New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225
Conversation
…the plugin-deps and added an exception for the LocalBroadcastManager in the detector.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test case is good.
I would change the condition to test the class hierarchy just in case an wrapper of LocalBroadcastManager
is use in an application. It could be a future class from the Android SDK or a proprietary utility class.
getNameConstantOperand().equals("sendOrderedBroadcast") || | ||
getNameConstantOperand().equals("sendOrderedBroadcastAsUser") | ||
) | ||
&& !getClassConstantOperand().endsWith("LocalBroadcastManager") // The LocalBroadcastManager object is safe. The broadcast doesn't leave the application scope. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would use InterfaceUtils.isSubtype()
has a main method to confirm that it is a LocalBroadcastManager.
The check !getClassConstantOperand().endsWith("LocalBroadcastManager")
can still be present. It will be useful to have fallback when the complete class hierarchy can be loaded (aka missing classes during the scan).
* https://developer.android.com/reference/android/support/v4/content/LocalBroadcastManager.html | ||
* > "You know that the data you are broadcasting won't leave your app, so don't need to worry about leaking private data." | ||
*/ | ||
LocalBroadcastManager.getInstance(this).sendBroadcast(i); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent doc. 👍
@@ -0,0 +1,10 @@ | |||
package android.content; | |||
|
|||
public class LocalBroadcastManager { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add android.support.v4.content.LocalBroadcastManager
type. It will be needed when an actual test on the class hierarchy is made. (See comment related to InterfaceUtils.isSubtype()
below)
…to fit the changes requested in find-sec-bugs#225.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks perfect ! 👍
I added a check in the BroadcastDetector to validate that the sendBroadcast call is not executed on the LocalBroadcastManager class. This should fix issue #224 .
Right now it could be fooled if someone calls its Activity LocalBroadcastManager and uses the global sendBroadcast method. I could change the check for something stricter like !"android/support/v4/content/LocalBroadcastManager".equals(getClassConstantOperand()) but this would have to be changed often since it contains the API version.