Skip to content
This repository has been archived by the owner on May 6, 2024. It is now read-only.

fix: vulnerable to cross-app script injection via crafted intent #1833

Merged
merged 2 commits into from
Oct 23, 2023
Merged

fix: vulnerable to cross-app script injection via crafted intent #1833

merged 2 commits into from
Oct 23, 2023

Conversation

farhan-arshad-dev
Copy link
Contributor

@farhan-arshad-dev farhan-arshad-dev commented Oct 6, 2023
edited
Loading

Description

LEARNER-9557

  • Mitigated the vulnerability by disabling the ability to open custom-defined inner URIs through external sources. This was achieved by setting android:exported="false".
  • Setting android:exported="false" for the android component doesn't need to call outside from the app.

Testing

  • App should open a custom-defined URI or URL via browser OR crafted intent through other apps.

@farhan-arshad-dev farhan-arshad-dev self-assigned this Oct 6, 2023
@farhan-arshad-dev farhan-arshad-dev marked this pull request as draft October 6, 2023 18:25
@codecov
Copy link

codecov bot commented Oct 6, 2023
edited
Loading

Codecov Report

All modified lines are covered by tests ✅

Comparison is base (bcf1d6d) 1.08% compared to head (086b84e) 1.07%.
Report is 5 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##             master   #1833      +/-   ##
===========================================
- Coverage      1.08%   1.07%   -0.01%     
  Complexity      137     137              
===========================================
  Files           538     538              
  Lines         26293   26300       +7     
  Branches       3381    3384       +3     
===========================================
  Hits            284     284              
- Misses        25982   25989       +7     
  Partials         27      27

see 4 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@farhan-arshad-dev
fix: vulnerable to cross-app script injection via crafted intent
c3da710 
- Mitigated the vulnerability by disabling the ability to open custom-defined inner URIs through external sources. This was achieved by setting `android:exported="false"`.
- Setting `android:exported="false"` for the android component doesn't need to call out side from the app.

fixes: LEARNER-9557
@farhan-arshad-dev farhan-arshad-dev marked this pull request as ready for review October 10, 2023 11:59
HamzaIsrar12
HamzaIsrar12 suggested changes Oct 18, 2023
View reviewed changes
Copy link
Contributor

@HamzaIsrar12 HamzaIsrar12 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can also change NotificationService's exported value to false. Notifications are working fine using Braze.

Everything else looks good to me other than MediaStatusReciever and EndEmmaBroadcast because I'm unable to test them.

@farhan-arshad-dev
fix: address PR comments
086b84e 
fixes: LEARNER-9557
@farhan-arshad-dev farhan-arshad-dev merged commit c4e2dba into master Oct 23, 2023
3 of 5 checks passed
@farhan-arshad-dev farhan-arshad-dev deleted the farhan_ar/LEARNER-9557 branch October 23, 2023 06:14
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@HamzaIsrar12 HamzaIsrar12 HamzaIsrar12 approved these changes

@omerhabib26 omerhabib26 Awaiting requested review from omerhabib26

Assignees

@farhan-arshad-dev farhan-arshad-dev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@farhan-arshad-dev @HamzaIsrar12