slack-digest/2021-06-03.md
Thu, 03 Jun 2021 08:46:20 GMT
Join the conversation at slack.cordova.io
Wed, 02 Jun 2021 09:23:02 GMT
@bergantin_joy says
Hi, New to cordova here. I've been assigned with running security scans in our app which runs on Cordova. However, the scanner seems to tag vulnerabilities in the Cordova as well.
- one of which is, "Insecure Implementation Of WebView SSL Error Can Expose Network Traffic to Interception and Modification" where the SystemWebViewClient.java 's method onReceivedSslError was found to have a handler.proceed(). I'd assume that this was intentional if the developer is debugging the app. But, are there plans on adding codes on this? (e.g. logging specific SSL error in the backend or prompting the user with a generic popup)
- The scanner also tagged "Context Registered Broadcast Receivers Not Protected With Permissions" where the implementation of registerReceiver from SystemWebViewEngine.java, CoreAndroid.java, NetworkManager.java do not include permissions. Though the first file does not necessarily need this from my viewpoint. I know that some of these files have been around for years without issues and I'm not looking forward for them to be changed at all. I just wanted to understand the reason/implementation behind these.
Wed, 02 Jun 2021 13:30:28 GMT
@norman137 says
it only proceeds on ssl errors if the application is in debug mode. Applications for release won't be in debug mode, Google will reject all debug variants of apps, so it will be hard to accidentally upload a debug version of an app.
Wed, 02 Jun 2021 13:30:39 GMT
@norman137 says
Wed, 02 Jun 2021 13:31:57 GMT
@norman137 says
In my experience (which there are many who reports bugs based on these static analysis tools) they do not do a good job. They just simply see the function name and a line, without looking at surrounding context, yielding a lot of false positives.
Wed, 02 Jun 2021 13:36:41 GMT
@norman137 says
For context about why something may be done, I would suggest looking at the source code on Github and use the blame tool to see the last commit that touched those line(s). The commit (hopefully) will be attached to a Github issue, PR, or a Cordova Jira issue (depending on the age of the commit). If it's a Jira tag (CB-XXXXXX) then you can probably search for the issue on https://issues.apache.org/jira/projects/CB/issues/CB-11440?filter=allopenissues
Most of the framework is 6-7 years old and a lot of the developers who worked on Cordova then aren't around anymore.
Wed, 02 Jun 2021 16:11:12 GMT
@khatridevk says
In my app, I open image files using inappbrowser plugin, but now it cannot open file of type heic. How's everyone handling it ! Another plugin ?