You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "Hitesh Sahu (JIRA)" <ji...@apache.org> on 2016/08/30 07:15:20 UTC

[jira] [Commented] (CB-11719) Security Issues found with SystemWebViewEngine in static code analysis with Veracode

    [ https://issues.apache.org/jira/browse/CB-11719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15448295#comment-15448295 ] 

Hitesh Sahu commented on CB-11719:
----------------------------------

  Agreed; without this exposed method we simply cant communicate between Java and JS methods. The risk is that if some malicious html content try to call Java functions with the help of exposed API. That is possible if App is not aware of HTML contents it is rendering.
 Also I want to let you know I had discussion with VeraCode support and we agreed on this fact. 

> Security Issues found with SystemWebViewEngine in static code analysis with Veracode
> ------------------------------------------------------------------------------------
>
>                 Key: CB-11719
>                 URL: https://issues.apache.org/jira/browse/CB-11719
>             Project: Apache Cordova
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Android
>         Environment: Android Hybrid App
>            Reporter: Hitesh Sahu
>            Priority: Critical
>
> While doing a security scan of our code using the veracode tool, following high priority defect has been found :  
> Associated Flaws by CWE ID: Exposed Dangerous Method or Function (CWE ID 749)(1 flaw)  
> Description  The application provides an API or similar interface to a dangerous method or function that is not properly restricted.  Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code.
>  1 day to fix. 
>  Recommendations  Restrict the exposed API, or avoid using the classes that exhibit this behavior. 
>   Instances found via Static Scan  Flaw Id Module # Class # Module Location Fix By  53 9 - abc(name_changed).apk  .../SystemWebViewEngine.java 259 16/08/16  
> The flaw has been caught in SystemWebViewEngine.java.  It is an internal Cordova Lib class at following path:-    android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine.java  
> The code at line 259 is :-  webView.addJavascriptInterface(exposedJsApi, "_cordovaNative"); 
>  Since being an integral part of Cordova lib I couldn't understand how to mitigate this flaw.  Can you help us to understand what should be done in order to mitigate this ?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org