[ https://issues.apache.org/jira/browse/CB-13186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joe Bowser resolved CB-13186.
-----------------------------
Resolution: Not A Problem
How can the user interact with assets that are zipped and are packaged with the
application? If the assets are already compromised, we have bigger issues than
this bug. This isn't user-facing code, and is dealing with Android's asset
manager. I highly suspect that this is a false positive picked up by HP
Fortify looking for JSP bugs.
> HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in
> cordova-plugin-file/src/android/AssetFilesystem.java
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: CB-13186
> URL: https://issues.apache.org/jira/browse/CB-13186
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-plugin-file
> Affects Versions: 5.1.1
> Environment: Android 4 (Crosswalk)
> Reporter: GSS FED
> Assignee: Joe Bowser
>
> Dynamic Code Evaluation: Unsafe Deserialization
> [https://vulncat.hpefod.com/en/detail?id=desc.structural.java.dynamic_code_evaluation_unsafe_deserialization]
> Abstract:
> At runtime, deserializing a user-controlled object stream may allow an attacker to execute arbitrary code on the server, abuse application logic, and/or cause a denial of service.
> Line: 56
> Snippet:
> {code:java}
> try {
>     ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
>     listCache = (Map<String, String[]>) ois.readObject();
>     lengthCache = (Map<String, Long>) ois.readObject();
>     listCacheFromFile = true;
> {code}
> TargetFunction: FunctionCall: readObject()
> Line: 57
> Snippet:
> {code:java}
>     ois = new ObjectInputStream(assetManager.open("cdvasset.manifest"));
>     listCache = (Map<String, String[]>) ois.readObject();
>     lengthCache = (Map<String, Long>) ois.readObject();
>     listCacheFromFile = true;
> } catch (ClassNotFoundException e) {
> {code}
> TargetFunction: FunctionCall: readObject()
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
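Added example, not part of the JIRA thread and not Cordova's own code: the Fortify rule fires because the two readObject() calls above will instantiate whatever class descriptors the stream carries, and nothing in the snippet limits that to the Map<String, String[]> and Map<String, Long> the code expects. Whether cdvasset.manifest can be attacker-controlled at all is the question the resolution above answers; independent of that answer, the check a reviewer would normally ask for is a look-ahead deserializer that rejects any class other than the expected ones before it is loaded. The version below does this by overriding ObjectInputStream.resolveClass(), which works on every Java and Android runtime, including the Android 4 environment named in the report, whereas the JEP 290 ObjectInputFilter API is only available from Java 9 (and much later on Android). ManifestReaderExample, ManifestObjectInputStream, readManifest and the sample byte streams are all names and inputs constructed for this example; the allow-list assumes the manifest writer used java.util.HashMap, which is an assumption, not something the thread states.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class ManifestReaderExample {

    // Only the classes needed to carry Map<String, String[]> and Map<String, Long>.
    // java.lang.Number is on the list because Long's serialized class-descriptor
    // chain includes its Serializable superclass. Assumption (not from the thread):
    // the manifest writer uses java.util.HashMap for both maps.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.String",
            "[Ljava.lang.String;",
            "java.lang.Long",
            "java.lang.Number"));

    // Look-ahead deserializer: resolveClass() runs for every class descriptor in the
    // stream before an instance of that class is created, so an unexpected class is
    // rejected rather than instantiated.
    static final class ManifestObjectInputStream extends ObjectInputStream {
        ManifestObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(
                        "Unexpected class in cdvasset.manifest: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static final class Manifest {
        final Map<String, String[]> list;
        final Map<String, Long> lengths;

        Manifest(Map<String, String[]> list, Map<String, Long> lengths) {
            this.list = list;
            this.lengths = lengths;
        }
    }

    // Same two readObject() calls as the flagged code, but through the filtering stream.
    @SuppressWarnings("unchecked")
    static Manifest readManifest(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ManifestObjectInputStream(in)) {
            Map<String, String[]> list = (Map<String, String[]>) ois.readObject();
            Map<String, Long> lengths = (Map<String, Long>) ois.readObject();
            return new Manifest(list, lengths);
        }
    }

    // Constructed sample input: a well-formed manifest with one directory and one file.
    static byte[] sampleManifest() throws IOException {
        Map<String, String[]> list = new HashMap<>();
        list.put("www", new String[] {"index.html"});
        Map<String, Long> lengths = new HashMap<>();
        lengths.put("www/index.html", 123L);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(list);
            oos.writeObject(lengths);
        }
        return bos.toByteArray();
    }

    // Constructed sample input: a stream whose first object is a class that is not
    // on the allow-list (TreeMap stands in for any unexpected type).
    static byte[] unexpectedManifest() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new TreeMap<String, String[]>());
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Manifest m = readManifest(new ByteArrayInputStream(sampleManifest()));
        System.out.println("www -> " + m.list.get("www")[0]
                + ", length " + m.lengths.get("www/index.html"));
        try {
            readManifest(new ByteArrayInputStream(unexpectedManifest()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list has to name the array descriptor "[Ljava.lang.String;" and Long's superclass explicitly; leaving either out makes a well-formed manifest fail to load, which is an easy way to tell whether the filter is actually being consulted. If the asset is only ever produced by the project's own build step, a format without an object graph at all (one path and one length per line) removes the readObject() call, and the finding with it.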