Handle zip traversal vulnerability MobileChromeApps#92

Author: remoorejr

src/android/Zip.java

@@ -126,6 +126,13 @@ private void unzipSync(CordovaArgs args, CallbackContext callbackContext) {
                    dir.mkdirs();
                 } else {
                     File file = new File(outputDirectory + compressedName);
+                    String canonicalPath = file.getCanonicalPath();
+                     if (!canonicalPath.startsWith(outputDirectory)) {
+                         String errorMessage = "Zip traversal security error";
+                         callbackContext.error(errorMessage);
+                         Log.e(LOG_TAG, errorMessage);
+                         return;
+                     }
                     file.getParentFile().mkdirs();
                     if(file.exists() || file.createNewFile()){
                         Log.w("Zip", "extracting: " + file.getPath());