DataDog / dd-sdk-flutter

Flutter bindings and tools for utilizing Datadog Mobile SDKs
Apache License 2.0

On iOS the Runner has the user and folder location where it was generated #630

Closed cancio952 closed 1 month ago

cancio952 commented 3 months ago

Describe the bug

Raised by a security scan: they found embedded in the Runner the location of the library on the local machine

/User/axcUser/Projects/ /DatadogCrashReporting/Source/CrashContext/CrashContextProvider.swift
/User/axcUser/Projects/ /DatadogCrashReporting/Source/CrashReportingFeature.swift

This can be a security issue because a hacker can find the user info of the developer in the code of the Runner

Reproduction steps

Build a Runner ipa on the device running the command:

flutter build ipa --no-codesign --release --flavor prod --dart-define-from-file= --dart-define=flutter.memory_allocations=true --obfuscate

SDK logs

No response

Expected behavior

To not expose the user who generated it or the path

Affected SDK versions

2.4.0

Latest working SDK version

No response

Did you confirm if the latest SDK version fixes the bug?

Yes

Flutter Version

3.16.9

Setup Type

No response

Device Information

No response

Other relevant information

No response

fuzzybinary commented 3 months ago

Hi @cancio952

Can you fill out your Steps to Reproduce a bit better? As a potential bad actor, how would I get this information from a built IPA?

Is this specific to our SDK, or something you can reproduce in other Flutter applications?

cancio952 commented 3 months ago

Hi, yes.

If you generate the .ipa file and decompress it, you can see the path where it was generated:

Step 1: change the extension of the .ipa to .zip
Step 2: extract the .zip
Step 3: then go to the extracted folder *.ipa/Payload/Runner.app/Runner
Step 4: run the command below

$ strings Runner | grep '/User/'

This data can typically be found by scanning the binary for strings. For example, to find potential user paths the following command can be used:

$ strings Runner | grep '/User/'

If you generate the app in the user folder, you will be able to see it using this command.

Regards
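A scripted form of the check described in this comment, added here as an example and not part of the original thread or of the dd-sdk-flutter project. It generalises the grep above to the /Users/ and /home/ prefixes as well as the /User/ prefix shown in the issue, extracts the leaked account names, and returns a non-zero status so a CI step can fail the build; the sample file it creates is constructed and stands in for the Runner binary.

```shell
#!/bin/sh
# Added example, not code from the dd-sdk-flutter project: a build-time check that a
# compiled binary (e.g. Payload/Runner.app/Runner from an unzipped .ipa) carries no
# absolute paths from the build machine's home directory.
# Uses tr+grep instead of `strings` so it runs wherever coreutils are present.

# Home-directory prefixes to look for: macOS /Users/, Linux /home/, and the /User/
# spelling quoted in the issue. Followed by an account name and the rest of the path.
PREFIX_RE='/(Users|User|home)/[^/[:space:]]+/[^[:space:]]*'

# Print each embedded home-directory path once (NUL and other non-printables
# become line breaks, so every printable run is scanned as one string).
scan_home_paths() {
    tr -c '[:print:]' '\n' < "$1" | grep -oE "$PREFIX_RE" | sort -u
}

# Print the account names that appear in those paths (the second path component).
leaked_usernames() {
    scan_home_paths "$1" | sed -E 's#^/(Users|User|home)/([^/]+)/.*#\2#' | sort -u
}

# Exit 0 when the binary is clean, 1 when any home-directory path is embedded.
check_binary() {
    if scan_home_paths "$1" | grep -q .; then
        echo "leaked build paths in $1 for account(s): $(leaked_usernames "$1" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample standing in for a Mach-O binary: NUL-separated strings, one of
# them the path quoted in the issue, one for a second (made-up) account, one benign.
make_sample_binary() {
    f=$(mktemp)
    printf 'junk\000/User/axcUser/Projects/DatadogCrashReporting/Source/CrashContext/CrashContextProvider.swift\000' > "$f"
    printf 'other\000/Users/jdoe/dev/app/lib/main.dart\000/usr/lib/libSystem.B.dylib\000' >> "$f"
    echo "$f"
}

# Usage: sh check_paths.sh Payload/Runner.app/Runner
if [ -n "${1:-}" ]; then
    check_binary "$1"
fi
```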

AMarturelo commented 3 months ago

That happens to me too. When doing a text string search in the binary, these two classes are exposed. The security problem is not in the exposed classes. Otherwise, in the path, the user of the session that generated the artifact clearly appears.

fuzzybinary commented 2 months ago

This is part of the iOS SDK and fixed with https://github.com/DataDog/dd-sdk-ios/pull/1938

It will be part of the next Flutter SDK release.

fuzzybinary commented 1 month ago

This should be fixed in 2.7.0 with the inclusion of the iOS SDK 2.15.0.