
CWE-502 #2536

Open
1 of 2 tasks
adhiherlianto opened this issue Feb 20, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@adhiherlianto

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The application uses an insecure object deserialization format that attackers can exploit to cause remote code execution.

Expected Behavior

To prevent object serialization vulnerabilities, the application must either:

  • Accept serialized objects from trusted sources only
  • Use serialization primitive data types only

Steps with code example to reproduce

Use of insecure serialization API android.os.Bundle.getSerializable. Call trace for method android.os.Bundle.getSerializable:

at com.pichillilorenzo.flutter_inappwebview.in_app_browser.InAppBrowserActivity.onCreate()
at android.os.Bundle.getSerializable()

Code source: method com.pichillilorenzo.flutter_inappwebview.in_app_browser.InAppBrowserActivity.onCreate:

protected void onCreate(android.os.Bundle p10)
{
	super.onCreate(p10);
	com.pichillilorenzo.flutter_inappwebview.types.URLRequest v10_8 = this.getIntent().getExtras();
	if (v10_8 != null) {
		this.id = v10_8.getString("id");
		com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_15 = ((com.pichillilorenzo.flutter_inappwebview.in_app_browser.InApp
		this.manager = v0_15;
		if (v0_15 != null) {
			com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_22 = v0_15.plugin;
			if ((v0_22 != null) && (v0_22.messenger != null)) {
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_26 = ((java.util.Map) v10_8.getSerializable("options"));
				this.options.parse(v0_26);
				this.windowId = Integer.valueOf(v10_8.getInt("windowId"));
				com.pichillilorenzo.flutter_inappwebview.types.UserScript v2_10 = this.manager.plugin.messenger;
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v3_4 = new StringBuilder();
				v3_4.append("com.pichillilorenzo/flutter_inappbrowser_");
				v3_4.append(this.id);
				this.channel = new io.flutter.plugin.common.MethodChannel(v2_10, v3_4.toString());
				this.setContentView(com.pichillilorenzo.flutter_inappwebview.R$layout.activity_web_view);
				String v1_24 = ((java.util.Map) v10_8.getSerializable("pullToRefreshInitialOptions"));
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v3_8 = this.manager.plugin.messenger;
				String v4_4 = new StringBuilder();
				v4_4.append("com.pichillilorenzo/flutter_inappwebview_pull_to_refresh_");
				v4_4.append(this.id);
				com.pichillilorenzo.flutter_inappwebview.types.UserScript v2_12 = new io.flutter.plugin.common.MethodChannel(v3_8, v4_4.toString());
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v3_10 = new com.pichillilorenzo.flutter_inappwebview.pull_to_re
				v3_10.parse(v1_24);
				String v1_27 = ((com.pichillilorenzo.flutter_inappwebview.pull_to_refresh.PullToRefreshLayout) this.findViewById(com.pichillilorenzo
				this.pullToRefreshLayout = v1_27;
				v1_27.channel = v2_12;
				v1_27.options = v3_10;
				v1_27.prepare();
				String v1_30 = ((com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView) this.findViewById(com.pichillilorenzo.flutter
				this.webView = v1_30;
				v1_30.windowId = this.windowId;
				v1_30.inAppBrowserDelegate = this;
				v1_30.channel = this.channel;
				v1_30.plugin = this.manager.plugin;
				com.pichillilorenzo.flutter_inappwebview.types.UserScript v2_18 = new com.pichillilorenzo.flutter_inappwebview.InAppWebViewMethodHan
				this.methodCallDelegate = v2_18;
				this.channel.setMethodCallHandler(v2_18);
				this.fromActivity = v10_8.getString("fromActivity");
				String v1_2 = ((java.util.Map) v10_8.getSerializable("contextMenu"));
				com.pichillilorenzo.flutter_inappwebview.types.UserScript v2_2 = ((java.util.List) v10_8.getSerializable("initialUserScripts"));
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v3_1 = new com.pichillilorenzo.flutter_inappwebview.in_app_webv
				v3_1.parse(v0_26);
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_1 = this.webView;
				v0_1.options = v3_1;
				v0_1.contextMenu = v1_2;
				com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_3 = new java.util.ArrayList();
				if (v2_2 != null) {
					String v1_3 = v2_2.iterator();
					while (v1_3.hasNext()) {
						v0_3.add(com.pichillilorenzo.flutter_inappwebview.types.UserScript.fromMap(((java.util.Map) v1_3.next())));
					}
				} 
				this.webView.userContentController.addUserOnlyScripts(v0_3);
				this.actionBar = this.getSupportActionBar();
				this.prepareView();
				if (this.windowId.intValue() == -1) {
					com.pichillilorenzo.flutter_inappwebview.in_app_webview.InAppWebView v0_9 = v10_8.getString("initialFile");
					String v1_10 = ((java.util.Map) v10_8.getSerializable("initialUrlRequest"));
					String v5_0 = v10_8.getString("initialData");
					if (v0_9 == null) {
						if (v5_0 == null) {
							if (v1_10 != null) {
								this.webView.loadUrl(com.pichillilorenzo.flutter_inappwebview.types.URLRequest.fromMap(v1_10));
							}
						} else {
							this.webView.loadDataWithBaseURL(v10_8.getString("initialBaseUrl"), v5_0, v10_8.getString("initialMimeType"), v10_8.getS
						}
					} else {
						try {
							this.webView.loadFile(v0_9);
						} catch (com.pichillilorenzo.flutter_inappwebview.types.URLRequest v10_3) {
							v10_3.printStackTrace();
							String v1_12 = new StringBuilder();
							v1_12.append(v0_9);
							v1_12.append(" asset file cannot be found!");
							android.util.Log.e("InAppBrowserActivity", v1_12.toString(), v10_3);
							return;
						}
					}
				} else {
					com.pichillilorenzo.flutter_inappwebview.types.URLRequest v10_6 = ((android.os.Message) com.pichillilorenzo.flutter_inappwebview
					if (v10_6 != null) {
						((android.webkit.WebView$WebViewTransport) v10_6.obj).setWebView(this.webView);
						v10_6.sendToTarget();
					}
				} 
				this.onBrowserCreated();
			}
		} 
		return;
	} else {
		return;
	}
}

Use of insecure serialization API android.os.Bundle.getSerializable. Call trace for method android.os.Bundle.getSerializable:

at com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity.onCreate()
at android.os.Bundle.getSerializable()

Code source: method com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity.onCreate:

protected void onCreate(android.os.Bundle p5)
{
	super.onCreate(p5);
	this.setContentView(com.pichillilorenzo.flutter_inappwebview.R$layout.chrome_custom_tabs_layout);
	com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.CustomTabActivityHelper v5_5 = this.getIntent().getExtras();
	if (v5_5 != null) {
		this.id = v5_5.getString("id");
		com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity$2 v0_4 = ((com.pichillilorenzo.flutter_inappwebview.chr
		this.manager = v0_4;
		if (v0_4 != null) {
			com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity$2 v0_5 = v0_4.plugin;
			if (v0_5 != null) {
				com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity$2 v0_6 = v0_5.messenger;
				if (v0_6 != null) {
					String v2_1 = new StringBuilder();
					v2_1.append("com.pichillilorenzo/flutter_chromesafaribrowser_");
					v2_1.append(this.id);
					java.util.List v1_2 = new io.flutter.plugin.common.MethodChannel(v0_6, v2_1.toString());
					this.channel = v1_2;
					v1_2.setMethodCallHandler(this);
					this.initialUrl = v5_5.getString("url");
					com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomTabsActivity$2 v0_10 = new com.pichillilorenzo.flutter_i
					this.options = v0_10;
					v0_10.parse(((java.util.Map) v5_5.getSerializable("options")));
					this.actionButton = com.pichillilorenzo.flutter_inappwebview.types.CustomTabsActionButton.fromMap(((java.util.Map) v5_5.getSeria
					com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.CustomTabActivityHelper v5_6 = ((java.util.List) v5_5.getSerializabl
					while (v5_6.hasNext()) {
						this.menuItems.add(com.pichillilorenzo.flutter_inappwebview.types.CustomTabsMenuItem.fromMap(((java.util.Map) v5_6.next())))
					} 
					this.customTabActivityHelper.setConnectionCallback(new com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomT
					this.customTabActivityHelper.setCustomTabsCallback(new com.pichillilorenzo.flutter_inappwebview.chrome_custom_tabs.ChromeCustomT
				}
			}
		} 
		return;
	} else {
		return;
	}
}

Stacktrace/Logs

<Replace this line by pasting your stacktrace or logs here>

Flutter version

v3.24.4

Operating System, Device-specific and/or Tool

Windows, Android

Plugin version

v6.1.10

Additional information

No response

Self grab

  • I'm ready to work on this issue!
adhiherlianto added the bug label Feb 20, 2025
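Added example, not part of the original report and not the plugin's code: the pattern the scanner flags in both onCreate methods above, beside the hardened form that the two Expected Behavior bullets describe. OptionsActivity, the EXTRA_* keys and the manifest entry are hypothetical names for illustration. The hardened path follows the second bullet literally: only a String extra crosses the Intent boundary and the receiver parses it with the platform's org.json, so Bundle.getSerializable is never called and no ObjectInputStream runs. It compiles against the Android SDK (android.*, org.json.*), not as a plain JVM program.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import org.json.JSONException;
import org.json.JSONObject;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/*
 * Hypothetical Activity contrasting the flagged pattern with a hardened one.
 * Its manifest entry (no intent-filter and explicitly unexported, so only this
 * app's own process can start it and supply the extras):
 *
 *   <activity android:name=".OptionsActivity" android:exported="false" />
 */
public class OptionsActivity extends Activity {
    static final String EXTRA_OPTIONS_SERIALIZABLE = "options";   // key used by the flagged pattern
    static final String EXTRA_OPTIONS_JSON = "options_json";      // key used by the hardened pattern

    // BEFORE (the pattern the scanner reports): the Serializable carried by the
    // Intent is rebuilt by ObjectInputStream inside Bundle.getSerializable before
    // the cast to Map runs, so any Serializable class on the app's classpath can
    // be instantiated from the Parcel. That input is attacker-controlled only if
    // the Activity is exported or the Intent can be redirected to it.
    @SuppressWarnings({"unchecked", "deprecation"})
    static Map<String, Object> readOptionsUnsafe(Bundle extras) {
        return (Map<String, Object>) extras.getSerializable(EXTRA_OPTIONS_SERIALIZABLE);
    }

    // AFTER: only a String crosses the Intent boundary. A String carries no object
    // graph, so nothing is deserialized; malformed input fails the JSON parse and
    // the caller rejects it instead of falling back to getSerializable.
    static Map<String, Object> readOptionsSafe(Bundle extras) throws JSONException {
        String json = extras.getString(EXTRA_OPTIONS_JSON);
        if (json == null) {
            throw new JSONException("missing extra " + EXTRA_OPTIONS_JSON);
        }
        return toMap(new JSONObject(json));
    }

    // Recursive JSONObject -> Map conversion; nested arrays are left as JSONArray.
    static Map<String, Object> toMap(JSONObject obj) throws JSONException {
        Map<String, Object> out = new HashMap<>();
        for (Iterator<String> it = obj.keys(); it.hasNext(); ) {
            String key = it.next();
            Object value = obj.get(key);
            out.put(key, value instanceof JSONObject ? toMap((JSONObject) value) : value);
        }
        return out;
    }

    // Sender side, in the plugin's own process: explicit Intent, JSON String extra,
    // and no Map or other Serializable placed into the Bundle.
    static Intent buildLaunchIntent(Context ctx, Map<String, ?> options) {
        Intent intent = new Intent(ctx, OptionsActivity.class);
        intent.putExtra(EXTRA_OPTIONS_JSON, new JSONObject(options).toString());
        return intent;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Bundle extras = getIntent().getExtras();
        if (extras == null) {
            finish();
            return;
        }
        try {
            Map<String, Object> options = readOptionsSafe(extras);
            // ... apply options to the WebView here ...
        } catch (JSONException e) {
            finish();   // reject bad input rather than fall back to getSerializable
        }
    }
}
```

The first check a practitioner would run before triaging this finding is whether the two Activities named in the traces are reachable from outside the app at all: `aapt2 dump xmltree --file AndroidManifest.xml app.apk` shows the merged manifest, and an activity with no intent-filter is not exported by default. If they are unexported, the extras come only from the plugin's own process and the scanner hit is a hardening item rather than an exploitable sink; if they are exported, or an exported component forwards a caller-supplied Intent to them, the Serializable path is the one to remove. The typed getSerializable(String, Class) available from API 33 narrows the cast target, but it still deserializes before the type check, so treat it as a type-confusion mitigation and not as protection against gadget chains that fire inside readObject.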