Posted to issues@cordova.apache.org by "Hitesh Sahu (JIRA)" <ji...@apache.org> on 2016/08/18 08:33:21 UTC
[jira] [Created] (CB-11719) Security Issues found with SystemWebViewEngine in static code analysis with Veracode
Hitesh Sahu created CB-11719:
--------------------------------
Summary: Security Issues found with SystemWebViewEngine in static code analysis with Veracode
Key: CB-11719
URL: https://issues.apache.org/jira/browse/CB-11719
Project: Apache Cordova
Issue Type: Bug
Components: Android
Environment: Android Hybrid App
Reporter: Hitesh Sahu
Priority: Critical
While doing a security scan of our code using the Veracode tool, the following high priority defect has been found:
Associated Flaws by CWE ID: Exposed Dangerous Method or Function (CWE ID 749)(1 flaw)
Description: The application provides an API or similar interface to a dangerous method or function that is not properly restricted. Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
Recommendations: Restrict the exposed API, or avoid using the classes that exhibit this behavior.
Instances found via Static Scan:
Flaw Id  Module #  Class #  Module                 Location                          Fix By
53       9         -        abc(name_changed).apk  .../SystemWebViewEngine.java 259  16/08/16
The flaw has been caught in SystemWebViewEngine.java. It is an internal Cordova Lib class at the following path: android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine.java
The code at line 259 is: webView.addJavascriptInterface(exposedJsApi, "_cordovaNative");
Since it is an integral part of the Cordova lib, I couldn't understand how to mitigate this flaw. Can you help us understand what should be done in order to mitigate this?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
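Added example (not Cordova's code and not part of this ticket) showing what the CWE-749 finding on addJavascriptInterface() turns on: before API 17 (JELLY_BEAN_MR1) page JavaScript can reach every public method of the injected object through reflection; from API 17 on, only methods annotated with @JavascriptInterface are reachable. The class names NativeApi and BridgeHardening and the exec() method are assumptions for illustration.

```java
// Added example, not from the Cordova project: unrestricted vs. restricted
// exposure of a Java object to a WebView, written from a hardening stance.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class BridgeHardening {

    // Hypothetical bridge object. On API 17+ only methods carrying
    // @JavascriptInterface are callable from page JavaScript; on older
    // releases every public method (including getClass()) is reachable,
    // which is the condition the CWE-749 finding describes.
    public static final class NativeApi {
        @JavascriptInterface
        public String exec(String service, String action, String callbackId, String args) {
            // Dispatch only to an allow-list of plugins here (assumed app logic).
            return "OK";
        }

        // Deliberately NOT annotated: invisible to JavaScript on API 17+.
        public void internalHousekeeping() { }
    }

    // Weak form: unconditional exposure. If minSdkVersion < 17 and the
    // WebView can load untrusted content, this is the flagged condition.
    static void exposeUnrestricted(WebView webView) {
        webView.addJavascriptInterface(new NativeApi(), "_cordovaNative");
    }

    // Hardened form: register the reflective bridge only where the
    // annotation is enforced, and tighten file-URL origin handling so
    // local content cannot widen what the page is allowed to read.
    static boolean exposeRestricted(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Caller should fall back to a non-reflective channel
            // (e.g. a prompt()-based bridge) instead of exposing the object.
            return false;
        }
        webView.getSettings().setAllowFileAccessFromFileURLs(false);
        webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
        webView.addJavascriptInterface(new NativeApi(), "_cordovaNative");
        return true;
    }
}
```

A static analyser flags the call site itself, so the finding usually persists as a documented, mitigated item even with the version gate; what actually governs risk is the app's minSdkVersion, the annotation on every exposed method, and whether the WebView can be steered to content the app does not control.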