AdevintaSpain/Barista

Jsoup Library is presenting a security issue when scanning

mikebeitzel opened this issue · 2 comments

Hi, I'm currently using the Barista plugin, and when we did a security check we got an error returned about the library using jsoup 1.12.2. The error was presented as follows:
jsoup is a java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

The recommendation is to use a newer version of jsoup:
https://mvnrepository.com/artifact/org.jsoup/jsoup

If there's more information I can provide, I can do so upon request.
Thank you.

Sloy commented

Hi @mikebeitzel. Thank you for the detailed explanation. Out of curiosity, what did you use for the security check?

Barista doesn't directly use jsoup. From what I see, it's a transitive dependency of the espresso-contrib library. We're using the latest stable version 3.4 right now.

You could redirect the issue to the android-test repository directly.

Thanks!
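One way to pin the transitive jsoup that espresso-contrib brings into the instrumentation test classpath, as an added example that is not part of this thread or of the Barista project: a Gradle dependency constraint in the app module (Groovy DSL). The `com.example:barista-placeholder` coordinates, the `:app` module name and the `debugAndroidTestRuntimeClasspath` configuration are assumptions; substitute your own.

```groovy
// app/build.gradle (Groovy DSL) -- added example, not Barista's own build script.
// Assumes Barista and Espresso are declared on androidTestImplementation.
dependencies {
    // Placeholder coordinates; use the real Barista artifact and version you depend on.
    androidTestImplementation 'com.example:barista-placeholder:0.0.0'

    constraints {
        // A constraint does not add jsoup as a direct dependency; it only raises the
        // version chosen for the transitive jsoup that espresso-contrib already pulls in.
        androidTestImplementation('org.jsoup:jsoup:1.14.2') {
            because 'jsoup < 1.14.2 may hang or throw on crafted HTML input (advisory quoted in this issue)'
        }
    }
}

// Verify the resolved version on the test runtime classpath (run from the project root):
//   ./gradlew :app:dependencies --configuration debugAndroidTestRuntimeClasspath | grep jsoup
// The tree should show jsoup promoted to 1.14.2 (for example "org.jsoup:jsoup:1.12.2 -> 1.14.2").
```

If the scanner still flags jsoup after this change, check the other Android test configurations (release or additional build variants) with the same `dependencies` report, since a constraint only applies to the configurations it is declared on.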

Sure we use whitesource. 4.2 actually passed the security check as well btw. Thank you for your time!