github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Java] CWE-755: Query to detect Local Android DoS caused by NFE #199

Closed luchua-bc closed 3 years ago

luchua-bc commented 3 years ago

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

A NumberFormatException (NFE) thrown but not caught by an Android application will crash the application. For applications allowing external inputs, an attacker can send an invalid number as an intent extra to trigger an NFE, which introduces a local Denial of Service (DoS) attack.

This is a very common problem in Android development since Android components don't have throw Exception(...) in their class and method definitions, thus developers tend to follow the same pattern and leave this exception unprocessed.

To address this issue, either use the Android methods intended to get number extras, e.g. Intent.getFloatExtra(String name, float defaultValue), since they have the built-in try/catch processing, or explicitly do try/catch in the application.

Relevant PR: #4610

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

By sending an invalid number like "a" for the input parameter "YYYY" to the application, the application will crash. A screenshot is as follows:

By sending an invalid input like "abc" for the input parameter of "priceMin" to the application, the application will crash and a screenshot is as follows:
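The pattern the report describes, written out as an added example (this is not code from the issue, the CodeQL PR, or either of the projects mentioned): the crashing parse of a string extra, next to the two fixes the report recommends. The activity name, the extra names EXTRA_YEAR ("YYYY") and EXTRA_PRICE_MIN ("priceMin") and the helper parseDoubleOrDefault are assumptions made for illustration.

```java
// Added example, not from the original issue. Activity and extra names are hypothetical.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

public class PriceFilterActivity extends Activity {
    // Extra names modelled on the "YYYY" / "priceMin" parameters in the report (assumed).
    static final String EXTRA_YEAR = "YYYY";
    static final String EXTRA_PRICE_MIN = "priceMin";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // VULNERABLE (CWE-755): if this activity is reachable from other apps, a sender
        // that puts "a" in EXTRA_YEAR makes parseInt throw NumberFormatException. Nothing
        // catches it, so the whole process is killed. Note that a missing extra crashes
        // too: getStringExtra returns null and parseInt(null) also throws NFE.
        //
        //   int year = Integer.parseInt(intent.getStringExtra(EXTRA_YEAR));

        // Fix 1: use the typed getter with a default. Bundle.getInt returns defaultValue
        // when the extra is absent or is not an int (the built-in catch the report refers
        // to), so no exception reaches this code. Callers that still send the value as a
        // String will silently get the default, so the default must be a safe value.
        int year = intent.getIntExtra(EXTRA_YEAR, 0);

        // Fix 2: when the caller can only send a String, parse it defensively and fall back.
        double priceMin = parseDoubleOrDefault(intent.getStringExtra(EXTRA_PRICE_MIN), 0.0);

        applyFilter(year, priceMin);
    }

    // Helper assumed for this example: never throws on bad input, returns fallback instead.
    static double parseDoubleOrDefault(String raw, double fallback) {
        if (raw == null) {
            return fallback;
        }
        try {
            double value = Double.parseDouble(raw.trim());
            // parseDouble accepts "NaN" and "Infinity"; reject them as well.
            if (Double.isNaN(value) || Double.isInfinite(value)) {
                return fallback;
            }
            return value;
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    private void applyFilter(int year, double priceMin) {
        // Application logic goes here; both values are now guaranteed to be numbers.
    }
}
```

When triaging a report like this, the relevant question is whether the component is exported (android:exported="true" or an intent-filter in the manifest), because only then can another app on the device supply the extra. The crash itself shows up in logcat as a FATAL EXCEPTION with a java.lang.NumberFormatException stack trace pointing at the parse call, which is the quickest way to confirm a finding from the query.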

intrigus-lgtm commented 3 years ago

The linked project does not exist.

www.github.com/demetere/project for showing cars

luchua-bc commented 3 years ago

I did test the link before I submitted this issue. It seems that the repository for the linked project was deleted by the owner or converted to a private repository.

I will run the query to find another project then add the link.

luchua-bc commented 3 years ago

@intrigus-lgtm I've added another project taitocode/form-android.

ghsecuritylab commented 3 years ago

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

ghsecuritylab commented 3 years ago

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

ghsecuritylab commented 3 years ago

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

ghsecuritylab commented 3 years ago

Your submission is now in status Pay.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

xcorail commented 3 years ago

Created Hackerone report 1061211 for bounty 266597 : [199] [Java] CWE-755: Query to detect Local Android DoS caused by NFE

ghsecuritylab commented 3 years ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

luchua-bc commented 3 years ago

Thanks @xcorail for the quick turn-around and the bounty.