Tags: android, security, android-volley, xss, checkmarx

Checkmarx reported REFLECTED_XSS_ALL_CLIENT for Volley


My project for an Android app uses Checkmarx to scan the source code for security issues. Checkmarx reports an issue with the Google Volley library. Here is the error description:

Method performRequest at line 89 of \app\libraries\volley\src\main\java\com\android\volley\toolbox\HurlStack.java gets user input for the getHeaders element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method parseNetworkResponse at line 61 of \app\libraries\volley\src\main\java\com\android\volley\toolbox\JsonArrayRequest.java. This may enable a Cross-Site-Scripting attack.

    // HurlStack.performRequest as shipped in Volley; the rest of the method is elided in the report.
    public HttpResponse performRequest(Request<?> request, Map<String, String> additionalHeaders)
            throws IOException, AuthFailureError {
        String url = request.getUrl();
        // Request-level headers are merged with the per-call headers; Checkmarx
        // treats the getHeaders() values as the untrusted source of the flow.
        HashMap<String, String> map = new HashMap<String, String>();
        map.putAll(request.getHeaders());
        map.putAll(additionalHeaders);
        ....
    }

It says the headers of the request are cached and later displayed to the users in JsonArrayRequest::parseNetworkResponse. However, I cannot find where it is displayed to the user at all. Is this a false alarm? And under what conditions may a Cross-Site-Scripting attack occur on an Android app? Does that only happen when you use a WebView?


Solution

  • Let me answer your last question first. Yes, almost only WebViews are affected by it. Another (less common) scenario can be if an XSS payload is saved into a file and later opened by a browser.

    HTTP headers are considered a valid vector for XSS, so it doesn't seem like a false alarm. Here are two resources for further reading:
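As an added illustration of the WebView condition described in the answer (this is example code, not part of the question, the answer, or the Volley project), the block below shows the same Volley response data reaching a WebView in two ways. The package, class, endpoint URL and the assumption that each JSON array element is a user comment are made up for the example; only the Volley, Android and org.json calls are real APIs.

```java
// Added example, not from the original post or from Volley. Package, class,
// endpoint and data shape are assumptions made for illustration.
package com.example.xssdemo;

import android.text.TextUtils;
import android.webkit.WebSettings;
import android.webkit.WebView;

import com.android.volley.RequestQueue;
import com.android.volley.Response;
import com.android.volley.VolleyError;
import com.android.volley.toolbox.JsonArrayRequest;

import org.json.JSONArray;

public final class CommentRenderer {

    // Assumed endpoint returning a JSON array of comment strings.
    private static final String COMMENTS_URL = "https://api.example.invalid/comments";

    private CommentRenderer() {}

    // VULNERABLE: server-controlled strings are concatenated straight into HTML
    // that a JavaScript-enabled WebView renders. A comment such as
    //   <img src=x onerror="alert(document.cookie)">
    // is parsed as markup and its script runs inside the app's WebView. The
    // network layer (HurlStack, parseNetworkResponse) is only the conduit; the
    // WebView is the actual XSS sink.
    public static void renderUnsafe(RequestQueue queue, final WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        JsonArrayRequest request = new JsonArrayRequest(
                COMMENTS_URL,
                new Response.Listener<JSONArray>() {
                    @Override
                    public void onResponse(JSONArray comments) {
                        StringBuilder html = new StringBuilder("<ul>");
                        for (int i = 0; i < comments.length(); i++) {
                            html.append("<li>").append(comments.optString(i)).append("</li>");
                        }
                        html.append("</ul>");
                        webView.loadDataWithBaseURL(null, html.toString(), "text/html", "UTF-8", null);
                    }
                },
                new Response.ErrorListener() {
                    @Override
                    public void onErrorResponse(VolleyError error) {
                        // error handling omitted for brevity
                    }
                });
        queue.add(request);
    }

    // HARDENED: every untrusted string is HTML-encoded before it is placed in
    // markup, and JavaScript stays disabled because this content never needs it.
    public static void renderSafe(RequestQueue queue, final WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        JsonArrayRequest request = new JsonArrayRequest(
                COMMENTS_URL,
                new Response.Listener<JSONArray>() {
                    @Override
                    public void onResponse(JSONArray comments) {
                        webView.loadDataWithBaseURL(null, toHtml(comments), "text/html", "UTF-8", null);
                    }
                },
                new Response.ErrorListener() {
                    @Override
                    public void onErrorResponse(VolleyError error) {
                        // error handling omitted for brevity
                    }
                });
        queue.add(request);
    }

    // Kept as a pure function so the encoding step can be unit-tested off-device:
    // TextUtils.htmlEncode turns <, >, &, " and ' into entities, so the payload
    // above is shown as literal text instead of being parsed as a tag.
    static String toHtml(JSONArray comments) {
        StringBuilder html = new StringBuilder("<ul>");
        for (int i = 0; i < comments.length(); i++) {
            html.append("<li>").append(TextUtils.htmlEncode(comments.optString(i))).append("</li>");
        }
        return html.append("</ul>").toString();
    }
}
```

If the app never hands response data to a WebView (or to a file that a browser later opens), the flow Checkmarx reports has no sink that can execute markup, and the finding can be documented as not exploitable in this code base; if it does, the encoding step in `toHtml` (or an equivalent contextual encoder) is what closes it.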