Network connection may not be being verified in method #14

Open
amazuerar opened this issue Aug 15, 2021 · 0 comments

Dear Developer!

My name is Alejandro Mazuera-Rozo. I am a PhD student at Universidad de los Andes and at Università della Svizzera italiana. I am part of a research project on the usage of network libraries within Android apps. As a result of this, we identified that there is a missing validation of the network connection within a method, since some network operations are being performed in it.

As you might know, a device may not be connected to a network. In order to get such information see https://developer.android.com/reference/android/net/ConnectivityManager. Therefore it is recommended to identify whether the device has a network connection available before performing a network operation.

In order to address this issue, we recommend that you visit:

  1. https://developer.android.com/training/basics/network-ops/managing
  2. https://developer.android.com/reference/android/net/ConnectivityManager.NetworkCallback

Note: public NetworkInfo getActiveNetworkInfo () returns details about the currently active default data network. When connected, this network is the default route for outgoing connections. You should always check NetworkInfo#isConnected() before initiating network traffic; it requires Manifest.permission.ACCESS_NETWORK_STATE. However, isConnected() was deprecated in API level 29; one could instead use the ConnectivityManager.NetworkCallback API to learn about connectivity changes, more specifically the onAvailable() method.

Potential Code Location not verifying network connection before performing a network request:

```kotlin
private fun login(user: String, password: String): String {
    val client = getCaCertSSLClient()
    val formBody = FormBody.Builder()
        .add("user", user)
        .add("password", password)
        .build()
    val request = Request.Builder()
        .url(LOGIN_URL)
        .post(formBody)
        .build()
    client.newCall(request).execute().use { response ->
        if (response.code != 200) {
            throw LoginFailed("Unexpected code ${response.code}.", response.body!!.string(), response)
        }
        val setCookie = response.header("Set-Cookie")
            ?: throw LoginFailed("No cookie present", response.body!!.string(), response)
        val cookie = Cookie.Companion.parse(request.url, setCookie)
            ?: throw LoginFailed("Can't parse cookie: ${setCookie}", response.body!!.string(), response)
        Logger.debug("Login successful")
        return cookie.value
    }
}
```
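
Added example, not part of the original issue or the project's code: one way to apply the `ConnectivityManager.NetworkCallback` approach the issue recommends, so a request such as `login()` is attempted only while a default network is available. `ConnectivityGuard` and `whenOnline` are hypothetical names; the sketch assumes API level 24+ and the `ACCESS_NETWORK_STATE` permission.

```kotlin
import android.content.Context
import android.net.ConnectivityManager
import android.net.Network
import android.net.NetworkCapabilities
import java.io.IOException
import java.util.concurrent.atomic.AtomicBoolean

// Hypothetical helper (assumption, not the project's API). Needs
// android.permission.ACCESS_NETWORK_STATE and API level 24 or later.
class ConnectivityGuard(context: Context) {
    private val cm = context.applicationContext
        .getSystemService(Context.CONNECTIVITY_SERVICE) as ConnectivityManager

    // Seeded with a one-shot check, then kept current by the callback below.
    private val available = AtomicBoolean(currentlyOnline())

    private val callback = object : ConnectivityManager.NetworkCallback() {
        override fun onAvailable(network: Network) = available.set(true)
        override fun onLost(network: Network) = available.set(false)
    }

    // Call from the component's start/stop lifecycle hooks.
    fun start() = cm.registerDefaultNetworkCallback(callback)
    fun stop() = cm.unregisterNetworkCallback(callback)

    // Non-deprecated replacement for NetworkInfo#isConnected(): the default
    // network must offer internet access and have passed system validation.
    private fun currentlyOnline(): Boolean {
        val network = cm.activeNetwork ?: return false
        val caps = cm.getNetworkCapabilities(network) ?: return false
        return caps.hasCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET) &&
            caps.hasCapability(NetworkCapabilities.NET_CAPABILITY_VALIDATED)
    }

    // Fails fast when offline. The link can still drop after this check, so
    // callers must keep handling IOException from the request itself.
    fun <T> whenOnline(request: () -> T): T {
        if (!available.get()) throw IOException("No network connection available")
        return request()
    }
}

// Usage inside the class that owns login():
//   val cookie = guard.whenOnline { login(user, password) }
```

The check is advisory only: it avoids a pointless request and gives a clear offline error, while certificate validation and the `LoginFailed` handling in `login()` stay unchanged.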
