ionic-team / capacitor

Build cross-platform Native Progressive Web Apps for iOS, Android, and the Web ⚡️
https://capacitorjs.com
MIT License

Veracode Security Flaws #4385

Closed mastergogo closed 3 years ago

mastergogo commented 3 years ago

Hi Team,

After creating and submitting the app in Veracode, Veracode found the flaws below in these files:

(1) CRLF Injection:

Description: The acronym CRLF stands for "Carriage Return, Line Feed" and refers to the sequence of characters used to denote the end of a line of text. CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not properly validated before being used. For example, if an attacker is able to inject a CRLF into a log file, he could append falsified log entries, thereby misleading administrators or covering traces of the attack. If an attacker is able to inject CRLFs into an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning. CRLF vulnerabilities primarily affect data integrity.

**Improper Output Neutralization for Logs (CWE ID 117)(1 flaw)**

Description: A function call could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility.

com/.../getcapacitor/Logger.java 56

(2) Cryptographic Issues

Applications commonly use cryptography to implement authentication mechanisms and to ensure the confidentiality and integrity of sensitive data, both in transit and at rest. The proper and accurate implementation of cryptography is extremely critical to its efficacy.

**Insufficient Entropy (CWE ID 331)(4 flaws)**

com/.../aes256/AES256.java 191
shaded/.../codec/digest/B64.java 75
shaded/.../digest/UnixCrypt.java 202
shaded/.../digest/UnixCrypt.java 202

(3) Deployment Configuration

A deployment descriptor is a component in J2EE applications that describes how a web application should be deployed. It directs a deployment tool to deploy a module or application with specific container options and describes specific configuration requirements that a deployer must resolve.

**Improper Export of Android Application Components (CWE ID 926)(2 flaws)**

/CapacitorFirebaseMessagingService.java 1
./DeviceCredentialHandlerActivity.java 1

(4) Code Quality

**Use of Wrong Operator in String Comparison (CWE ID 597)(1 flaw)**

Description: Using '==' to compare two strings for equality or '!=' for inequality actually compares the object references rather than their values. It is unlikely that this reflects the intended application logic.

com/.../getcapacitor/JSExport.java 124

(5) Information Leakage

**Generation of Error Message Containing Sensitive Information (CWE ID 209)(1 flaw)**

com/.../MessageHandler.java 91

**Insertion of Sensitive Information Into Sent Data (CWE ID 201)(7 flaws)**

com/.../getcapacitor/Bridge.java 739
com/.../FileUtils.java 188
com/.../camera/ImageUtils.java 152
com/.../MessageHandler.java 91
./WebViewLocalServer.java 305
/WebViewLocalServer.java 305
WebViewLocalServer.java 309

Thanks!
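Finding (3) above concerns components that other apps on the device can start. The block below is an added example, not Capacitor code and not anything from the Veracode report: a small checker that parses an AndroidManifest.xml and lists exported activities, services, receivers and providers that declare no `android:permission`, which is the condition CWE-926 describes. The manifest string, the package name and every component name in it are constructed placeholders; the class names from the report are deliberately not used.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not Capacitor code): a manifest check for CWE-926, listing components
// reachable from other apps that declare no android:permission.
public class ExportedComponentCheck {

    private static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed manifest; all component names are placeholders chosen for illustration.
    static final String MANIFEST =
        "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.app\">\n"
      + "  <application>\n"
      + "    <activity android:name=\".MainActivity\" android:exported=\"true\">\n"
      + "      <intent-filter>\n"
      + "        <action android:name=\"android.intent.action.MAIN\"/>\n"
      + "        <category android:name=\"android.intent.category.LAUNCHER\"/>\n"
      + "      </intent-filter>\n"
      + "    </activity>\n"
      // No android:exported attribute, but an intent-filter: implicitly exported on older platforms.
      + "    <service android:name=\".PushService\">\n"
      + "      <intent-filter><action android:name=\"com.example.PUSH\"/></intent-filter>\n"
      + "    </service>\n"
      + "    <activity android:name=\".CredentialActivity\" android:exported=\"true\"/>\n"
      + "    <activity android:name=\".InternalActivity\" android:exported=\"false\"/>\n"
      + "    <receiver android:name=\".AdminReceiver\" android:exported=\"true\"\n"
      + "              android:permission=\"android.permission.BIND_DEVICE_ADMIN\"/>\n"
      + "  </application>\n"
      + "</manifest>\n";

    public static List<String> findUnprotectedExports(String manifestXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // A manifest never needs a DOCTYPE or external entities; refuse them so the checker
        // itself cannot become an XXE sink when pointed at an untrusted file.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        for (String tag : new String[] {"activity", "service", "receiver", "provider"}) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element component = (Element) nodes.item(i);
                String name = component.getAttributeNS(ANDROID_NS, "name");
                String exported = component.getAttributeNS(ANDROID_NS, "exported"); // "" when absent
                boolean hasFilter = component.getElementsByTagName("intent-filter").getLength() > 0;
                // The explicit attribute wins. When it is absent, a component with an intent-filter
                // is implicitly exported on Android 11 and below; apps targeting Android 12+ must
                // declare it explicitly or the install fails. Providers have their own legacy
                // default (exported before API 17), which is ignored here for brevity.
                boolean isExported = exported.isEmpty() ? hasFilter : Boolean.parseBoolean(exported);
                if (!isExported) continue;
                if (!component.getAttributeNS(ANDROID_NS, "permission").isEmpty()) continue;
                if (isLauncher(component)) continue; // the launcher activity has to be exported
                String how = exported.isEmpty()
                        ? "implicitly exported via intent-filter"
                        : "android:exported=\"true\"";
                findings.add(tag + " " + name + " (" + how + ") declares no android:permission");
            }
        }
        return findings;
    }

    // True when the component carries the LAUNCHER category, i.e. it is the app's entry point.
    private static boolean isLauncher(Element component) {
        NodeList categories = component.getElementsByTagName("category");
        for (int i = 0; i < categories.getLength(); i++) {
            Element category = (Element) categories.item(i);
            if ("android.intent.category.LAUNCHER".equals(category.getAttributeNS(ANDROID_NS, "name"))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : findUnprotectedExports(MANIFEST)) {
            System.out.println(finding);
        }
    }
}
```

Run it against the merged manifest the build produces (in the app module's build/intermediates directory) rather than the one in source control: components contributed by library dependencies only appear in the merged file, and that is where a scanner such as Veracode sees them. An exported component is not a vulnerability by itself; the question to answer for each hit is whether another app starting it with attacker-chosen extras can do anything the app would not allow through its UI.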
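Finding (4) flags a `==` between two strings. The block below is an added example and not Capacitor's JSExport.java; the scheme blocklist and the class and method names are assumptions made for illustration. It shows why the identity comparison passes when tested against a literal in the same class, yet fails against the same characters parsed from a URL at runtime, so a blocklist written this way fails open.

```java
import java.net.URI;

// Added example (not Capacitor's JSExport): why a string comparison with == is flagged
// as CWE-597 and how the defect fails open in a blocklist check.
public class SchemeCheck {

    // A scheme this hypothetical WebView bridge refuses to navigate to (constructed).
    private static final String BLOCKED_SCHEME = "javascript";

    // Vulnerable form: compares object identity. Only a String that is the very same
    // interned object as the literal will ever match.
    static boolean isBlockedUnsafe(String scheme) {
        return scheme == BLOCKED_SCHEME;
    }

    // Correct form: compares contents. Schemes are case-insensitive, and using the constant
    // as the receiver keeps the call null-safe.
    static boolean isBlockedSafe(String scheme) {
        return BLOCKED_SCHEME.equalsIgnoreCase(scheme);
    }

    public static void main(String[] args) throws Exception {
        // Same literal in the same class file: the compiler interns it, so identity comparison
        // succeeds here, and a unit test written with a literal would pass.
        String literal = "javascript";
        System.out.println("literal   unsafe=" + isBlockedUnsafe(literal) + " safe=" + isBlockedSafe(literal));

        // The same characters arriving at runtime, parsed out of a URL, are a fresh String
        // object, so identity comparison no longer holds and the blocklist does not fire.
        String parsed = new URI("javascript:alert(document.cookie)").getScheme();
        System.out.println("parsed    unsafe=" + isBlockedUnsafe(parsed) + " safe=" + isBlockedSafe(parsed));

        // Case variation: == cannot handle it at all, equalsIgnoreCase does.
        String mixed = new URI("JavaScript:alert(1)").getScheme();
        System.out.println("mixedcase unsafe=" + isBlockedUnsafe(mixed) + " safe=" + isBlockedSafe(mixed));
    }
}
```

The direction of the failure depends on the shape of the check: a `==` allowlist rejects legitimate input that was not interned, which is a functional bug, while a `==` blocklist lets hostile input through, which is a security bug. Either way the fix is the same: `equals` or `equalsIgnoreCase`, with the constant on the left.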

jcesarmobile commented 3 years ago

Thanks for the report, but we don't accept reports from automatic code analysers as they usually report false positives. Also, we don't accept multiple issues grouped into one.

Examples: for 1, it's you who shouldn't log user-generated messages. Capacitor, by default, doesn't show any app user data; it's you as the app developer who decides what to log. Also, it can be globally disabled. For 2, Capacitor doesn't use any cryptography libraries, so no idea where that comes from. For 3, it doesn't make sense at all. Also, DeviceCredentialHandlerActivity is not part of Capacitor, and CapacitorFirebaseMessagingService isn't in Capacitor 3 either.

If you are concerned about any of them in particular and think it's a real issue, please report it independently, providing all the information requested in the issue template.
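Finding (1) and the reply above turn on the same mechanism: a CR or LF inside a value that is written verbatim into a log starts a new record, which is the log forging CWE-117 describes, and it is the app code that chooses what gets logged. The following is an added example, not Capacitor's Logger and not code from anyone in this thread; the class name, the record format and the forged username are assumptions chosen for illustration. It shows the unsanitized form beside a neutralizer that escapes line terminators and other control characters so one untrusted value stays inside one record.

```java
// Added example (not Capacitor's Logger): the mechanism behind a CWE-117 finding and a
// neutralizer that keeps one untrusted value inside one log record.
public class LogNeutralizer {

    // Escape every character that can end a line or reshape a terminal or log viewer:
    // CR, LF, TAB, the remaining C0 controls, DEL, NEL (U+0085) and the Unicode
    // LINE SEPARATOR / PARAGRAPH SEPARATOR (U+2028 / U+2029).
    public static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 8);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\t') {
                out.append("\\t");
            } else if (c < 0x20 || c == 0x7f || c == 0x85 || c == 0x2028 || c == 0x2029) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable form: the attacker-controlled value is concatenated into the record as-is,
    // so a raw newline inside it starts a second line that reads as a separate record.
    public static String recordUnsafe(String user, String event) {
        return "INFO user=" + user + " event=" + event;
    }

    // Hardened form: every untrusted field passes through neutralize() first, so a line
    // terminator survives only as the two visible characters '\' and 'n'.
    public static String recordSafe(String user, String event) {
        return "INFO user=" + neutralize(user) + " event=" + neutralize(event);
    }

    public static void main(String[] args) {
        // Constructed input: a "username" that smuggles a fake admin record after a newline.
        String forgedUser = "alice\nINFO user=admin event=login-success";

        System.out.println("--- unsafe ---");
        System.out.println(recordUnsafe(forgedUser, "login-failed"));

        System.out.println("--- safe ---");
        System.out.println(recordSafe(forgedUser, "login-failed"));
    }
}
```

Put the neutralizer inside the logging wrapper rather than at each call site, so that a caller cannot forget it; on Android the same applies to anything passed to android.util.Log, since logcat is a line-oriented text stream too. The escape chosen above is reversible by eye, which is what an analyst reading the log wants; simply deleting the control characters would also satisfy the scanner but hides that an injection attempt was made.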

ionitron-bot[bot] commented 2 years ago

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.