Data injection vulnerability #12789

Closed
piars777 opened this issue Apr 15, 2024 · 4 comments

Comments

@piars777

Description

We use Fortify to detect vulnerabilities, and in RCNConfigDBManager.m, the method loadMetadataTableWithBundleIdentifier:namespace:() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
Before serializing to JSON, a check must be performed to verify that any untrusted data is properly delimited and escaped.

Reproducing the issue

We reproduce this issue with the last SDK version.

Firebase SDK Version

10.9

Xcode Version

15.3

Installation Method

CocoaPods

Firebase Product(s)

Remote Config

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

No response

If using CocoaPods, the project's Podfile.lock

No response

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@morganchen12
Contributor

There are no calls to NSJSONSerialization in the loadMetadataTableWithBundleIdentifier:namespace: method. Other JSON serialization calls in this method serialize and deserialize configs that are fetched from Firebase, and use those configs for not particularly sensitive operations (rollouts and personalization). Can you describe what exactly the vulnerability is here?
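
Added example, not part of this thread and not Firebase code: a stand-alone Objective-C program for triaging a scanner's "JSON injection" finding. It contrasts JSON built by string formatting with the same object built through NSJSONSerialization, which escapes string values. The helper names, the `label`/`enabled` keys and the sample value are hypothetical and constructed for illustration.

```objective-c
// Added example (hypothetical names throughout). Build on macOS:
//   clang -fobjc-arc -framework Foundation demo.m -o demo
#import <Foundation/Foundation.h>

// Hypothetical helper: builds JSON text by string formatting, with no escaping
// of the interpolated value. This is the pattern an injection finding is about.
static NSString *ConcatJSON(NSString *value) {
  return [NSString stringWithFormat:@"{\"label\":\"%@\",\"enabled\":false}", value];
}

// Hypothetical helper: builds the same object through NSJSONSerialization,
// which quotes and escapes string values itself.
static NSString *SerializedJSON(NSString *value) {
  NSDictionary *obj = @{@"label" : value, @"enabled" : @NO};
  if (![NSJSONSerialization isValidJSONObject:obj]) return nil;
  NSData *data = [NSJSONSerialization dataWithJSONObject:obj options:0 error:NULL];
  return data ? [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding] : nil;
}

// Parses JSON text; returns nil unless the top-level value is an object.
static NSDictionary *ParseObject(NSString *json) {
  NSData *data = [json dataUsingEncoding:NSUTF8StringEncoding];
  if (!data) return nil;
  id obj = [NSJSONSerialization JSONObjectWithData:data options:0 error:NULL];
  return [obj isKindOfClass:[NSDictionary class]] ? obj : nil;
}

int main(void) {
  @autoreleasepool {
    // Constructed sample value containing JSON metacharacters.
    NSString *untrusted = @"abc\",\"injected\":\"1";

    NSDictionary *concatenated = ParseObject(ConcatJSON(untrusted));
    NSDictionary *serialized = ParseObject(SerializedJSON(untrusted));

    // Compare the key sets each construction yields after a round trip.
    NSLog(@"string-formatted keys: %@", [concatenated allKeys]);
    NSLog(@"serializer keys:       %@", [serialized allKeys]);

    // With the serializer, the value must come back byte-for-byte as data.
    BOOL intact = [serialized[@"label"] isEqualToString:untrusted];
    NSLog(@"serializer preserved value as a single string: %@", intact ? @"YES" : @"NO");
  }
  return 0;
}
```

When reviewing such a finding, check which of the two construction patterns the flagged call site actually uses, and where the interpolated values originate.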

@google-oss-bot

Hey @piars777. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

@google-oss-bot

Since there haven't been any recent updates here, I am going to close this issue.

@piars777 if you're still experiencing this problem and want to continue the discussion just leave a comment here and we are happy to re-open this.
