cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joe Bowser (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CB-13186) HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java
Date Thu, 17 Aug 2017 20:46:00 GMT

     [ https://issues.apache.org/jira/browse/CB-13186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Joe Bowser resolved CB-13186.
-----------------------------
    Resolution: Not A Problem

How can the user interact with assets that are zipped and are packaged with the application?
If the assets are already compromised, we have bigger issues than this bug.  This isn't user-facing
code, and is dealing with Android's asset manager.  I highly suspect that this is a false
positive picked up by HP Fortify looking for JSP bugs.


> HP Fortify SCA - Dynamic Code Evaluation: Unsafe Deserialization issue in cordova-plugin-file/src/android/AssetFilesystem.java
> ------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CB-13186
>                 URL: https://issues.apache.org/jira/browse/CB-13186
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-plugin-file
>    Affects Versions: 5.1.1
>         Environment: Android 4 (Crosswalk)
>            Reporter: GSS FED
>            Assignee: Joe Bowser
>
> Dynamic Code Evaluation: Unsafe Deserialization
> [https://vulncat.hpefod.com/en/detail?id=desc.structural.java.dynamic_code_evaluation_unsafe_deserialization]
> Abstract:
> 在執行階段,還原序列化使用者控制的物件串流可能會讓攻擊者在伺服器上執行任意程式碼、濫用應用程式邏輯和/或造成阻斷服務。
> Line: 56
> Snippet:
> {code:java}
> try { ois = new ObjectInputStream(assetManager.open(&quot;cdvasset.manifest&quot;));
listCache = (Map&lt;String, String[]&gt;) ois.readObject(); lengthCache = (Map&lt;String,
Long&gt;) ois.readObject(); listCacheFromFile = true;
> {code}
> TargetFunction: FunctionCall: readObject()
> Line: 57
> Snippet:
> {code:java}
> ois = new ObjectInputStream(assetManager.open(&quot;cdvasset.manifest&quot;));
listCache = (Map&lt;String, String[]&gt;) ois.readObject(); lengthCache = (Map&lt;String,
Long&gt;) ois.readObject(); listCacheFromFile = true; } catch (ClassNotFoundException
e) {
> {code}
> TargetFunction: FunctionCall: readObject()



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message