razorpay / react-native-razorpay

React Native wrapper for Razorpay's mobile SDKs
https://www.npmjs.com/package/react-native-razorpay
MIT License

Intent redirection vulnerability for com.razorpay.x2.onReceive #438

Closed shahidtumbi closed 1 year ago

shahidtumbi commented 1 year ago

Description

Please provide a clear and concise description of what the bug is. Include screenshots if needed. Please test using the latest React Native Razorpay plugin release to make sure your issue has not already been fixed.

Razorpay Package Version :

Open Package.json. > Copy react-native-razorpay version here.

Xcode Version (iOS) :

Open Xcode > Go to About Xcode > copy the Xcode version here.

Razorpay-pod version (iOS) :

Go to your project path > Go to folder named ios > open 'podfile.lock' file > search for 'razorpay-pod' > copy the line here

Java and Gradle Version (android) :

Specify your Java and Gradle version.

What you did:

What happened:

Steps To Reproduce

Provide a detailed list of steps that reproduce the issue.

  1. update the package to 2.3.0
  2. run the build.
  3. submit the build to play store. You will receive the mail as attached

Suggested solution:

Code example, screenshot, or link to a repository:

Please provide a link to a repository on GitHub, or provide a minimal code example that reproduces the problem. You may provide a screenshot of the application if you think it is relevant to your bug report. Here are some tips for providing a minimal example: https://stackoverflow.com/help/mcve


rajeshde commented 1 year ago

I have also faced the same issue today. Using razorpay version 2.3.0

vivekshindhe commented 1 year ago

Hey folks, we are currently looking into this. The fix will be made live by Monday morning. Will update here once done. Thank you for your patience.

rajeshde commented 1 year ago

Thanks @vivekshindhe

shahidtumbi commented 1 year ago

Thanks @vivekshindhe

iamromec commented 1 year ago

+1 (also this issue has affected the razorpay-capacitor).

Nirav444Educase commented 1 year ago

I also have the same issue.

vivekshindhe commented 1 year ago

Hey folks, apologies for the delay on this. A new version has been pushed to maven for android SDK. Please ensure the older version isn't cached and reinstall again. When uploading to play store please ensure that the version which was throwing this error from google is out of the track so this issue doesn't crop up again. Thank you for your support.

Will keep this thread open in case any of you weren't able to resolve this issue with Google.

rajeshde commented 1 year ago

@vivekshindhe Can you please share the steps to use the updated version correctly? And is there any way to verify it before uploading a new version on Play Store?

vivekshindhe commented 1 year ago

@rajeshde The package is set to receive the latest version whenever available. Reinstalling the package should do the trick.

nb-immosnapp commented 1 year ago

@vivekshindhe Still the same issue, even though I deleted node_modules and all lock files, reinstalled the whole package and uploaded a new .aab file.

nb-immosnapp commented 1 year ago

Hello @vivekshindhe any update?

nirav-infostretch commented 1 year ago

hi @vivekshindhe,

We are using:
react-native-razorpay: 2.2.9
react-native: 0.64.4
com.razorpay:checkout: 1.6.28

We have uploaded a new bundle, but it is still rejected by the Play Store. Can you please help us? This is the rejection reason we are getting from Google: Your app contains an Intent Redirection vulnerability. Please see this Google Help Center article for details.

com.razorpay.b_J.onReceive sv:deadline:12/13/2020

malikzype commented 1 year ago

Reinstalling doesn't solve the issue. @vivekshindhe Can you please help us update the package?

Nirav1432 commented 1 year ago

@vivekshindhe I also got the same issue, and Google is giving a warning to remove the app from the Play Store.

I tried all ways: upgrading and reinstalling react-native-razorpay. Nothing is working. Please help!

vivekshindhe commented 1 year ago

Hey guys, apologies for the delay. Had to combine two of the remedies together for it to work. Please reinstall the razorpay package and try uploading. I'm gonna attach a screenshot of the working sample as well.

That said, we apologize for this issue. We'll see why it happened and how we can ensure this doesn't happen again.

Nirav1432 commented 1 year ago

okay let me check

iamromec commented 1 year ago

The npm package is showing "3 months ago"...the latest version on NPM is "2.3.0 • Public • Published 3 months ago"

Is there any direct GitHub URL we can use to install it?

iamromec commented 1 year ago

FYI: https://www.npmjs.com/package/react-native-razorpay

vivekshindhe commented 1 year ago

@iamromec the package automatically picks up the latest Android SDK even if the package remains the same. So you don't have to worry about the package update as of right now.

Nirav1432 commented 1 year ago

@iamromec the package automatically picks up the latest Android SDK even if the package remains the same. So you don't have to worry about the package update as of right now.

Yes @vivekshindhe. Now it's working fine, I didn't get any mail now. Thanks a lot!

mashish584 commented 1 year ago

@vivekshindhe Also facing the same issue. I have upgraded the version from 2.2.9 to 2.3.0 and submitted the bundle to the app store again, but am still receiving the same warning.

Using React Native: 0.64.4, React: 17.0.1

vivekshindhe commented 1 year ago

@mashish584 In the retained bundles, if you see a version that gets affected by this, that can also cause this error to pop up. Please ensure to remove it from the retained bundle list. I'd also suggest talking with google directly regarding this because this did not happen in the app I pushed.

eshantbist commented 1 year ago

Hey guys, apologies for the delay. Had to combine two of the remedies together for it to work. Please reinstall the razorpay package and try uploading. I'm gonna attach a screenshot of the working sample as well.

That said, we apologize for this issue. We'll see why it happened and how we can ensure this doesn't happen again.

@vivekshindhe I am still facing the same issue, even though I reinstalled the package and uploaded again.

And how critical is this warning?

vivekshindhe commented 1 year ago

It's not critical. The test basically includes looking for a broadcast receiver and then ensuring that the activity that is triggering it is safe. Doesn't really apply to us, but we still have to follow the guideline.
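The Play Console check described in the comment above looks for a BroadcastReceiver that takes an Intent out of the broadcast it received and launches it unchanged. As an added illustration of that pattern and of a hardened form (not Razorpay's SDK code; the class name, extra key and validation rules are assumptions for the example):

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.ResolveInfo;

/** Hypothetical receiver; class and extra-key names are made up for illustration. */
public class ForwardingReceiver extends BroadcastReceiver {
    private static final String EXTRA_NEXT = "next_intent";

    @Override
    public void onReceive(Context context, Intent received) {
        // The flagged shape: a nested Intent supplied by whoever sent the broadcast
        // is launched unchanged, so this app's identity and permissions are lent to
        // that sender (what the Play warning calls Intent Redirection):
        //     Intent next = received.getParcelableExtra(EXTRA_NEXT);
        //     context.startActivity(next);

        Intent next = received.getParcelableExtra(EXTRA_NEXT);
        if (next == null || !isSafeToForward(context, next)) {
            return; // drop it; nothing untrusted reaches startActivity
        }
        next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // needed from a non-Activity context
        context.startActivity(next);
    }

    /**
     * Accept the nested Intent only if it carries no URI permission grants and
     * does not resolve to a non-exported activity of this app.
     */
    static boolean isSafeToForward(Context context, Intent next) {
        // Refuse to pass on URI grants the sender could not have obtained itself.
        int uriGrants = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION;
        if ((next.getFlags() & uriGrants) != 0) {
            return false;
        }
        ResolveInfo ri = context.getPackageManager().resolveActivity(next, 0);
        if (ri == null || ri.activityInfo == null) {
            return false;
        }
        ActivityInfo target = ri.activityInfo;
        // Reaching one of our own non-exported activities is exactly the
        // privilege escalation the check is looking for.
        boolean ownPackage = context.getPackageName().equals(target.packageName);
        return !(ownPackage && !target.exported);
    }
}
```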

rajeshde commented 1 year ago

Just an update

I have uninstalled and installed the react-native-razorpay package -> Update my app version -> Clean -> Generate Signed aab

Now the updated version is approved by Google.

Thanks a lot @vivekshindhe

vivekshindhe commented 1 year ago

For the folks who are still facing the issue, please raise a support ticket on the Razorpay Dashboard. Our support team will help you sort out the issue the best we can.

Closing the ticket with this.