Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recursion in Util.java. I suspect that this will lead to issues passing a Google Tier2 CASA #1785

Open
cjohn001 opened this issue Sep 12, 2023 · 0 comments
Open

Recursion in Util.java. I suspect that this will lead to issues passing a Google Tier2 CASA #1785

cjohn001 opened this issue Sep 12, 2023 · 0 comments

Comments

@cjohn001
Copy link

cjohn001 commented Sep 12, 2023
edited
Loading

Environment
Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

✔ Getting NativeScript components versions information...
✔ Component nativescript has 8.5.3 version and is up to date.
✔ Component @nativescript/core has 8.5.9 version and is up to date.
✔ Component @nativescript/ios has 8.5.2 version and is up to date.
✔ Component @nativescript/android has 8.5.2 version and is up to date.

Describe the bug
Hello together, I am currently preparing for a Tier2 CASA from Google. As I do have to provide Source Code scans using FluidAttacks and it detected a vulnerability in this context of printStackTrace I found the following issue.

android/test-app/app/src/main/java/com/tns/Util.java

Line 28 in 5738833

public static boolean isDebuggableApp(Context context) { 

public static boolean isDebuggableApp(Context context) {
        int flags;
        try {
            flags = context.getPackageManager().getPackageInfo(context.getPackageName(), 0).applicationInfo.flags;
        } catch (NameNotFoundException e) {
            flags = 0;
            if (Util.isDebuggableApp(context)) {
                e.printStackTrace();
            }
        }

        boolean isDebuggableApp = ((flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0);
        return isDebuggableApp;
    }

It is clear that printStackTrace() is only called in debug mode. However, I consider telling the guys at Google that this is save code as no good idea as it results in a recursion in the catch block. I would suspect that the e.printStackTrace(); in the catch block is actually never called, hence would it not make sense to completly remove it? I have also seen that the runtime provides
a check for isDebuggableApp. Maybe a save alternative would be to just call com.tns.Runtime.isDebuggable() ?

android/test-app/runtime/src/main/java/com/tns/Runtime.java

Line 248 in 5738833

public static boolean isDebuggable() {

I do not know the inner workings good enough to know if the runtime always exists at that point. Please consider it as just an idea.

Expected behavior
Catch should not run into a rekursion

Additional context

https://gitlab.com/fluidattacks/universe/-/issues/10406

Currently I am seeing lots of issues in FluidAttacks indirectly referencing this code. Below output is just an example. To my understanding this is a false positive as printStackTrace is not called for production builds. However, also in production builds the recursion would exist to my understanding.

234. Technical information leak - Stacktrace,CWE-209,The error stacktrace can be printed in OWASP/app/src/debug/java/com/tns/ErrorReport.java,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R,https://docs.fluidattacks.com/criteria/vulnerabilities/234,skims,SAST,92,"
   82 |         final int version = Build.VERSION.SDK_INT;
   83 |         if (version >= 23) {
   84 |             try {
   85 |                 // Necessary to work around compile errors with compileSdk 22 and lower
   86 |                 Method checkSelfPermissionMethod;
   87 |                 try {
   88 |                     checkSelfPermissionMethod = ActivityCompat.class.getMethod(""checkSelfPermission"", Context.class, Stri
   89 |                 } catch (NoSuchMethodException e) {
   90 |                     // method wasn't found, so there is no need to handle permissions explicitly
   91 |                     if (Util.isDebuggableApp(activity)) {
>  92 |                         e.printStackTrace();
   93 |                     }
   94 |                     return;
   95 |                 }
   96 |
   97 |                 int permission = (int) checkSelfPermissionMethod.invoke(null, activity, Manifest.permission.WRITE_EXTERNA
   98 |
   99 |                 if (permission != PackageManager.PERMISSION_GRANTED) {
  100 |                     // We don't have permission so prompt the user
  101 |                     Method requestPermissionsMethod = ActivityCompat.class.getMethod(""requestPermissions"", Activity.class
  102 |
      ^ Col 0
",java.java_info_leak_stacktrace
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cjohn001