Potentially Dangerous Function (unarchiveObjectWithFile) in Messaging Component #9816
Comments
Thanks for the report and specific links, @grzegorzleszek! Sounds reasonable to update the code to use replacement calls where possible. Note that the recommended calls are only available on iOS 11+ so we'll still need to keep the old calls around since we still support iOS 10 for CocoaPods - it just won't be used on the newer platforms.
…upportsSecureCoding (firebase#9816)
Hi @grzegorzleszek, the fix for this has been merged and the warnings should be resolved when building iOS 11+ in the next release (9.2.0).
[REQUIRED] Step 1: Describe your environment
Swift Package Manager
iOS
[REQUIRED] Step 2: Describe the problem
Our security team scanned our code and dependencies for vulnerabilities and found Use of Potentially Dangerous Function (CWE-676). Is there a plan to migrate to the new API?
Source: FIRIAMClearcutLogStorage.m:171, FIRIAMActivityLogger.m:155
Attack Vector: NSKeyedUnarchiver.unarchiveObjectWithFile:
Description: Use of unsafe functions that are deprecated due to security concerns, such as not conforming to secure coding practices, can introduce a vulnerability.
Most, if not all, of these functions have been documented as unsafe and should not be used, as mentioned in the WWDC session 'Threat Modeling', and can be replaced with more recent API calls.
Steps to reproduce:
Go to linked files, please note use of unarchiveObjectWithFile:
FIRIAMClearcutLogStorage.m:171
FIRIAMActivityLogger.m:155
Relevant Code:
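The migration discussed in this thread, sketched as an added example (not code from the issue or from the Firebase SDK): a class-restricted `NSSecureCoding` load on iOS 11+ with the legacy `unarchiveObjectWithFile:` call kept only as the iOS 10 fallback. `ExampleLogRecord`, its keys and `ExampleLoadRecords` are hypothetical names.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical record type for illustration; not a Firebase class.
@interface ExampleLogRecord : NSObject <NSSecureCoding>
@property(nonatomic, copy) NSString *messageID;
@property(nonatomic) NSInteger timestamp;
@end

@implementation ExampleLogRecord
+ (BOOL)supportsSecureCoding { return YES; }

- (void)encodeWithCoder:(NSCoder *)coder {
  [coder encodeObject:self.messageID forKey:@"messageID"];
  [coder encodeInteger:self.timestamp forKey:@"timestamp"];
}

- (instancetype)initWithCoder:(NSCoder *)coder {
  if ((self = [super init])) {
    // Class-checked decode: a value archived as any other class is rejected.
    _messageID = [[coder decodeObjectOfClass:[NSString class] forKey:@"messageID"] copy];
    _timestamp = [coder decodeIntegerForKey:@"timestamp"];
  }
  return self;
}
@end

// Hypothetical helper: loads an archived array of records from `path`.
static NSArray<ExampleLogRecord *> *ExampleLoadRecords(NSString *path) {
  if (@available(iOS 11.0, *)) {
    NSError *error = nil;
    NSData *data = [NSData dataWithContentsOfFile:path options:0 error:&error];
    if (data == nil) return @[];
    // Only these classes may be instantiated while decoding the file.
    NSSet *allowed = [NSSet setWithObjects:[NSArray class], [ExampleLogRecord class], nil];
    NSArray *records = [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed
                                                           fromData:data
                                                              error:&error];
    if (records == nil) NSLog(@"Rejected archive at %@: %@", path, error);
    return records ?: @[];
  } else {
    // iOS 10 fallback: no class allow-list is enforced during decoding here.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
    id object = [NSKeyedUnarchiver unarchiveObjectWithFile:path];
#pragma clang diagnostic pop
    return [object isKindOfClass:[NSArray class]] ? object : @[];
  }
}
```

The `isKindOfClass:` check in the fallback only validates the result after decoding has already run, so the iOS 10 path keeps the original exposure.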