EddyVerbruggen / Custom-URL-scheme

:link: Launch your Cordova/PhoneGap app by a Custom URL scheme like mycoolapp://

The plugin makes apps vulnerable to javascript injection #242

Closed cypressious closed 7 years ago

cypressious commented 7 years ago

In https://github.com/EddyVerbruggen/Custom-URL-scheme/blob/e3bec4f0570fc94b88e927640a76503dbf4bce66/src/android/nl/xservices/plugins/LaunchMyApp.java#L83

webView.loadUrl("javascript:handleOpenURL('" + writer.toString() + "');");

You are concatenating any unvalidated string with javascript code and executing it. This makes any app that uses this plugin vulnerable to injection.

You could trivially create an intent that carries some javascript code that will be executed with the privileges of the app that can read sensitive user data and send it over the network.

EddyVerbruggen commented 7 years ago

Interesting. Are you intending on sharing a fix as well?

cypressious commented 7 years ago

At the very least you have to escape or even better forbid single quotes (') so that an attacker can't do

webView.loadUrl("javascript:handleOpenURL('" + "'); alert('hello" + "');");

However it would be best to whitelist the payload beforehand to make sure it's really just a URL.
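The two points raised in this thread (untrusted text concatenated straight into a `javascript:` URL, and the suggested fix of escaping quotes or, better, validating that the payload is really a URL) side by side, as an added example. This is not the plugin's code: `buildCallUnsafe`, `buildCallHardened`, `toJsStringLiteral` and the `ALLOWED_SCHEMES` allow-list are assumed names, the `mycoolapp` scheme is taken from the repository description, and the inputs in `main` are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added example, not code from the Custom-URL-scheme plugin. Contrasts the
 * concatenation pattern quoted in the issue with a builder that validates the
 * incoming string and escapes it before it is placed inside a javascript: URL.
 */
public class HandleOpenUrlBuilder {

    // Hypothetical allow-list: the scheme(s) this app actually registered for.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("mycoolapp");

    /** The pattern the issue describes: untrusted text dropped straight into JS source. */
    public static String buildCallUnsafe(String payload) {
        return "javascript:handleOpenURL('" + payload + "');";
    }

    /**
     * Escape a string as a single-quoted JavaScript string literal. Every
     * character that could close the literal, escape the next character, or
     * terminate a line is escaped; other control characters become \\uXXXX.
     */
    public static String toJsStringLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 2).append('\'');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\'': sb.append("\\'");   break;
                case '"':  sb.append("\\\"");  break;
                case '\\': sb.append("\\\\");  break;
                case '\n': sb.append("\\n");   break;
                case '\r': sb.append("\\r");   break;
                case '<':  sb.append("\\u003c"); break; // keeps "</script>" out of any later HTML context
                default:
                    // JS treats U+2028/U+2029 as line terminators, so escape them too.
                    if (c < 0x20 || c == '\u2028' || c == '\u2029') {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('\'').toString();
    }

    /**
     * Hardened variant: reject anything that is not a well-formed URI with an
     * expected scheme, then escape what remains. Returns null for rejected input
     * so the caller can simply skip the loadUrl() call.
     */
    public static String buildCallHardened(String payload) {
        URI uri;
        try {
            uri = new URI(payload);
        } catch (URISyntaxException e) {
            return null; // quotes, spaces etc. are not legal in a URI: not a deep link at all
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return null; // unexpected or missing scheme
        }
        return "javascript:handleOpenURL(" + toJsStringLiteral(payload) + ");";
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate deep link and the breakout string from the issue.
        String good = "mycoolapp://open?id=42";
        String hostile = "'); alert('hello";
        System.out.println(buildCallUnsafe(hostile));   // the alert() call has become code
        System.out.println(buildCallHardened(good));    // handler receives the URL as one string literal
        System.out.println(buildCallHardened(hostile)); // null: rejected before it reaches the WebView
    }
}
```

The escaping step alone closes the quote-breakout shown in the comment above; the scheme check is what the thread calls whitelisting, and it also means a malformed intent extra never reaches the WebView at all. On Android, `org.json.JSONObject.quote(String)` gives an equivalent double-quoted literal if you would rather not maintain your own escaper.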

EddyVerbruggen commented 7 years ago

I don't mind adding that. If someone is willing to do a PR I'd be happy to merge and release it.

cypressious commented 7 years ago

Hm, actually it looks like escapeJavaStyleString might already escape single quotes. Is that function new?

EddyVerbruggen commented 7 years ago

blame tells me it's ~3 years old: https://github.com/EddyVerbruggen/Custom-URL-scheme/blame/e3bec4f0570fc94b88e927640a76503dbf4bce66/src/android/nl/xservices/plugins/LaunchMyApp.java#L83

cypressious commented 7 years ago

Ok, then maybe the app I was testing at that time used a really old version of the library. I think this can be closed.