Skip to content

Potential vulnerability detected into a security audit. #740

Open
@Hanzofm

Description

@Hanzofm

Bug Report

Problem

Recently we have submitted our Ionic App for a security audit and this is report about Cordova-

Android:
-Vulnerability: Code Correctness: Double-Checked Locking
-Description: The method relies on double-checked locking, an incorrect idiom that does not achieve the intended effect.
-Fortify Priority: High.
-Fortify Priority: Explotable.

-Sink:

File Path : File Path : project/node_modules/cordova-android/framework/src/org/apache/cordova/NativeToJsMessageQueue.java Line Number : 93
if (newMode != null) {
                        newMode.reset();
                        if (!paused && !queue.isEmpty()) {
                            newMode.onNativeToJsMessageAvailable(this);
                        }

Recommendation:
Avoid double null-checking adding into code complexity and maintenance burden. Synchronize and then null check

Environment
Ionic info:

Ionic:

   ionic (Ionic CLI)  : 4.8.0
   Ionic Framework    : ionic-angular 3.9.2
   @ionic/app-scripts : 3.2.1

Cordova:

   cordova (Cordova CLI) : 8.0.0
   Cordova Platforms     : android 7.1.4, ios 4.5.5
   Cordova Plugins       : no whitelisted plugins (14 plugins total)

System:

   Android SDK Tools : 26.1.1 (/Users/user/Library/Android/sdk)
   ios-deploy        : 1.9.2
   ios-sim           : 7.0.0
   NodeJS            : v9.9.0 (/usr/local/bin/node)
   npm               : 5.7.1
   OS                : macOS Mojave
   Xcode             : Xcode 10.2 Build version 10E125

The version of Cordova-android is 7.1.4 but into 8.0.0 version the problem persist

It should be fixed?

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions