google / google-api-objectivec-client-for-rest

Google APIs Client Library for Objective-C for REST


Insecure API when using in React Native iOS app

master4-2021 opened this issue · comments

There are some insecure APIs that exist in this repository that Apple considered insecure and recommended not using:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1

These are reported when using Mobile Security Framework (https://github.com/MobSF/Mobile-Security-Framework-MobSF) to scan the IPA.

strlen:

NSInteger inputLength = (NSInteger)strlen(cString);

size_t baseNameLen = strlen(baseName);

size_t propNameLen = strlen(propName);

I understand that the use of these functions does not definitely lead to security issues, but I want to bring this to your attention and check whether these are safe to use within our application.

The GTLRBase64.m call is fine; this is in some UTF-8 conversion code from Foundation. If someone wants to look at submitting a PR, it might be possible to tweak it to do the conversion and get the length at the same time.

The two calls in GTLRRuntimeCommon.m are from APIs that only vend C strings, so strlen is the correct call and the way the value is used is correct.
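For the case a scanner like MobSF is worried about, where the caller owns a fixed-size buffer and cannot prove it is NUL-terminated, the defensive pattern is a bounded scan that refuses unterminated input instead of reading past the buffer. The following is an added C example written for this thread, not code from the google-api-objectivec-client-for-rest project; `bounded_cstr_len` and `demo` are hypothetical names and the sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Bounded alternative to strlen(): computes the length of a C string that is
 * expected to be NUL-terminated within `cap` bytes. memchr() never reads
 * beyond `cap`, so a missing terminator cannot turn into an over-read.
 * Returns false when no terminator is found within cap bytes (the input is
 * not a valid C string for this buffer), true and the length otherwise.
 * Hypothetical helper, not part of GTLR. */
bool bounded_cstr_len(const char *s, size_t cap, size_t *out_len) {
    if (s == NULL || out_len == NULL) {
        return false;
    }
    const char *nul = memchr(s, '\0', cap);
    if (nul == NULL) {
        return false;  /* unterminated within cap: refuse rather than overrun */
    }
    *out_len = (size_t)(nul - s);
    return true;
}

/* Constructed samples: a properly terminated string, standing in for a
 * name vended by a runtime API (the GTLRRuntimeCommon.m situation, where
 * plain strlen is correct), and a fixed-size buffer with no terminator,
 * which strlen() would read past and the bounded check rejects. */
int demo(void) {
    const char *prop_name = "accessToken";             /* constructed, 11 bytes */
    char raw[8] = {'a','b','c','d','e','f','g','h'};   /* constructed, no NUL */
    size_t n = 0;
    int ok_cases = 0;
    if (bounded_cstr_len(prop_name, 64, &n) && n == 11) ok_cases++;
    if (!bounded_cstr_len(raw, sizeof raw, &n)) ok_cases++;
    return ok_cases;  /* 2 when both checks behave as described */
}
```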