issue #1057 Parsing/decrypting of complex PGP messages in Kotlin

[IvanPizhenko]

This PR introduces native Kotlin-base processing of the complex email messages

close #1057

• Tests added

---

To be filled by reviewers

I have reviewed that this PR... (tick whichever items you personally focused on during this review):

• addresses the issue it closes (if any)
• code is readable and understandable
• is accompanied with tests, or tests are not needed
• is free of vulnerabilities

[IvanPizhenko]

@tomholub I can see some Snyk tests failed, however I can't see what exactly. Please check.

[seisvelas]

@IvanPizhenko Sorry to answer a question not directed at me, but I checked on Snyk and it appears this PR introduces a vulnerable dependency. Specifically, com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1, which is introduced here:

flowcrypt-android/FlowCrypt/build.gradle

Line 459 in 0c43360

implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1'

Depends on a version of com.google.guava which suffers an Information Disclosure vulnerability (you can learn more about how this specific vuln works / can be exploited in Guava here: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415)

The codebase on https://github.com/OWASP/java-html-sanitizer has actually updated to a non-vulnerable Guava version (here: OWASP/java-html-sanitizer@ad287c3), but there hasn't been a release in quite some time which is why we're having this problem.

The actual vulnerability is that files used in the temp dir created via Guava's createTempDir are readable by all users on the system. Upon deeper inspection, it appears owasp-java-html-sanitizer doesn't even use the vulnerable method, so in practice we should be safe.

Consequently, I've told Snyk to skip this check and mark it as passed.

[tomholub]

Thank you Alex for looking into this 👍

[tomholub]

Thanks! So far only reviewed the tests. Sorry if the answer is obvious.

[tomholub]

Approximately 14 test files (.txt) were added below, but this test is using only a handful of them. Where are they being loaded and used?

[IvanPizhenko]

All these files should be used in the tests here.

[IvanPizhenko]

Looks like mime-email-*.txt are not used. Will remove them

[DenBond7]

@IvanPizhenko Please look at my comments. I didn't try your realization yet but it will be a start point of the final migration. On the current stage it's hard to say what is good or not good.

[DenBond7]

unfortunately, we can't use Throwable in Parcelable implementation in data classes. We can't compare Throwable instance here. That's why some of JUnit tests were failed.

[tomholub]

This PR is pretty massive 👀 which reflects the issue is a complicated one. It looks good. On my end, I mainly want to make sure that all provided test cases are indeed tested (see earlier question) and if not, that we file an issue to test all soon.

[tomholub]

I wonder if the conversion to String can fail with an exception if we give it arbitrary bytes that are non-ascii. If it can fail by throwing, we should catch the error and return false.

[IvanPizhenko]

Did the small test:

import java.nio.charset.StandardCharsets
import java.util.Locale

fun main() {
    val a = ByteArray(256)
    for (i in 0..255) a[i] = i.toByte()
    val s = a.toString(StandardCharsets.US_ASCII).toLowerCase(Locale.ROOT)
    println(s)
}

Works for all source byte values.

[tomholub]

@IvanPizhenko Please look at my comments. I didn't try your realization yet but it will be a start point of the final migration. On the current stage it's hard to say what is good or not good.

As long as it passes the supplied test cases, then it's well good enough. Of course, some adjustments will be needed once you start integrating, but if we confirm that supplied test cases pass the way they do on TypeScript code (and code style stuff gets adjusted) then this is perfectly fine for merging even if we didn't try to integrate it yet.

[IvanPizhenko]

@IvanPizhenko Sorry to answer a question not directed at me, but I checked on Snyk and it appears this PR introduces a vulnerable dependency. Specifically, com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1, which is introduced here:

flowcrypt-android/FlowCrypt/build.gradle

Line 459 in 0c43360

implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1'

Depends on a version of com.google.guava which suffers an Information Disclosure vulnerability (you can learn more about how this specific vuln works / can be exploited in Guava here: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415)

The codebase on https://github.com/OWASP/java-html-sanitizer has actually updated to a non-vulnerable Guava version (here: OWASP/java-html-sanitizer@ad287c3), but there hasn't been a release in quite some time which is why we're having this problem.

The actual vulnerability is that files used in the temp dir created via Guava's createTempDir are readable by all users on the system. Upon deeper inspection, it appears owasp-java-html-sanitizer doesn't even use the vulnerable method, so in practice we should be safe.

Consequently, I've told Snyk to skip this check and mark it as passed.

Thanks Alex!

[DenBond7]

@IvanPizhenko I've added some changes to fix tests

[tomholub]

I've reviewed the changes and they look good. I'll still give it a review regarding the test cases, then can merge.

[tomholub]

This file is not used anywhere that I can find

[tomholub]

This file is not used anywhere that I can find