search

googleapis / google-api-java-client-services

Generated Java code for Google APIs
Apache License 2.0
617 stars 351 forks source link

Security Vulnerability Issue #6792

Open MaxAndolini opened 3 years ago

MaxAndolini commented 3 years ago 
    <issue
        id="TrustAllX509TrustManager"
        severity="Warning"
        message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers"
        category="Security"
        priority="6"
        summary="Insecure TLS/SSL trust manager"
        explanation="This check looks for X509TrustManager implementations whose `checkServerTrusted` or `checkClientTrusted` methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.">
        <location
            file="Project\com\google\api\client\util\SslUtils$1.class"/>
    </issue>

I am using androidpublisher and oauth2. Because of them, I think my app removed from playstore. I gave all the necessary info below the link. What can I do?

https://stackoverflow.com/questions/65491217/how-can-i-find-and-fix-my-android-apps-security-vulnerability?noredirect=1#comment115787447_65491217

chingor13 commented 3 years ago

How are you instantiating your http transport implementation for the API client?

We suggest that you use either GoogleNetHttpTransport.newTrustedTransport() or GoogleApacheHttpTransport.newTrustedTransport(). These 2 helpers create HttpTransport instances that use include trusted keys for Google APIs.

Example:

HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
GoogleCredentials googleCredentials = GoogleCredentials.create(access_token); // replace with your auth method
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(googleCredentials);

Storage storage = new Storage.Builder(httpTransport, jsonFactory, requestInitializer)
        .setApplicationName("MyProject-1234")
        .build();
MaxAndolini commented 3 years ago

How are you instantiating your http transport implementation for the API client?

We suggest that you use either GoogleNetHttpTransport.newTrustedTransport() or GoogleApacheHttpTransport.newTrustedTransport(). These 2 helpers create HttpTransport instances that use include trusted keys for Google APIs.

Example:

HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
GoogleCredentials googleCredentials = GoogleCredentials.create(access_token); // replace with your auth method
HttpRequestInitializer requestInitializer = new HttpCredentialsAdapter(googleCredentials);

Storage storage = new Storage.Builder(httpTransport, jsonFactory, requestInitializer)
        .setApplicationName("MyProject-1234")
        .build();

Thank you for your response. I am using it like this;

    OkHttpService service = new OkHttpService(); // Firstly, I am getting credentials.json with okhttp3. Because of its here.
    SubscriptionPurchase purchase = new AndroidPublisher.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance(), 
            new HttpCredentialsAdapter(GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null)).
            createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER))).setApplicationName(String.valueOf(R.string.app_name)).
            build().purchases().subscriptions().
            get(BuildConfig.APPLICATION_ID, subscriptionID, token).execute();

Changed it to this as you said;

            OkHttpService service = new OkHttpService();
            SubscriptionPurchase purchase = new AndroidPublisher.Builder(GoogleNetHttpTransport.newTrustedTransport(), JacksonFactory.getDefaultInstance(),
                    new HttpCredentialsAdapter(GoogleCredentials.fromStream(service.sendRequestInput(config.CREPATH + "credentials.json", null)).
                            createScoped(AndroidPublisherScopes.ANDROIDPUBLISHER))).setApplicationName(String.valueOf(R.string.app_name)).
                    build().purchases().subscriptions().
                    get(BuildConfig.APPLICATION_ID, subscriptionID, token).execute();

Still the same.

burkedavison commented 2 weeks ago

Changing to feature request for improved documentation.