Hitesh Sahu created CB-11719:
--------------------------------
Summary: Security Issues found with SystemWebViewEngine in static
code analysis with Veracode
Key: CB-11719
URL: https://issues.apache.org/jira/browse/CB-11719
Project: Apache Cordova
Issue Type: Bug
Components: Android
Environment: Android Hybrid App
Reporter: Hitesh Sahu
Priority: Critical
While doing a security scan of our code using the veracode tool, following high
priority defect has been found :
Associated Flaws by CWE ID: Exposed Dangerous Method or Function (CWE ID 749)(1
flaw)
Description The application provides an API or similar interface to a
dangerous method or function that is not properly restricted. Effort to Fix: 2
- Implementation error. Fix is approx. 6-50 lines of code.
1 day to fix.
Recommendations Restrict the exposed API, or avoid using the classes that
exhibit this behavior.
Instances found via Static Scan Flaw Id Module # Class # Module Location Fix
By 53 9 - abc(name_changed).apk .../SystemWebViewEngine.java 259 16/08/16
The flaw has been caught in SystemWebViewEngine.java. It is an internal
Cordova Lib class at following path:-
android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine.java
The code at line 259 is :- webView.addJavascriptInterface(exposedJsApi,
"_cordovaNative");
Since being an integral part of Cordova lib I couldn't understand how to
mitigate this flaw. Can you help us to understand what should be done in order
to mitigate this ?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
