matomo-org / matomo-sdk-android

SDK for Android to measure your apps with Matomo. Works on Android phones, tablets, Fire TV sticks, and more!
BSD 3-Clause "New" or "Revised" License

CRLF Injection - Improper Output Neutralization for Logs #222

Closed ishwarverma39 closed 6 years ago

ishwarverma39 commented 6 years ago

Hi team, we are using Piwik for our Android applications. We are getting these security vulnerabilities when doing security scanning.

Source file names are: DefaultPacketSender.java (org/piwik/sdk/dispatcher/) and Tracker.java (org/piwik/sdk/).

Method name is void zzk(android.content.Intent)

Please advise how to resolve this issue.

d4rken commented 6 years ago

There is no method with that signature in either class.

Imho, CRLF Injection is not really a concern here. This library doesn't log by default. If this is a security issue for your project and you require logging, then you can write a custom Tree for the logging library Timber used here that escapes CRLF sequences.
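The custom Timber Tree suggested above, written out as an added example (this is not code from the Matomo/Piwik SDK or from either commenter). It assumes Timber's public `Timber.DebugTree` class and its `log(int, String, String, Throwable)` hook, which is where every formatted line passes before reaching logcat; the class name `CrlfSafeTree` and the helper `neutralize` are hypothetical. Because the SDK routes its own logging through whatever Tree the app plants, planting this Tree neutralizes CR/LF in SDK log lines as well as in the app's own.

```java
import timber.log.Timber;

/**
 * Hypothetical Timber Tree that neutralizes line-break and other C0 control
 * characters so that untrusted input (URLs, custom dimensions, user IDs)
 * cannot forge extra log lines. Added example, not part of the SDK.
 */
public final class CrlfSafeTree extends Timber.DebugTree {

    /**
     * Replace CR, LF, TAB and any remaining control character with a visible
     * escape sequence. Returns null for null input so tags stay optional.
     */
    static String neutralize(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 8);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7F) {
                        // Other control characters (e.g. ESC used for terminal tricks)
                        out.append(String.format("\\x%02X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Timber has already merged the format string, arguments and any stack
     * trace into {@code message} by the time this is called, so escaping
     * here covers attacker-controlled arguments and the tag alike.
     */
    @Override
    protected void log(int priority, String tag, String message, Throwable t) {
        super.log(priority, neutralize(tag), neutralize(message), t);
    }

    /** Plant this Tree once, e.g. from Application.onCreate(). */
    public static void install() {
        Timber.plant(new CrlfSafeTree());
    }
}
```

Calling `CrlfSafeTree.install()` instead of `Timber.plant(new Timber.DebugTree())` is the only change the app needs; a message such as `"user=" + id` where `id` contains `"\r\nINFO admin login ok"` is then emitted as a single line containing the literal text `\r\nINFO admin login ok`. One consequence to be aware of: because Timber appends stack traces to the message before `log()` runs, exceptions are also flattened onto one line with `\n` escapes, which keeps the log unforgeable but makes traces less pleasant to read; if multi-line traces are preferred, split the trace off the message before neutralizing and append it afterwards.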