joltup / rn-fetch-blob

A project committed to making file access and data transfer easier, efficient for React Native developers.
MIT License

Vulnerability find RNFetchBlob library in my app #708

Open SyedFaraz530 opened 3 years ago

SyedFaraz530 commented 3 years ago

Hi! There is one vulnerability found in RNFetchBlob through reverse engineering of the Android APK during penetration testing, and it is rated as a high vulnerability, so we must resolve this. Can anyone resolve it or suggest a better way to pass this high vulnerability?


alpha0010 commented 3 years ago

Easiest way probably is use patch-package, edit the line https://github.com/joltup/rn-fetch-blob/blob/v0.12.0/android/src/main/java/com/RNFetchBlob/RNFetchBlobUtils.java#L26 to

MessageDigest md = MessageDigest.getInstance("SHA-256");

SyedFaraz530 commented 3 years ago

@alpha0010 Is this a valid way to resolve this vulnerability, replacing MD5 with SHA-256?

alpha0010 commented 3 years ago

RNFetchBlobUtils.getMD5() is used for generating temporary file names when using fileCache: true. So, previously cached files will no longer be used. The function name no longer makes sense (but it is only used internally). Other than that, everything should function the same.
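To make the effect of the suggested one-line change concrete, here is an added example (not the library's code) that derives a cache file name from a URL with both algorithms and shows why files cached under the old MD5 name are not reused after switching to SHA-256. The class and method names (`CacheKeyExample`, `getCacheKey`, `digestHex`) and the sample URL are assumptions for illustration; only the `MessageDigest.getInstance("SHA-256")` call comes from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not rn-fetch-blob's own code. It mimics what RNFetchBlobUtils.getMD5()
// is used for (turning a URL into a temporary cache file name when fileCache: true)
// and compares the MD5-based name with the SHA-256-based name the patched line produces.
public class CacheKeyExample {

    // Hex-encode the digest of `input` computed with the named algorithm.
    static String digestHex(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 and MD5 are part of every Java SE and Android runtime,
            // so this branch is unreachable in practice; fail loudly rather than fall back.
            throw new IllegalStateException(algorithm + " is not available", e);
        }
    }

    // Cache key after the patch: SHA-256 of the URL (hypothetical name, replaces getMD5()).
    static String getCacheKey(String url) {
        return digestHex("SHA-256", url);
    }

    public static void main(String[] args) {
        String url = "https://example.invalid/report.pdf"; // constructed sample input

        String before = digestHex("MD5", url); // name an unpatched v0.12.0 would derive
        String after = getCacheKey(url);       // name the patched line derives

        System.out.println("MD5     : " + before + " (" + before.length() + " hex chars)");
        System.out.println("SHA-256 : " + after + " (" + after.length() + " hex chars)");

        // The two keys differ for every input, so a file cached under the MD5 name
        // is simply not found after the patch and is downloaded again once.
        System.out.println("same cache key? " + before.equals(after));
    }
}
```

Two practical consequences follow from the output: the cache file name grows from 32 to 64 hex characters (still well within Android file-name limits), and every previously cached file becomes a one-time cache miss rather than an error, which matches the "everything should function the same" expectation above. When applying this via patch-package, keep the patch file under version control so the change survives a reinstall of node_modules.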