Closed Nookaraju closed 4 years ago
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
Action items for the Analytics team:
Actually it's Installations, not Analytics - reassigned.
@Nookaraju Thank you for the report.
-[FIRInstallationsIIDStore sha1WithData:] method is used only once per application installation to migrate data from legacy Firebase Instance ID storage. I can confirm that SHA1 hash function was never used for encryption in either the legacy Firebase Instance ID SDK or Firebase Installations SDK. So feel free to ignore this particular warning.
apm_MD5Data method defined in Analytics SDK.
@allenktv, @htcgh Could you confirm if it is an actual security issue?
For Analytics: apm_MD5Data method is used only to calculate fingerprints for uniqueness. User inputs are also sanitized for the SQL database.
@allenktv are you saying the issue (App Embeds SQL Query with Dynamic Input References) is not an issue?
@Nookaraju I'm afraid the SQL issue slipped from our attention. Sorry about that and thank you for bringing this up again. Let us evaluate the potential issue again.
@Nookaraju Thanks for the report. Due to the closed source, we can't show you where and how the code sanitizes. To clarify @allenktv's comment, the %@ is only for hard-coded strings (table names, column names) so that we can reuse the code internally. All user inputs are validated, sanitized and bound appropriately for each query. We have been through a security audit of the source code before releasing.
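The distinction drawn in the comment above, as an added example that is not Firebase's code (the SDK is closed source): identifier slots are filled only from hard-coded names, while user values stay behind `?` and are bound. Python's `sqlite3` stands in for the SDK's database layer, `{}` plays the role of `%@`, and the table, columns, allowlists and helper names are assumptions.

```python
import sqlite3

# Assumed allowlists: the only identifiers that may ever reach the template.
ALLOWED_TABLES = {"events"}
ALLOWED_COLUMNS = {"name", "payload"}

def build_select(table, column):
    """Fill identifier slots (the thread's %@) from hard-coded names only."""
    if table not in ALLOWED_TABLES or column not in ALLOWED_COLUMNS:
        raise ValueError("identifier not in allowlist")
    # The value slot stays a '?' placeholder; it is never formatted in.
    return 'SELECT rowid FROM "{}" WHERE "{}" = ?'.format(table, column)

def find_rowids(conn, table, column, value):
    """Run the templated query with the user value bound, not concatenated."""
    sql = build_select(table, column)
    return [row[0] for row in conn.execute(sql, (value,))]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (name TEXT, payload TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [("login", "a"), ("purchase", "b")])
    hostile = "login' OR '1'='1"  # constructed sample input
    results = {
        "normal": find_rowids(conn, "events", "name", "login"),
        # Bound values are compared as data, so this matches no row.
        "hostile_value": find_rowids(conn, "events", "name", hostile),
    }
    try:
        find_rowids(conn, "events; DROP TABLE events", "name", "x")
        results["bad_identifier"] = "accepted"
    except ValueError:
        results["bad_identifier"] = "rejected"
    results["rows_left"] = conn.execute(
        "SELECT COUNT(*) FROM events").fetchone()[0]
    return results

if __name__ == "__main__":
    print(demo())
```

A static scanner sees only the template string, so it flags both slots alike; whether a finding matters depends on whether any formatted slot can carry user input.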
Closing this based on @baolocdo's comment. Please let us know if you find any more security warnings.
[REQUIRED] Step 1: Describe your environment
[REQUIRED] Step 2: Describe the problem
We are using Firebase Analytics in our apps and there are a couple of security vulnerability issues found by our App Security Scanner (Data Theorem).
Steps to reproduce:
App Embeds SQL Query with Dynamic Input References:
SELECT rowid, FROM %@ WHERE %@
CREATE TABLE IF NOT EXISTS %@ (
SELECT rowid, FROM %@ WHERE %@ = ?
INSERT INTO %@ SELECT * FROM %@
UPDATE %@ SET %@ WHERE %@=?
About 12 more findings with dynamic queries
Hash Generated Using Broken Cryptography API (SHA1) References: -[FIRInstallationsIIDStore sha1WithData:] calls _CC_SHA1()
Message Digest Generated Using Broken Cryptography API [$_Unknown_Class (MD5) apm_MD5Data] calls _CC_MD5()
Relevant Code: