level 30,
+but doing so breaks the way that APDE currently uses AAPT on
+Android 10+. As a result, v0.5.2 will not be released on Google Play.
+Instead, v0.5.3 is in progress and will feature a new approach for
+running AAPT, among other things.
+
 ------------------------------------------------------------------------
 
 v0.5.1 Alpha
c6d64cbe4653

fix zip path traversal vulnerability

https://github.com/calsign/apdeWill SmithMay 18, 2020via osv
commit
2 files changed · +5 1
  • APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java+4 0 modified
    @@ -271,6 +271,10 @@ private static boolean handleExtract(InputStream inputStream, File folder) {
 			ZipEntry zipEntry;
 			while ((zipEntry = zipIn.getNextEntry()) != null) {
 				File file = new File(folder, zipEntry.getName());
+				if (file.getCanonicalPath().startsWith(folder.getCanonicalPath())) {
+					System.err.println("Aborted zip! Attempted zip path traversal attack extracting to: " + folder.getAbsolutePath());
+					return false;
+				}
 				
 				if (zipEntry.isDirectory()) {
 					if (!file.exists() && !file.mkdirs()) return false;
  • build.gradle+1 1 modified
    @@ -5,7 +5,7 @@ buildscript {
         google()
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.6.2'
+        classpath 'com.android.tools.build:gradle:3.6.3'
     }
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.