[BUG] Directory Traversal is not allowed in a subst filesystem

Open Genouka opened this issue 5 months ago • 2 comments

Information

  1. Apktool Version (apktool -version) - 2.12.0
  2. Operating System (Mac, Linux, Windows) - Windows
  3. APK From? (Playstore, ROM, Other) - Other
  4. Java Version (java --version) - openjdk version "24.0.1" 2025-04-15

Stacktrace/Logcat

I: Using Apktool 2.12.0 on base.apk with 8 threads
I: Baksmaling classes.dex...
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: C:\Users\29800\AppData\Local\apktool\framework\1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
I: Copying original files...
W: Skipping file META-INF/CERT.SF (Directory Traversal is not allowed)
W: Skipping file META-INF/CERT.RSA (Directory Traversal is not allowed)
W: Skipping file META-INF/MANIFEST.MF (Directory Traversal is not allowed)
I: Copying assets...
W: Skipping file assets/log.txt (Directory Traversal is not allowed)
I: Copying lib...
W: Skipping file lib/armeabi-v7a/libxwalkcore.so (Directory Traversal is not allowed)
W: Skipping file lib/armeabi-v7a/libxwalkdummy.so (Directory Traversal is not allowed)
I: Copying unknown files...

Steps to Reproduce

  1. Create a case sensitive file directory and copy base.apk in it.
  2. Open PowerShell and run:

subst X: .
cd X:
./apktool d base.apk

If I don't use subst, apktool works fine.

But the scripts in my workflow are very complex, they require subst to work, I can't replace them.

./apktool b triggers the same issue.

Frameworks

This APK is not from an OEM ROM.

APK

If this APK can be freely shared, please upload/attach a link to it.

The base.apk is a private program, so I can't share it. But I have tried many APKs, and they all trigger this issue.

Questions to ask before submission

  1. Have you tried apktool d, apktool b without changing anything? Yes, they all trigger this issue.
  2. If you are trying to install a modified apk, did you resign it? No.
  3. Are you using the latest apktool version? Yes.

Genouka, Aug 08 '25 14:08

Sorry, with not knowing what subst is and not using Windows - this may sit for a while. Just to set expectations.

iBotPeaches, Aug 08 '25 14:08

I took a look and am not sure how to fix this. It appears subst is making a virtual drive letter at the root which during our sanitation ends up looking like a traversal attack. I wouldn't know how to make a distinction between a known safe subst usage and an accidental/intentional traversal attack.

Saying that - in Apktool 3 we've rewritten a bit of the messaging regarding this error so "Directory Traversal is not allowed" is not a valid output anymore. If you want to try a bleeding edge build (https://github.com/iBotPeaches/Apktool/actions/runs/19032256767/job/54349419393) you could try again and see how the message changes. This would help me ensure I'm looking at the right place.

iBotPeaches avatar Nov 03 '25 11:11 iBotPeaches
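
An added illustration of the kind of false positive discussed in the thread above, not Apktool's own code: a containment check that resolves only the entry through an alias rejects a benign file, while resolving both sides the same way accepts it and still rejects `../`. Assumptions: a symlink stands in for the subst drive (the thread does not show the actual check), and all function names are hypothetical.

```python
import os
import tempfile


def _within(root: str, path: str) -> bool:
    """True if path is root itself or lies below it (both absolute)."""
    return os.path.commonpath([root, path]) == root


def inside_mismatched(base: str, entry: str) -> bool:
    """Entry is resolved through links, base is only made absolute."""
    target = os.path.realpath(os.path.join(base, entry))
    return _within(os.path.abspath(base), target)


def inside_consistent(base: str, entry: str) -> bool:
    """Base and entry go through the same resolution before comparing."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, entry))
    return _within(real_base, target)


def demo() -> dict:
    # Constructed layout: "real" is the output directory and "alias" is a
    # symlink to it, standing in for a subst drive letter (assumption).
    with tempfile.TemporaryDirectory(prefix="alias-demo-") as tmp:
        tmp = os.path.realpath(tmp)
        real = os.path.join(tmp, "real")
        os.makedirs(os.path.join(real, "META-INF"))
        alias = os.path.join(tmp, "alias")
        os.symlink(real, alias, target_is_directory=True)

        ok = "META-INF/CERT.SF"   # benign entry name taken from the log above
        bad = "../outside.txt"    # constructed traversal entry
        return {
            "mismatched_alias_ok": inside_mismatched(alias, ok),
            "mismatched_real_ok": inside_mismatched(real, ok),
            "consistent_alias_ok": inside_consistent(alias, ok),
            "consistent_alias_bad": inside_consistent(alias, bad),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Creating the symlink needs a POSIX system, or Windows with symlink privileges.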