Possible SQL Injection in FIRMessagingRmqManager.m #14846

Closed
@titze

Description

FirebaseMessaging/Sources/FIRMessagingRmqManager.m contains a possible SQL injection:

querySyncMessageWithRmqID constructs a query with an rmqID string, which is supplied from the calling method. Following a possible call stack backwards, this can be an arbitrary message in the call to FirMessaging.appDidReceiveMessage. If input from the user of the app, or other external input, is used as the message here, this can lead to arbitrary SQL injection.

The code suggests that this uses a prepared statement via sqlite3_prepare_v2, but this is not the case, as the query with the SQLi is constructed in the stringWithFormat in the preceding line.

Reproducing the issue

No response

Firebase SDK Version

10.9

Xcode Version

15.3

Installation Method

Swift Package Manager

Firebase Product(s)

All

Targeted Platforms

All
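
The pattern the report describes, next to a bound-parameter version, as an added example that is not part of the original issue and is not Firebase code. The table `sync_messages`, the column `rmq_id`, the helper names and the input string are hypothetical, constructed for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// Hypothetical table and column names; this is not the Firebase schema.
static int CountFormatted(sqlite3 *db, NSString *rmqID) {
  // Pattern from the issue: the ID is spliced into the SQL text before
  // sqlite3_prepare_v2 runs, so the statement is compiled with it as SQL.
  NSString *sql = [NSString stringWithFormat:
      @"SELECT COUNT(*) FROM sync_messages WHERE rmq_id = '%@'", rmqID];
  sqlite3_stmt *stmt = NULL;
  int n = -1;
  if (sqlite3_prepare_v2(db, sql.UTF8String, -1, &stmt, NULL) == SQLITE_OK &&
      sqlite3_step(stmt) == SQLITE_ROW) {
    n = sqlite3_column_int(stmt, 0);
  }
  sqlite3_finalize(stmt);  // finalizing NULL is a harmless no-op
  return n;
}

static int CountBound(sqlite3 *db, NSString *rmqID) {
  // Constant SQL text; the ID is bound as data and is never parsed as SQL.
  const char *sql = "SELECT COUNT(*) FROM sync_messages WHERE rmq_id = ?";
  sqlite3_stmt *stmt = NULL;
  int n = -1;
  if (sqlite3_prepare_v2(db, sql, -1, &stmt, NULL) == SQLITE_OK &&
      sqlite3_bind_text(stmt, 1, rmqID.UTF8String, -1, SQLITE_TRANSIENT) == SQLITE_OK &&
      sqlite3_step(stmt) == SQLITE_ROW) {
    n = sqlite3_column_int(stmt, 0);
  }
  sqlite3_finalize(stmt);
  return n;
}

int main(void) {
  @autoreleasepool {
    sqlite3 *db = NULL;
    if (sqlite3_open(":memory:", &db) != SQLITE_OK) return 1;
    sqlite3_exec(db, "CREATE TABLE sync_messages (rmq_id TEXT);"
                     "INSERT INTO sync_messages VALUES ('a1'), ('b2');",
                 NULL, NULL, NULL);
    NSString *constructed = @"x' OR '1'='1";  // constructed input, matches no stored ID
    NSLog(@"formatted: %d", CountFormatted(db, constructed));
    NSLog(@"bound:     %d", CountBound(db, constructed));
    sqlite3_close(db);
  }
  return 0;
}
```

With the formatted query the quote in the input closes the string literal and the rest is evaluated as part of the WHERE clause; with the bound query the whole input is compared as a single value.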
