Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potentially Dangerous Function (unarchiveObjectWithFile) in Messaging Component #9816

Closed
grzegorzleszek opened this issue May 18, 2022 · 2 comments
Closed

Potentially Dangerous Function (unarchiveObjectWithFile) in Messaging Component #9816

grzegorzleszek opened this issue May 18, 2022 · 2 comments
Labels
api: inappmessaging Firebase In App Messaging
Milestone
9.2.0 - M117

Comments

@grzegorzleszek
Copy link

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 13.2.1
  • Firebase SDK version: 8.13.0
  • Installation method: Swift Package Manager
  • Firebase Component: Messaging
  • Target platform(s): iOS

[REQUIRED] Step 2: Describe the problem

Our security team scanned our code and dependencies for vulnerabilities and found Use of Potentially Dangerous Function (CWE-676). Is there a plan to migrate to new api?

Source: FIRIAMClearcutLogStorage.m:171, FIRIAMActivityLogger.m:155

Attack Vector: NSKeyedUnarchiver.unarchiveObjectWithFile:

Description: Use of an unsafe function that are either deprecated due to security concerns, such as not conforming to secure coding practices, can introduce a vulnerability.
Most, if not all, of these functions have been documented as unsafe and should not be used, as mentioned in the WWDC session 'Threat Modeling', and can be replaced with more recent API calls.

Steps to reproduce:

Go to linked files, please note use of unarchiveObjectWithFile:
FIRIAMClearcutLogStorage.m:171
FIRIAMActivityLogger.m:155

Relevant Code:

... = [NSKeyedUnarchiver unarchiveObjectWithFile:filePath];
@rizafran rizafran added api: inappmessaging Firebase In App Messaging and removed api: messaging labels May 18, 2022
@ryanwilson
Copy link
Member

Thanks for the report and specific links, @grzegorzleszek! Sounds reasonable to update the code to use replacement calls where possible. Note that the recommended calls are only available on iOS 11+ so we'll still need to keep the old calls around since we still support iOS 10 for CocoaPods - it just won't be used on the newer platforms.

rizafran added a commit to rizafran/firebase-ios-sdk that referenced this issue May 23, 2022
@rizafran
Changed unarchiveObjectWithFile with unarchivedObjectOfClass, added s…
385e2eb 
…upportsSecureCoding (firebase#9816)
@rizafran rizafran mentioned this issue May 23, 2022
Merged
ncooke3 pushed a commit that referenced this issue May 24, 2022
@rizafran
Change unarchiveObjectWithFile in FIAM to conform to the secure codin…
ba4bf76 
…g practices (#9834)

* Changed unarchiveObjectWithFile with unarchivedObjectOfClass, added supportsSecureCoding (#9816)

* Addressed review feedback

* Run style script

* Changed unarchivedObjectOfClass to unarchivedObjectOfClasses

* Added to changelog, changed NSArray to NSMutableArray
@rizafran
Copy link
Contributor

Hi @grzegorzleszek, the fix for this has been merged and the warnings should be resolved when building iOS 11+ in the next release (9.2.0).

@paulb777 paulb777 added this to the 9.2.0 - M117 milestone May 24, 2022
@firebase firebase locked and limited conversation to collaborators Jun 24, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
api: inappmessaging Firebase In App Messaging
Projects
None yet
Milestone
9.2.0 - M117
Development

No branches or pull requests
5 participants
@paulb777 @ryanwilson @grzegorzleszek @google-oss-bot @rizafran