[VBLOCKS-6683] fix secops 24657#773
Comprehensive PR Review

Automated multi-pass review covering bug analysis and test coverage. Findings are ranked by severity; each includes a concrete failure scenario.

Bug Analysis (3 Independent Passes)

🔴 Critical

1. Two After the migration, both

```xml
<service android:name=".notify.fcm.NotifyFirebaseMessagingService">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
</service>
<service android:name=".notify.fcm.NotifyFirebaseInstanceIDService">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
</service>
```

Firebase Messaging routes an event to only one service (the first resolved). Depending on manifest order, either

Fix: Delete

Failure scenario: New device install →

2. The previous implementation had an explicit null check:

```java
if (newAddress == null) {
    Log.w(TAG, "The Firebase token is not available yet.");
    return;
}
```

That guard has been removed.

Fix: Re-add the null check (or

🟠 High

3.

```java
String installationId = Tasks.await(FirebaseInstallations.getInstance().getId());
newAddress = Tasks.await(FirebaseMessaging.getInstance().getToken());
```

If the Firebase task never resolves (no network, GMS bug, GCM channel down),

Fix: Use the overload with a timeout:

4.

Fix:

```java
} catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    // handle...
} catch (ExecutionException | TimeoutException e) { ... }
```

5. The comment says "mitigate CWE-502," but

Also:

6.

Fix: Explicitly check

🟡 Medium

7.

```java
String identity = sharedPreferences.getString(IDENTITY, null);
try {
    Response<Token> response = TwilioSDKStarterAPI.fetchToken(identity).execute();
```

If the shared-preference key is absent (first launch),

8. Semantic drift: The endpoint format is

9. These bypass the top-level

10. Unused Left over from before the

🔵 Low / Nit

11.

```java
@Override
public void onNewToken(String token) {
    Log.d(TAG, "Refreshed token: " + token);
    sendRegistrationToServer(); // param stripped, then fetched again later
}
```

Passing it through would save a redundant

12. Logging tokens at DEBUG level

13. README instruction risks silent breakage

The README now tells users to hand-patch

Test Coverage Analysis

This is an example / quickstart repo — there are no existing unit or instrumentation tests for the

Manual verification the PR description does not mention but should cover before merge:

Summary

Must-fix before merge:

Should-fix before merge:

Nice-to-have: move the two hardcoded lib versions into

🤖 Generated by
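Findings 2, 3, 4 and 12 above describe one registration path with four separate defects: an unbounded `Tasks.await`, a dropped null guard, an interrupt that is not restored, and the raw token written to the debug log. The class below is an added illustration by the editor, not code from this PR or from the quickstart, that shows all four fixes in one place. It models the Firebase `Task` as a plain `java.util.concurrent.Future` so it compiles and runs on a bare JDK with no Play services; the class name `TokenRegistration`, the 10-second default timeout, the `Outcome` enum and the SHA-256 fingerprint scheme are all assumptions. In the real app the bounded wait is the `Tasks.await(task, timeout, unit)` overload the review refers to, and the rest of the shape carries over unchanged.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Hypothetical registration helper (not the quickstart's code). The Firebase
 * Task is modelled as a Future so this runs on a plain JDK; in the app the same
 * shape applies to Tasks.await(FirebaseMessaging.getInstance().getToken(), t, unit).
 */
public final class TokenRegistration {

    /** Assumed upper bound on how long one registration attempt may block. */
    static final long DEFAULT_TIMEOUT_SECONDS = 10;

    /** Outcome of one attempt; the caller (e.g. onNewToken) decides whether to retry. */
    enum Outcome { REGISTERED, TOKEN_UNAVAILABLE, TIMED_OUT, FAILED, INTERRUPTED }

    private final Future<String> tokenTask;
    private final long timeoutSeconds;
    private String lastRegisteredFingerprint;

    TokenRegistration(Future<String> tokenTask) {
        this(tokenTask, DEFAULT_TIMEOUT_SECONDS);
    }

    TokenRegistration(Future<String> tokenTask, long timeoutSeconds) {
        this.tokenTask = tokenTask;
        this.timeoutSeconds = timeoutSeconds;
    }

    /**
     * Bounded wait, explicit null guard (the removed "token is not available yet"
     * check), interrupt status restored, and no raw token in the log.
     */
    Outcome register() {
        final String token;
        try {
            token = tokenTask.get(timeoutSeconds, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // never swallow the interrupt
            return Outcome.INTERRUPTED;
        } catch (TimeoutException e) {
            log("W", "No Firebase token after " + timeoutSeconds + "s; retry on next onNewToken.");
            return Outcome.TIMED_OUT;
        } catch (ExecutionException e) {
            log("E", "Token fetch failed: " + e.getCause());
            return Outcome.FAILED;
        }
        if (token == null || token.isEmpty()) {
            log("W", "The Firebase token is not available yet.");
            return Outcome.TOKEN_UNAVAILABLE;
        }
        lastRegisteredFingerprint = fingerprint(token);
        log("D", "Registering token " + lastRegisteredFingerprint); // fingerprint, not the secret
        return Outcome.REGISTERED;
    }

    String lastRegisteredFingerprint() { return lastRegisteredFingerprint; }

    /** First 8 bytes of SHA-256 as hex: enough to correlate log lines, useless to replay. */
    static String fingerprint(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder("sha256:");
            for (int i = 0; i < 8; i++) sb.append(String.format("%02x", digest[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    private static void log(String level, String msg) {
        System.out.println(level + "/TokenRegistration: " + msg);
    }

    /** Constructed inputs, one per branch; no network or Firebase needed. */
    public static void main(String[] args) {
        System.out.println(new TokenRegistration(
                CompletableFuture.completedFuture("fcm-token-constructed-for-demo")).register());
        System.out.println(new TokenRegistration(
                CompletableFuture.completedFuture((String) null)).register());
        System.out.println(new TokenRegistration(
                CompletableFuture.failedFuture(new IllegalStateException("GMS unavailable"))).register());
        CompletableFuture<String> neverResolves = new CompletableFuture<>(); // stuck task
        System.out.println(new TokenRegistration(neverResolves, 1).register());
    }
}
```

The four `main` cases exercise REGISTERED, TOKEN_UNAVAILABLE, FAILED and TIMED_OUT in that order; the stuck task is given a 1-second bound so the demo finishes quickly, whereas production code would keep the default and let the next `onNewToken` callback retry rather than block the caller indefinitely.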
Follow-up: Does this actually close SECOPS-24657?

Pulled the ticket to check remediation criteria against the PR. The ticket is a Snyk auto-generated stub: the description, severity, CVE list, and remediation criteria fields are all empty (only the standard triage boilerplate). The only comment is Jira automation pinging the assignee to transition it to In-Progress.

Implications for merging:

Suggested path before merge (pick one):

This is separate from the correctness findings in my earlier review (duplicate

🤖 Follow-up from
Explicit whitelist of the previous patch version is whitelisted according to the secops ticket
Fixed some issues that were reported by a sec-ops ticket, and verified a bunch of dependabot issues. These required some minor code changes to reflect modernization.