Skip to content

Bind rmqID instead of using stringWithFormat. #14856

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 15, 2025
Merged

Bind rmqID instead of using stringWithFormat. #14856

merged 2 commits into from
May 15, 2025

Conversation

leojaygoogle
Copy link
Contributor

@leojaygoogle leojaygoogle commented May 14, 2025
edited
Loading

When populating SQL queries to find messages by ID, stringWithFormat is currently being used.

firebase-ios-sdk/FirebaseMessaging/Sources/FIRMessagingRmqManager.m

Lines 280 to 287 in 1deb75c

NSString *queryFormat = @"SELECT %@ FROM %@ WHERE %@ = '%@'";
NSString *query =
[NSString stringWithFormat:queryFormat,
kSyncMessagesColumns, // SELECT (rmq_id, expiration_ts,
// apns_recv, mcs_recv)
kTableSyncMessages, // FROM sync_rmq
kRmqIdColumn, // WHERE rmq_id
rmqID];

This is a potential SQL injection vulnerability. Even though it's very unlikely to be exploited since the rmqID is not user input, but a Google generated ID, we should follow best practices and use sqlite3_bind_text to bind the value instead.

This PR introduces no behavioral changes. It just changes how the SQL query is populated.
#14846.

@gemini-code-assist Gemini Code Assist
Copy link
Contributor

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

ncooke3
ncooke3 approved these changes May 14, 2025
View reviewed changes
Copy link
Member

@ncooke3 ncooke3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@ncooke3 ncooke3 linked an issue May 14, 2025 that may be closed by this pull request
Possible SQL Injection in FIRMessagingRmqManager.m #14846
Closed
@ncooke3
Copy link
Member

ncooke3 commented May 14, 2025

Could you also please add a changelog entry that references the original issue?

ncooke3
ncooke3 approved these changes May 15, 2025
View reviewed changes
Copy link
Member

@ncooke3 ncooke3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@leojaygoogle leojaygoogle merged commit 7b9899b into main May 15, 2025
57 checks passed
@leojaygoogle leojaygoogle deleted the rmq branch May 15, 2025 19:16
@github-actions github-actions bot mentioned this pull request Jun 4, 2025
Merged
cherylEnkidu pushed a commit that referenced this pull request Jun 30, 2025
@leojaygoogle @cherylEnkidu
Bind rmqID instead of using stringWithFormat. (#14856)
79f584a
@firebase firebase locked and limited conversation to collaborators Jul 17, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ncooke3 ncooke3 ncooke3 approved these changes

Assignees
No one assigned
Labels
api: messaging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Possible SQL Injection in FIRMessagingRmqManager.m
3 participants
@leojaygoogle @ncooke3 @google-oss-bot