[jira] [Closed] (CB-12202) Security: Exposed Dangerous Method or Function

Thu, 01 Dec 2016 01:05:51 -0800 

     [ 
https://issues.apache.org/jira/browse/CB-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

jcesarmobile closed CB-12202.
-----------------------------
    Resolution: Duplicate
      Assignee: jcesarmobile

It's a duplicate of CB-11719


> Security: Exposed Dangerous Method or Function
> ----------------------------------------------
>
>                 Key: CB-12202
>                 URL: https://issues.apache.org/jira/browse/CB-12202
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Daulet Urazalinov
>            Assignee: jcesarmobile
>              Labels: security
>
> We use VeraCode to analyze level of security of our applications. When we 
> submit our application that uses the latest Cordova version, we get "Exposed 
> Dangerous Method or Function" 
> (http://cwe.mitre.org/data/definitions/749.html) in this file: 
> org/apache/cordova/engine/SystemWebViewEngine.java line 262.
> We would like to know your opinion about this issue and suggested remediation.
> Here is the detailed information we got from VeraCode:
> Attack Vector: android.webkit.WebView.addJavascriptInterface
> Description: Use of the android.webkit.WebView.addJavascriptInterface() 
> method before Android SDK revision 17 (Android 4.2) is dangerous, as this 
> allows remote attackers to execute arbitrary methods of Java objects (using 
> the inherited .getClass()) within JavaScript code that is loaded into the 
> WebView.
> Remediation: The ideal solution is to remove the use of a JavaScript-Java 
> bridge in this application. Another possible solution is to develop a custom 
> bridge via the shouldOverrideUrlLoading() method; however, this option can be 
> risky and consideration must be given to what functionality is exposed and to 
> the prevention of injection attacks. If removal or development of a custom 
> solution are not options, then one should at least verify the application is 
> not loading JavaScript from an untrusted source.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org

Reply via email to