Last 12 weeks · 24 commits
5 of 6 standards met
Summary hex-encodes MD5 digests with: treats the digest as a number, so it drops leading zeros. Any digest that begins with one or more zero nibbles produces a hex string shorter than the expected 32 characters: Roughly one digest in sixteen starts with a zero nibble, so a meaningful fraction of checksums silently did not equal the canonical MD5 value. The same flaw was present in both and the path. Change Use — already defined in the same package — which formats each byte as exactly two hex digits () and therefore preserves leading zeros. This also removes the now-unused import. Tests Added a regression test in covering a single leading-zero nibble () and many leading-zero nibbles (), both of which failed before this change. Existing non-zero-prefixed cases are unchanged. Note: the SDK test suite needs the Android/Gradle toolchain, which wasn't available in my environment, so the new assertions were verified against the canonical values by inspection. CI should exercise them.
Summary is meant to reject any nonce that contains whitespace, but the check only matched the literal space character: Despite the local being named , a nonce containing a tab (), newline (), or carriage return () passed validation. That nonce is later fed into the OIDC login flow through 's , where embedded whitespace can break request handling downstream. Change Use so every whitespace character is rejected: Tests Added regression coverage in for tab, newline, and carriage return — each of which previously passed validation and now correctly fails. Existing valid/space/empty cases are unchanged. Note: the SDK's test suite requires the Android SDK/Gradle toolchain, which wasn't available in my local environment, so the new tests were validated by inspection. CI should exercise them. Co-authored-by:Baradhan-Madhu
Checklist before submitting a bug report [X] I've updated to the latest released version of the SDK [X] I've searched for existing Github issues [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group [X] I've read the Code of Conduct [X] This issue is not security related and can safely be disclosed publicly on GitHub Java version 8 Android version SDK 31 Android SDK version 13.0.0 Installation platform & version Gradle 7.0.0 Package Core & AppEvents Goals No blocking HTTP calls on the main thread Expected results The application is free of ANRs. Actual results We occasionally see ANRs reported in our error collection service with the following relevant callstacks. It appears that what is happening is that during a login attempt the following happens. On the main thread the OS calls onActivityResult() in facebook-common/src/main/java/com/facebook/login/LoginFragment.kt This eventually results in the NativeLoginMethodHandler creating an AuthenticationToken via one of the LoginMethodHandler's static factory methods The AuthenticationToken constructor tries to verify the signature of the header used to create the token in a require() function. The isSignatureValid() check calls into OidcSecurityUtil.getRawKeyFromEndpoint() The OidcSecurityUtil.getRawKeyFromEndpoint() function looks like this: This results in a blocking wait on the main thread until the HTTP request can be completed. It seems that this sometimes takes more than 5 seconds to complete and results in the reported ANR. Steps to reproduce _No response_ Code samples & details _No response_
Checklist before submitting a bug report [X] I've updated to the latest released version of the SDK [X] I've searched for existing Github issues [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group [X] I've read the Code of Conduct [X] This issue is not security related and can safely be disclosed publicly on GitHub Java version java 11.0.12 Android version Andriod 11 Android SDK version 8.2.0 Installation platform & version implementation 'com.facebook.android:facebook-android-sdk:latest.release' Package Login Goals have an jwt format token Expected results have an jwt format token Actual results authenticationToken is empty Steps to reproduce _No response_ Code samples & details
Checklist before submitting a bug report [X] I've updated to the latest released version of the SDK [X] I've searched for existing Github issues [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group [X] I've read the Code of Conduct [X] This issue is not security related and can safely be disclosed publicly on GitHub Java version 8 Android version api 23+ Android SDK version 12.1 Installation platform & version Gradle Package Other / I don't know Goals According to our investigations can block the callers thread for a long time which in case of main thread leads to ANR. We call from the background thread, it is safer and works just fine. Looks like fb sdk calls it from the main thread and we have a bunch of ANR reports that shows this case. Please consider moving to the background thread. Thanks Expected results is used in the background thread, no ANRs Actual results is used in the main thread, ANRs Steps to reproduce _No response_ Code samples & details Edit: added a stacktrace
Checklist before submitting a feature request [X] I've updated to the latest released version of the SDK [X] I've searched for existing Github issues [X] I've read the Code of Conduct Goals Please update the library because there is a build error Expected results android.useAndroidX=false Code samples & details
Repository: facebook/facebook-android-sdk. Description: Used to integrate Android apps with Facebook Platform. Stars: 6439, Forks: 3690. Primary language: Kotlin. Languages: Kotlin (93.6%), Java (6.1%), Shell (0.3%), AIDL (0%). Homepage: https://developers.facebook.com/docs/android Latest release: sdk-version-18.3.0 (1w ago). Open PRs: 3, open issues: 84. Last activity: 1d ago. Community health: 87%. Top contributors: jingping2015, KylinChang, jawwad, maxalbrightmeta, mingflifb, swiese, dreamolight, mingcaozhang, kongxinzhu, jjiang10 and others.