
Android Intent Redirection Vulnerability

See original GitHub issue

Summary

Version: 7.3.1
Affected OS: Android

Current behavior

When we added react-native-device-info and used some functions like getVersion(), after releasing a version on Google Play we received an email from the Google Play Console that warns about an Intent Redirection Vulnerability. You can find more info about the issue at this link.

Expected behavior

Clearing the error and warning alert on the Google Play Console.

Suggested resolution

According to the Google Help link above, ensuring that the extracted Intent comes from a trustworthy source can resolve the problem.

// check if the originating Activity is from a trusted package;
// getCallingActivity() is null unless the caller used startActivityForResult()
ComponentName caller = getCallingActivity();
if (caller != null && caller.getPackageName().equals("known")) {
  Intent intent = getIntent();
  // extract the nested Intent
  Intent forward = (Intent) intent.getParcelableExtra("key");
  // redirect the nested Intent only if one was actually supplied
  if (forward != null) {
    startActivity(forward);
  }
}

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 1
  • Comments: 15 (1 by maintainers)

Top GitHub Comments

2 reactions
dcenatiempo commented, Jan 4, 2021

I'm having the same issue.

Using this command in my node-modules directory: grep -rwl 'android:exported="true"' ./ I have 2 potential culprits, either this package or react-native-firebase/messaging.

But we did just upgrade from 5.6.5 to 7.2.1, so I'm guessing that this library is the issue. I'll downgrade and report back if that fixes it.
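The grep in the comment above only finds components that are reachable from other apps; it says nothing about whether any of them actually relays a nested Intent, which is the pattern the caller check in the suggested resolution is meant to guard. The following is an added example, not code from react-native-device-info, react-native-firebase or the issue author: a small Python scanner that reads a manifest, resolves which activities, services and receivers are exported, and then looks in each component's Java source for an Intent cast out of a parcelable extra and passed to startActivity() with no call that identifies the caller. The regexes are deliberate approximations, the manifest and the four source snippets are constructed samples, and the package names (com.example.app, com.example.trusted) are hypothetical.

```python
# Added example, not react-native-device-info's code: heuristic intent-redirection scan.
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# (Intent) cast out of a parcelable extra, a re-dispatch call, and a caller check.
NESTED_INTENT = re.compile(r"\(\s*Intent\s*\)[^;]*getParcelableExtra\s*\(")
FORWARD = re.compile(r"\b(startActivity|startActivityForResult|startService|sendBroadcast)\s*\(")
CALLER_CHECK = re.compile(r"\b(getCallingActivity|getCallingPackage|checkCallingPermission)\s*\(")


@dataclass
class Finding:
    component: str
    exported: bool
    forwards_nested_intent: bool
    checks_caller: bool

    @property
    def risky(self) -> bool:
        # Reachable from other apps and relays the supplied Intent without checking who sent it.
        return self.exported and self.forwards_nested_intent and not self.checks_caller


def exported_components(manifest_xml: str) -> dict[str, bool]:
    """Map fully qualified component names to exported status. Besides an explicit
    android:exported="true", a component with an <intent-filter> and no exported
    attribute is treated as exported, which is the default below API 31."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = {}
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(f"{{{ANDROID_NS}}}name", "")
        if name.startswith("."):
            name = package + name
        exported_attr = comp.get(f"{{{ANDROID_NS}}}exported")
        if exported_attr is None:
            result[name] = comp.find("intent-filter") is not None
        else:
            result[name] = exported_attr == "true"
    return result


def analyse_source(java_src: str) -> tuple[bool, bool]:
    """Return (forwards a nested Intent, checks the caller) for one Java file."""
    forwards = bool(NESTED_INTENT.search(java_src)) and bool(FORWARD.search(java_src))
    return forwards, bool(CALLER_CHECK.search(java_src))


def scan(manifest_xml: str, sources: dict[str, str]) -> list[Finding]:
    """Join each component's manifest export status with its source analysis."""
    findings = []
    for name, exported in exported_components(manifest_xml).items():
        forwards, checks = analyse_source(sources.get(name, ""))
        findings.append(Finding(name, exported, forwards, checks))
    return findings


# Constructed sample manifest and sources; they are not taken from any real library.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ForwardActivity" android:exported="true"/>
    <activity android:name=".SafeForwardActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""
RELAY = 'Intent forward = (Intent) getIntent().getParcelableExtra("key");\nstartActivity(forward);'
SAMPLE_SOURCES = {
    "com.example.app.MainActivity": "public class MainActivity extends Activity {}",
    "com.example.app.ForwardActivity": RELAY,  # vulnerable: relays any app's Intent
    "com.example.app.SafeForwardActivity":     # hardened: same relay behind a caller check
        'ComponentName c = getCallingActivity();\n'
        'if (c != null && c.getPackageName().equals("com.example.trusted")) {\n' + RELAY + "\n}",
    "com.example.app.InternalActivity": RELAY,  # forwards, but other apps cannot reach it
}


def risky_components(manifest_xml: str = SAMPLE_MANIFEST,
                     sources: dict[str, str] | None = None) -> list[str]:
    """Names of exported components that forward a nested Intent unchecked."""
    found = scan(manifest_xml, SAMPLE_SOURCES if sources is None else sources)
    return [f.component for f in found if f.risky]


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print("RISK" if f.risky else "ok  ", f.component,
              f"exported={f.exported} forwards={f.forwards_nested_intent} checks_caller={f.checks_caller}")
```

Run against a real tree, you would walk node_modules for every AndroidManifest.xml and feed each component's .java (or .kt) file into analyse_source; the sample run reports only ForwardActivity, because InternalActivity is not exported and SafeForwardActivity checks its caller. Two caveats apply to the check itself: getCallingActivity() returns null unless the other side used startActivityForResult(), so the guarded branch never runs for a plain startActivity() caller, and a regex hit on getCallingPackage() only proves that a caller check exists somewhere in the file, not that it protects the forwarding path.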

1 reaction
dcenatiempo commented, Jan 6, 2021

> I'm having the same issue.
>
> Using this command in my node-modules directory: grep -rwl 'android:exported="true"' ./ I have 2 potential culprits, either this package or react-native-firebase/messaging.
>
> But we did just upgrade from 5.6.5 to 7.2.1, so I'm guessing that this library is the issue. I'll downgrade and report back if that fixes it.

Yeah, reverting we still had issues… I think what happened is someone deleted our yarn.lock and some dependency got updated to a version that broke, but I have no idea what dependency, so we are reverting our yarn.lock to one from several months ago.

Thanks to everyone who looked into this. @mikehardy I see you everywhere, thanks for all the work you do for the open source community.


Top Results From Across the Web

Remediation for Intent Redirection Vulnerability - Google Help
One or more of your apps contain an Intent Redirection issue which can allow malicious apps to access private app components or files....

Mitigating and remediating intent-based Android security ...
In some cases, an attacker wants to set flags on the redirected intent and route it back to their own app to gain...

Intent redirection vulnerabilities in popular ... - PortSwigger
UPDATED Android app developers have been urged not to load code dynamically because of the heightened risk of code execution vulnerabilities.

Your app contains an Intent Redirection vulnerability
"One or more of your apps contains an Intent Redirection vulnerability that puts user data at risk. On August 13, 2019, any apps...

Android Intent redirection — CodeQL query help documentation
An exported Android component that obtains a user-provided Intent and uses it to launch another component can be exploited to obtain access to...
