Hitesh Sahu created CB-11719:
--------------------------------

Summary: Security Issues found with SystemWebViewEngine in static code analysis with Veracode
Key: CB-11719
URL: https://issues.apache.org/jira/browse/CB-11719
Project: Apache Cordova
Issue Type: Bug
Components: Android
Environment: Android Hybrid App
Reporter: Hitesh Sahu
Priority: Critical

While doing a security scan of our code using the Veracode tool, the following high-priority defect has been found:

Associated Flaws by CWE ID:
Exposed Dangerous Method or Function (CWE ID 749) (1 flaw)

Description
The application provides an API or similar interface to a dangerous method or function that is not properly restricted.

Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
Restrict the exposed API, or avoid using the classes that exhibit this behavior.

Instances found via Static Scan

Flaw Id  Module #  Class #  Module                  Location                          Fix By
53       9         -        abc(name_changed).apk   .../SystemWebViewEngine.java 259  16/08/16

The flaw has been caught in SystemWebViewEngine.java. It is an internal Cordova Lib class at the following path:

    android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine.java

The code at line 259 is:

    webView.addJavascriptInterface(exposedJsApi, "_cordovaNative");

Since it is an integral part of Cordova lib, I couldn't understand how to mitigate this flaw. Can you help us to understand what should be done in order to mitigate this?