From b4ccc28dcea2517b074c68bfdf09401b946b03d7 Mon Sep 17 00:00:00 2001
From: Abhinav Gupta
Date: Tue, 30 Jul 2024 15:09:06 +0530
Subject: [PATCH 1/2] fix: replaced md5 hashing algorithm by sha-256
---
 contentstack/src/main/java/com/contentstack/sdk/Asset.java | 4 ++--
 .../src/main/java/com/contentstack/sdk/AssetLibrary.java | 4 ++--
 contentstack/src/main/java/com/contentstack/sdk/Entry.java | 4 ++--
 contentstack/src/main/java/com/contentstack/sdk/Query.java | 4 ++--
 .../src/main/java/com/contentstack/sdk/SDKUtil.java | 6 +++---
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/contentstack/src/main/java/com/contentstack/sdk/Asset.java b/contentstack/src/main/java/com/contentstack/sdk/Asset.java
index 828e609d..bbac9b8b 100755
--- a/contentstack/src/main/java/com/contentstack/sdk/Asset.java
+++ b/contentstack/src/main/java/com/contentstack/sdk/Asset.java
@@ -385,8 +385,8 @@ public void fetch(FetchResultCallback callback) {
 urlQueries.put("environment", headers.get("environment"));
 }
 String mainStringForMD5 = urlEndpoint + new JSONObject().toString() + headers.toString();
- String md5Value = new SDKUtil().getMD5FromString(mainStringForMD5.trim());
- File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + md5Value);
+ String shaValue = new SDKUtil().getSHAFromString(mainStringForMD5.trim());
+ File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + shaValue);
 switch (cachePolicyForCall) {
 case IGNORE_CACHE:
diff --git a/contentstack/src/main/java/com/contentstack/sdk/AssetLibrary.java b/contentstack/src/main/java/com/contentstack/sdk/AssetLibrary.java
index e47cf2b0..48a081d8 100644
--- a/contentstack/src/main/java/com/contentstack/sdk/AssetLibrary.java
+++ b/contentstack/src/main/java/com/contentstack/sdk/AssetLibrary.java
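Review bot: The local `mainStringForMD5` keeps its MD5-specific name on the new side even though it now feeds `getSHAFromString`, here and in the AssetLibrary, Entry and Query hunks below; a digest-neutral name such as `String cacheKeySource = urlEndpoint + new JSONObject().toString() + headers.toString();` would stop the next reader looking for an MD5 that no longer exists. Switching the digest also changes every cache file name under `SDKConstant.cacheFolderName`, so cache files written by earlier releases are never read again and are left on disk; that deserves a comment at the `cacheFile` line or a changelog entry, and possibly a one-time sweep of the old files. `fetch` starts and ends outside the hunk.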
@@ -215,8 +215,8 @@ public void fetchAll(FetchAssetsCallback assetsCallback) {
 urlQueries.put("environment", headers.get("environment"));
 }
 String mainStringForMD5 = URL + new JSONObject().toString() + headers.toString();
- String md5Value = new SDKUtil().getMD5FromString(mainStringForMD5.trim());
- File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + md5Value);
+ String shaValue = new SDKUtil().getSHAFromString(mainStringForMD5.trim());
+ File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + shaValue);
 switch (cachePolicyForCall) {
 case IGNORE_CACHE:
 fetchFromNetwork(URL, urlQueries, headers, cacheFile.getPath(), assetsCallback);
diff --git a/contentstack/src/main/java/com/contentstack/sdk/Entry.java b/contentstack/src/main/java/com/contentstack/sdk/Entry.java
index 64987ec8..f315392c 100755
--- a/contentstack/src/main/java/com/contentstack/sdk/Entry.java
+++ b/contentstack/src/main/java/com/contentstack/sdk/Entry.java
@@ -1087,9 +1087,9 @@ public void fetch(EntryResultCallBack callBack) {
 }
 String mainStringForMD5 = URL + new JSONObject().toString() + headerAll.toString();
- String md5Value = new SDKUtil().getMD5FromString(mainStringForMD5.trim());
+ String shaValue = new SDKUtil().getSHAFromString(mainStringForMD5.trim());
- File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + md5Value);
+ File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + shaValue);
 switch (cachePolicyForCall) {
diff --git a/contentstack/src/main/java/com/contentstack/sdk/Query.java b/contentstack/src/main/java/com/contentstack/sdk/Query.java
index 7c540415..ceed7910 100755
--- a/contentstack/src/main/java/com/contentstack/sdk/Query.java
+++ b/contentstack/src/main/java/com/contentstack/sdk/Query.java
@@ -1595,8 +1595,8 @@ protected void execQuery(SingleQueryResultCallback callBack, QueryResultsCallBac
 mainJSON.put("query", urlQueries);
 mainJSON.put("_method", SDKConstant.RequestMethod.GET.toString());
 String mainStringForMD5 = URL + mainJSON.toString() + headers.toString();
- String md5Value = new SDKUtil().getMD5FromString(mainStringForMD5.trim());
- File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + md5Value);
+ String shaValue = new SDKUtil().getSHAFromString(mainStringForMD5.trim());
+ File cacheFile = new File(SDKConstant.cacheFolderName + File.separator + shaValue);
 CachePolicy cachePolicy = CachePolicy.NETWORK_ONLY;//contentTypeInstance.stackInstance.globalCachePolicyForCall;
 if (cachePolicyForCall != null) {
 cachePolicy = cachePolicyForCall;
diff --git a/contentstack/src/main/java/com/contentstack/sdk/SDKUtil.java b/contentstack/src/main/java/com/contentstack/sdk/SDKUtil.java
index acf0723a..72cf092f 100755
--- a/contentstack/src/main/java/com/contentstack/sdk/SDKUtil.java
+++ b/contentstack/src/main/java/com/contentstack/sdk/SDKUtil.java
@@ -134,15 +134,15 @@ public static JSONObject getJsonFromCacheFile(File file) {
 * To encrypt given value.
 *
 * @param value string
- * @return MD5 value
+ * @return SHA-256 value
 */
- public String getMD5FromString(String value) {
+ public String getSHAFromString(String value) {
 String output;
 output = value.toString().trim();
 if (value.length() > 0) {
 try {
 // Create MD5 Hash
- MessageDigest digest = java.security.MessageDigest.getInstance("MD5");
+ MessageDigest digest = java.security.MessageDigest.getInstance("SHA-256");
 digest.reset();
 digest.update(output.getBytes());
 byte messageDigest[] = digest.digest();
From 01c5a7e25448f92128b692a8b031677af4758e83 Mon Sep 17 00:00:00 2001
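Review bot: `digest.update(output.getBytes())` still hashes with the platform default charset, so the SHA-256 value, and with it the cache file name, can differ between devices or JVMs for the same input; it should read `digest.update(output.getBytes(StandardCharsets.UTF_8));` with `java.nio.charset.StandardCharsets` imported. The comment `// Create MD5 Hash` and the Javadoc summary `To encrypt given value.` are both wrong after this change: the method computes a SHA-256 digest and encrypts nothing, so `// Build a SHA-256 digest of the trimmed input` and `Returns the SHA-256 digest of the given value, used as a cache key.` would match what the code does. Renaming the public `getMD5FromString` drops it from the SDK's API; if external callers are possible, a `@Deprecated` `getMD5FromString` delegating to `getSHAFromString` keeps them compiling, with its Javadoc saying the output changed. The byte-to-string conversion and the catch block of `getSHAFromString` continue outside the hunk.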
From: Abhinav Gupta
Date: Tue, 30 Jul 2024 16:17:43 +0530
Subject: [PATCH 2/2] fix: added transitive dependency constraints and updated sdk download link
---
 README.md | 2 +-
 contentstack/build.gradle | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 62856166..47498c8b 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ Or,
 To add the Contentstack Android SDK to your existing project manually, perform the steps given below:
-1. [Download the Android SDK](https://docs.contentstack.com/platforms/android/android_sdk_latest)
+1. [Download the Android SDK](https://github.com/contentstack/contentstack-android/archive/refs/heads/master.zip)
 and extract the ZIP file to your local disk.
 2. Add references/dependencies using Eclipse/Android Studio:
diff --git a/contentstack/build.gradle b/contentstack/build.gradle
index 3e96408e..9ff1611d 100755
--- a/contentstack/build.gradle
+++ b/contentstack/build.gradle
@@ -160,10 +160,25 @@ dependencies {
 implementation 'com.github.rjeschke:txtmark:0.12'
 // // Retrofit
 implementation("com.squareup.retrofit2:retrofit:2.9.0")
- implementation 'com.squareup.retrofit2:converter-gson:2.9.0'
+ implementation 'com.squareup.retrofit2:converter-gson'
 // // OkHttp
- implementation 'com.squareup.okhttp3:okhttp:4.9.3'
+ implementation 'com.squareup.okhttp3:okhttp'
 // implementation 'com.squareup.okhttp3:logging-interceptor:4.9.3'
+
+ constraints {
+ implementation('com.squareup.retrofit2:converter-gson:2.9.0') {
+ because 'gson 2.8.5 used by retrofit has a vulnerability'
+ }
+ implementation('com.google.code.gson:gson@2.8.9') {
+ because 'gson 2.8.5 used by retrofit has a vulnerability'
+ }
+ implementation('com.squareup.okhttp3:okhttp:4.9.3') {
+ because 'kotlin stdlib 1.4.10 used by okhttp has a vulnerability'
+ }
+ implementation('org.jetbrains.kotlin:kotlin-stdlib@1.6.0') {
+ because 'kotlin stdlib 1.4.10 used by okhttp has a vulnerability'
+ }
+ }
 }
 tasks.register('clearJar', Delete) { delete 'build/libs/contentstack.jar' }
 tasks.register('unzip', Copy) {
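Review bot: The two constraints that are supposed to lift the transitive versions carry no version: in Gradle's string notation `@` introduces the artifact extension, so `com.google.code.gson:gson@2.8.9` and `org.jetbrains.kotlin:kotlin-stdlib@1.6.0` declare gson and kotlin-stdlib without a version and nothing here forces them above the 2.8.5 and 1.4.10 the `because` texts complain about. They should read `implementation('com.google.code.gson:gson:2.8.9')` and `implementation('org.jetbrains.kotlin:kotlin-stdlib:1.6.0')`, and the resolved versions can be confirmed with `gradle dependencies` on the runtime classpath before merging. The `because` texts say only "has a vulnerability"; naming the advisory, e.g. `because 'gson 2.8.5 via retrofit: <ADVISORY-ID placeholder>'`, makes each pin auditable when a later upgrade asks whether it is still needed. The `converter-gson:2.9.0` and `okhttp:4.9.3` constraints restate the versions the removed direct lines already had, which is harmless but is not what fixes the transitives.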