react-native-code-push
Veracode vulnerability multiple issues in TLSSocketFactory.java, SettingsManager.java and FileUtils.java
Thanks so much for filing an issue or feature request! Please fill out the following (wherever relevant):
Steps to Reproduce
- Build a release APK
- Scan with veracode
Expected Behavior
The below veracode vulnerabilities should not be found in veracode scan.
Actual Behavior
1. TLSSocketFactory.java
Line no: 18
Description: Explicitly weaker protocol is used as channel encryption protocol. This downgrade to a weaker protocol could make it easier for attackers to compromise the system.
Remediation: Based on the implementation used, make sure the channel communication is over at least the TLS protocol, TLS 1.2 being the most secure option.
Line no: 41
Description: In this call to javax.net.ssl.SSLSocketFactory.createSocket(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.
Remediation: Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met.
Line no: 46
Description: In this call to javax.net.ssl.SSLSocketFactory.createSocket(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.
Remediation: Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met.
Line no: 52
Description: In this call to javax.net.ssl.SSLSocketFactory.createSocket(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.
Remediation: Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met.
Line no: 57
Description: In this call to javax.net.ssl.SSLSocketFactory.createSocket(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.
Remediation: Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met.
Line no: 63
Description: In this call to javax.net.ssl.SSLSocketFactory.createSocket(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.
Remediation: Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met.
Line no: 68
Description: Explicitly weaker protocol is used as channel encryption protocol. This downgrade to a weaker protocol could make it easier for attackers to compromise the system.
Remediation: Based on the implementation used, make sure the channel communication is over at least the TLS protocol, TLS 1.2 being the most secure option.
2. SettingsManager.java
Line no: 115
Description: The commit() method stores sensitive information in unencrypted form, making the data more susceptible to compromise. Generally an attacker needs local access to the system in order to exploit this type of flaw, but if the application is running on a mobile device, files and other resources might be synchronized off the device to locations where they may be compromised through other means.
Remediation: Store all sensitive information in encrypted form.
3. FileUtils.java
Line no: 42
Description: The java.io.OutputStream.write() method stores sensitive information in unencrypted form, making the data more susceptible to compromise. Generally an attacker needs local access to the system in order to exploit this type of flaw, but if the application is running on a mobile device, files and other resources might be synchronized off the device to locations where they may be compromised through other means.
Remediation: Store all sensitive information in encrypted form.
Line no: 129
Description: This call to java.io.File.!operator_javanewinit() contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The second argument to !operator_javanewinit() contains tainted data from the variable p0. The tainted data originated from earlier calls to java.net.HttpURLConnection.getInputStream, and java.util.zip.ZipEntry.getName.
Remediation: Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
Line no: 158
Description: This call to java.io.File.!operator_javanewinit() contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to !operator_javanewinit() contains tainted data from the variable validateFileName(). The tainted data originated from earlier calls to java.net.HttpURLConnection.getInputStream, and java.util.zip.ZipEntry.getName.
Remediation: Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
Line no: 198
Description: The java.io.PrintWriter.print() method stores sensitive information in unencrypted form, making the data more susceptible to compromise. Generally an attacker needs local access to the system in order to exploit this type of flaw, but if the application is running on a mobile device, files and other resources might be synchronized off the device to locations where they may be compromised through other means.
Remediation: Store all sensitive information in encrypted form.
Environment
- react-native-code-push version: 7.0.4
- react-native version: 0.68.0
- Android version: Target 31
- Does this reproduce on a debug build or release build? No
- Does this reproduce on a simulator, or only on a physical device? No
(The more info the faster we will be able to address it!)
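The first group of findings above (weak protocol at lines 18 and 68, unverified host certificate at the createSocket() call sites) describes the shape a remediated socket factory should have. The following is an added illustration, not code from react-native-code-push or its TLSSocketFactory: a hypothetical `StrictTlsSocketFactory` that wraps the platform JSSE factory, pins the negotiable protocols to TLS 1.2/1.3 on every socket it returns, and enables JSSE endpoint identification ("HTTPS") so the handshake itself rejects a certificate that does not match the requested host. Class and method names are this example's own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical hardened socket factory (added example, not the plugin's own
 * TLSSocketFactory). It delegates to the platform JSSE factory and, on every
 * socket it hands out, (1) restricts the negotiable protocols to TLS 1.2/1.3 and
 * (2) turns on endpoint identification so the peer certificate is checked
 * against the requested host name as part of the handshake.
 */
public final class StrictTlsSocketFactory extends SSLSocketFactory {
    private static final String[] ALLOWED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    private final SSLSocketFactory delegate;

    public StrictTlsSocketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // null trust managers: platform trust store, no custom trust
        this.delegate = ctx.getSocketFactory();
    }

    /** Apply the protocol floor and hostname verification before any handshake happens. */
    private static Socket harden(Socket socket) {
        if (!(socket instanceof SSLSocket)) {
            return socket; // defensive: an SSLSocketFactory should only ever return SSLSockets
        }
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setProtocols(intersect(ssl.getSupportedProtocols(), ALLOWED_PROTOCOLS));
        // "HTTPS" makes the X509ExtendedTrustManager compare the certificate's
        // SAN/CN with the host the socket was created for; without it the
        // handshake only validates the chain, not that it belongs to this site.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    /** Keep only the allowed protocols the platform actually supports, in allowed order. */
    private static String[] intersect(String[] supported, String[] allowed) {
        List<String> out = new ArrayList<>();
        List<String> have = Arrays.asList(supported);
        for (String a : allowed) {
            if (have.contains(a)) out.add(a);
        }
        if (out.isEmpty()) throw new IllegalStateException("platform offers no TLS 1.2 or newer");
        return out.toArray(new String[0]);
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // Unconnected socket, the overload HttpsURLConnection uses; it connects the
    // socket later, and the host name given to connect() is the one checked.
    @Override public Socket createSocket() throws IOException {
        return harden(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort));
    }

    public static void main(String[] args) throws Exception {
        SSLSocket s = (SSLSocket) new StrictTlsSocketFactory().createSocket();
        System.out.println("enabled protocols: " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("endpoint identification: " + s.getSSLParameters().getEndpointIdentificationAlgorithm());
        s.close();
    }
}
```

Installing the factory with `HttpsURLConnection.setSSLSocketFactory(new StrictTlsSocketFactory())` keeps the connection's default HostnameVerifier in place as well, so hostname checking happens at two layers; the protocol intersection means TLSv1.3 is used where the platform supports it and the factory fails loudly, rather than silently downgrading, on a platform that cannot offer TLS 1.2.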
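The FileUtils findings at lines 129 and 158 concern a `new File(...)` whose name is derived from `ZipEntry.getName()` on an archive fetched over HTTP. As an added example, not the plugin's FileUtils, the hypothetical `SafeZipPaths` class below shows the containment check a reviewer would expect before any write: canonicalize the resolved target and require it to sit under the canonical destination directory, then drive extraction through that check. The class, method names and the in-memory archives in `main` are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Hypothetical containment check for zip extraction (added example, not the
 * plugin's FileUtils). Every name from ZipEntry.getName() is untrusted: the
 * target path is canonicalized and must remain inside the canonical destination
 * directory before anything is created or written.
 */
public final class SafeZipPaths {

    /** Returns the canonical file for entryName under destDir, or throws if it would escape. */
    public static File resolveEntry(File destDir, String entryName) throws IOException {
        if (entryName == null || entryName.isEmpty()) {
            throw new IOException("empty zip entry name");
        }
        File root = destDir.getCanonicalFile();
        // Canonicalization collapses "..", "." and symlinks. Comparing against
        // root + separator rejects "../x" and also the sibling-prefix case
        // ("/tmp/out" versus "/tmp/outside"), which a bare startsWith would pass.
        File target = new File(root, entryName).getCanonicalFile();
        String rootPrefix = root.getPath() + File.separator;
        if (!target.getPath().startsWith(rootPrefix)) {
            throw new IOException("zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Extracts a zip stream into destDir; each entry is checked before its own write. */
    public static int extract(InputStream zipStream, File destDir) throws IOException {
        int written = 0;
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = resolveEntry(destDir, entry.getName());
                if (entry.isDirectory()) {
                    if (!target.isDirectory() && !target.mkdirs()) {
                        throw new IOException("cannot create directory: " + target);
                    }
                    continue;
                }
                File parent = target.getParentFile();
                if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
                    throw new IOException("cannot create directory: " + parent);
                }
                try (OutputStream out = new FileOutputStream(target)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = zis.read(buf)) != -1) {
                        out.write(buf, 0, n);
                    }
                }
                written++;
            }
        }
        return written;
    }

    /** Builds a small in-memory archive (constructed test data) with the given entry names. */
    static byte[] archiveWith(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("contents of " + name).getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("codepush-demo").toFile();

        // Constructed benign archive: ordinary bundle layout, fully contained.
        byte[] benign = archiveWith("bundle/index.android.bundle", "bundle/assets/logo.png");
        int count = extract(new ByteArrayInputStream(benign), dest);
        System.out.println("benign archive: " + count + " files written under " + dest);

        // Constructed hostile archive: the second entry tries to climb out of dest.
        byte[] hostile = archiveWith("bundle/ok.txt", "../../escaped.txt");
        try {
            extract(new ByteArrayInputStream(hostile), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs per entry before that entry is written, an archive that mixes good and bad entries is stopped at the first bad one; if a deployment must be all-or-nothing, extract into a fresh temporary directory and move it into place only after `extract` returns normally.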
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
This issue will now be closed because it hasn't had any activity for 15 days after stale. Please feel free to open a new issue if you still have a question/issue or suggestion.