[PR #430] [MERGED] fix!: Sanitization for IPA path strings #1610

Closed
opened 2026-03-03 19:07:58 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/PlayCover/PlayCover/pull/430
Author: @ohaiibuzzle
Created: 10/19/2022
Status: Merged
Merged: 10/19/2022
Merged by: @Depal1

Base: develop ← Head: fix/sanitize-strings


📝 Commits (1)

  • 5767fea fix: Sanitization for IPA path strings

📊 Changes

1 file changed (+7 additions, -1 deletions)

📝 PlayCover/Utils/URLExtensions.swift (+7 -1)

📄 Description

This PR attempts to fix a potential security issue in PlayCover IPA extraction where it may be vulnerable to shell command injections.

For example: two IPA files could be delivered to a user

  • valid.ipa <-- Valid ZIP archive (can be hidden, so that zip exits with code 0)
  • valid.ipa;some_command|printf .ipa <-- also a valid IPA file

When the second IPA is selected to be installed, PlayCover will run

/bin/zsh -c "unzip -oq /path/to/file/valid.ipa;some_command&&printf\ .ipa -d <tempdir>

Which:

  • Extracts the first IPA to the working directory (not the allocated temp dir since we escaped that)
  • Runs whatever command is specified (some_command)

Examples:

  • valid.ipa;as|printf .ipa which should hang PlayCover indefinitely as `as` waits for input
  • -;bluetoothd&&.ipa which will crash your Mac

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
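
An added example, not the change made in this PR and not PlayCover's code: two ways to keep a file name like the ones in the description from being parsed as shell syntax. `shellQuoted` and `unzip(archive:to:)` are hypothetical names, `/usr/bin/unzip` is an assumed path, and `it's.ipa` is a constructed sample.

```swift
import Foundation

// Hypothetical helper, not PlayCover's code: single-quote a string for a POSIX
// shell. Inside '...' nothing is special except ' itself, written as '\''.
func shellQuoted(_ text: String) -> String {
    return "'" + text.replacingOccurrences(of: "'", with: "'\\''") + "'"
}

// Preferred form: no shell involved. Each array element becomes exactly one
// argv entry of unzip, so ';', '|', '&' and spaces are ordinary file-name bytes.
// Assumes the system unzip at /usr/bin/unzip and file URLs (absolute .path, so
// a name starting with '-' cannot be read as an option).
func unzip(archive: URL, to destination: URL) throws -> Int32 {
    let process = Process()
    process.executableURL = URL(fileURLWithPath: "/usr/bin/unzip")
    process.arguments = ["-oq", archive.path, "-d", destination.path]
    try process.run()
    process.waitUntilExit()
    return process.terminationStatus
}

// Constructed sample names; the second is the one from the description above.
let names = ["valid.ipa", "valid.ipa;some_command|printf .ipa", "it's.ipa"]
for name in names {
    let path = "/path/to/file/" + name
    // What a shell would be handed with and without quoting (printed only).
    print("interpolated: unzip -oq \(path) -d <tempdir>")
    print("quoted:       unzip -oq \(shellQuoted(path)) -d <tempdir>")
}
```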
