Possible SQL Injection in FIRMessagingRmqManager.m #14846
Assignees
Labels
Comments
|
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight. |
|
I don't think this is actually a vulnerability because the rmqID is not a user input. It's generated by Google. But still, I will create a PR to bind the rmqID, instead of using stringWithFormat. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
FirebaseMessaging/Sources/FIRMessagingRmqManager.mcontains a possible SQL injection:querySyncMessageWithRmqIDconstructs a query with armqIDString, which is supplied from the calling method. Following a possible call stack backwards, this can be an arbitrary message in the call toFirMessaging.appDidReceiveMessage. If input from the user of the app, or other external input is used as message here, this can lead to arbitrary SQL Injection.The code suggests that this uses a prepared statement via
sqlite3_prepare_v2, but this is not the case, as the query with the SQLi is constructed in the stringWithFormat in the preceding line.Reproducing the issue
No response
Firebase SDK Version
10.9
Xcode Version
15.3
Installation Method
Swift Package Manager
Firebase Product(s)
All
Targeted Platforms
All
Relevant Log Output
If using Swift Package Manager, the project's Package.resolved
Expand
Package.resolvedsnippetReplace this line with the contents of your Package.resolved.If using CocoaPods, the project's Podfile.lock
Expand
Podfile.locksnippetReplace this line with the contents of your Podfile.lock!The text was updated successfully, but these errors were encountered: