Content Provider Path Traversal
Description
Improperly validated ContentProvider URIs can allow path traversal to read arbitrary files or expose private app data when using openFile/openAssetFile.
Examples
Attempt Traversal via content Shell
adb shell content read --uri "content://com.example.provider/../../../../data/data/com.example.app/databases/app.db"
If data is returned, the provider fails to canonicalize and validate paths.
Remediation
- Canonicalize and validate
  - Resolve paths with File.getCanonicalPath() and enforce allow‑listed directories.
- Enforce permissions
  - Require signature‑level permissions or READ/WRITE custom permissions; avoid grantUriPermissions broadly.
- Use FileProvider
  - Prefer FileProvider with strict paths.xml to mediate file access safely.
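
The canonicalize-and-validate step, as an added example that is not part of the original page: a path check a provider's openFile() could call before opening anything. It is plain Java so it runs without the Android SDK; the class name SafePathResolver, the directory layout and the sample paths are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;

/** Added example (hypothetical helper): resolves a caller-supplied path inside one allow-listed directory. */
public class SafePathResolver {
    private final File baseDir; // canonical form of the only directory the provider serves

    public SafePathResolver(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Canonicalize first, then require the result to stay under baseDir. */
    public File resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new SecurityException("empty path");
        }
        // getCanonicalFile() collapses "." and ".." and resolves symlinks.
        File candidate = new File(baseDir, requested).getCanonicalFile();
        // Compare with a trailing separator so ".../shared_evil" does not match ".../shared".
        String prefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new SecurityException("path escapes allow-listed directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout; in a provider the base would be a subdirectory
        // of the app's files dir, and "requested" would come from the Uri path.
        File base = new File(System.getProperty("java.io.tmpdir"), "provider_demo/files/shared");
        base.mkdirs();
        SafePathResolver resolver = new SafePathResolver(base);
        String[] samples = {            // constructed sample requests
            "report.txt",               // inside base: allowed
            "sub/../report.txt",        // normalizes to inside base: allowed
            "../../databases/app.db",   // climbs out of base: denied
            "../shared_evil/x"          // sibling sharing the name prefix: denied
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolver.resolve(s));
            } catch (SecurityException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a provider, openFile() would pass the decoded path from the incoming Uri to resolve() and open only the File it returns, letting the SecurityException propagate to the caller.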