Description
We use Fortify to detect vulnerabilities, and in RCNConfigDBManager.m the method loadMetadataTableWithBundleIdentifier:namespace: writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
Before serializing to JSON, a check must be performed to verify that any untrusted data is properly delimited and escaped.
Reproducing the issue
We reproduce this issue with the latest SDK version.
Firebase SDK Version
10.9
Xcode Version
15.3
Installation Method
CocoaPods
Firebase Product(s)
Remote Config
Targeted Platforms
iOS
Relevant Log Output
No response
If using Swift Package Manager, the project's Package.resolved
No response
If using CocoaPods, the project's Podfile.lock
No response
There are no calls to NSJSONSerialization in the loadMetadataTableWithBundleIdentifier:namespace: method. Other JSON serialization calls in this method serialize and deserialize configs that are fetched from Firebase, and use those configs for not particularly sensitive operations (rollouts and personalization). Can you describe what exactly the vulnerability is here?
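An added example, not code from firebase-ios-sdk, that shows the difference the reporter's check is about: a constructed untrusted value (`kUntrusted`) concatenated into a JSON string changes the object's structure, while the same value written through NSJSONSerialization is escaped and stays a plain string. The `namespace` key and the helper names are assumptions made for the illustration.

```objc
// Added example (not code from firebase-ios-sdk): shows why writing
// untrusted values through NSJSONSerialization neutralises JSON injection,
// while hand-built JSON strings do not. Build with:
//   clang -framework Foundation json_escape_demo.m -o json_escape_demo
#import <Foundation/Foundation.h>

// Constructed untrusted value: a config string that tries to smuggle an
// extra key into the surrounding object.
static NSString *const kUntrusted = @"value\", \"injected\": true, \"x\": \"";

// Naive approach: string concatenation. The untrusted value is not escaped,
// so its embedded quotes change the JSON structure.
static NSData *NaiveJSON(NSString *untrusted) {
  NSString *s = [NSString stringWithFormat:@"{\"namespace\": \"%@\"}", untrusted];
  return [s dataUsingEncoding:NSUTF8StringEncoding];
}

// Correct approach: hand the value to NSJSONSerialization, which escapes
// quotes, backslashes and control characters as it writes the string.
static NSData *SerializedJSON(NSString *untrusted, NSError **error) {
  NSDictionary *object = @{@"namespace" : untrusted};
  return [NSJSONSerialization dataWithJSONObject:object options:0 error:error];
}

// Check: decode the bytes and confirm the object has exactly the keys we
// intended. Any extra key means the untrusted value broke out of its string.
static BOOL HasOnlyExpectedKeys(NSData *json, NSSet<NSString *> *expected) {
  id decoded = [NSJSONSerialization JSONObjectWithData:json options:0 error:NULL];
  if (![decoded isKindOfClass:[NSDictionary class]]) return NO;
  return [[NSSet setWithArray:[decoded allKeys]] isEqualToSet:expected];
}

int main(int argc, const char *argv[]) {
  @autoreleasepool {
    NSSet<NSString *> *expected = [NSSet setWithObject:@"namespace"];
    NSData *naive = NaiveJSON(kUntrusted);
    NSLog(@"naive:      %@", [[NSString alloc] initWithData:naive encoding:NSUTF8StringEncoding]);
    NSLog(@"naive ok:   %d", HasOnlyExpectedKeys(naive, expected));

    NSError *error = nil;
    NSData *safe = SerializedJSON(kUntrusted, &error);
    NSLog(@"serialized: %@", [[NSString alloc] initWithData:safe encoding:NSUTF8StringEncoding]);
    NSLog(@"safe ok:    %d", HasOnlyExpectedKeys(safe, expected));
  }
  return 0;
}
```

The same decode-and-compare check is a cheap way to triage a static-analysis finding of this kind: if every write path goes through the serializer, the injected key never appears.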
Hey @piars777. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.
If you have more information that will help us get to the bottom of this, just add a comment!