[PR #5419] [MERGED] [PM-22735] Unsafe deserialization parcel data intent #5750

Closed
opened 2025-11-27 00:13:39 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/bitwarden/android/pull/5419
Author: @LRNcardozoWDF
Created: 6/25/2025
Status: Merged
Merged: 7/14/2025
Merged by: @LRNcardozoWDF

Base: main ← Head: pm-22735/unsafe-deserialization-parcel-data-intent


📝 Commits (10+)

  • 53f2dd5 pm-22735 Add func to sanitize intent
  • 227d582 pm-22735 Refactor unused exception
  • 23baefe Merge branch 'main' into pm-22735/unsafe-deserialization-parcel-data-intent
  • 9bbb93f pm-22735 Validate if extracting data throws an exception
  • eec9c4e pm-22735 Add unit tests for validate intent
  • 8215498 Merge branch 'main' into pm-22735/unsafe-deserialization-parcel-data-intent
  • 0192c6c pm-22735 Refactor
  • 6953292 Merge branch 'main' into pm-22735/unsafe-deserialization-parcel-data-intent
  • fb1caca pm-22735 Refactor
  • 19ee1de pm-22735 Fix PR comment

📊 Changes

11 files changed (+147 additions, -102 deletions)


📝 app/src/main/kotlin/com/x8bit/bitwarden/AccessibilityActivity.kt (+12 -0)
📝 app/src/main/kotlin/com/x8bit/bitwarden/AuthCallbackActivity.kt (+11 -0)
📝 app/src/main/kotlin/com/x8bit/bitwarden/AutofillTotpCopyActivity.kt (+12 -0)
📝 app/src/main/kotlin/com/x8bit/bitwarden/MainActivity.kt (+12 -2)
📝 app/src/main/kotlin/com/x8bit/bitwarden/data/auth/util/PasswordlessRequestDataUtils.kt (+1 -1)
📝 app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/util/AutofillIntentUtils.kt (+1 -1)
📝 authenticator/src/main/kotlin/com/bitwarden/authenticator/MainActivity.kt (+10 -14)
➖ authenticator/src/main/kotlin/com/bitwarden/authenticator/data/platform/util/IntentExtensions.kt (+0 -19)
➖ authenticator/src/test/kotlin/com/bitwarden/authenticator/data/platform/util/IntentExtensionsTest.kt (+0 -64)
📝 ui/src/main/kotlin/com/bitwarden/ui/platform/util/IntentExtensions.kt (+20 -1)
➕ ui/src/test/kotlin/com/bitwarden/ui/platform/util/IntentExtensionsTest.kt (+68 -0)

📄 Description

🎟️ Tracking

PM-22735: https://bitwarden.atlassian.net/browse/PM-22735

📔 Objective

Fix a vulnerability that exists when deserializing a parcel data intent containing a class that doesn't belong to the app, which would lead to a crash.

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2025-11-27 00:13:39 -06:00
Reference: github-starred/android#5750