Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of potentially dangerous functions #2785

Open
4 tasks
philipphofmann opened this issue Mar 13, 2023 · 9 comments
Open
4 tasks

Use of potentially dangerous functions #2785

philipphofmann opened this issue Mar 13, 2023 · 9 comments
Labels
Platform: Cocoa

Comments

@philipphofmann
Copy link
Member

philipphofmann commented Mar 13, 2023
edited by armcknight
Loading

Description

A customer reported that their security vulnerability tool reported our repository has the following security issue: CWE-676, which stands for the use of potentially dangerous functions.

For all tasks, we should check if we should do this quickly. If replacing is a bit complicated, needs refactoring to make things testable, we should reconsider the priority.

Clarified fixes for dangerous functions:

The following usage functions need clarification:

  • memcpy - what are the downsides? Should we replace their usage?
  • sscanf - Maybe replace it with safer scanf_s?
  • strlen - you do not know the size of the original source buffer when using it. Is there a safer API?
  • calloc - Should we replace our usages with malloc?
@philipphofmann philipphofmann moved this from Needs Discussion to Needs Investigation in Mobile & Cross Platform SDK Mar 13, 2023
@philipphofmann philipphofmann moved this from Needs Investigation to Backlog in Mobile & Cross Platform SDK Mar 15, 2023
@github-actions
Copy link

github-actions bot commented Apr 6, 2023

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@armcknight armcknight mentioned this issue May 31, 2023
Merged
4 tasks
@armcknight
Copy link
Member

There is also a use of SHA1 in the crash reporter: https://github.com/getsentry/sentry-cocoa/blob/main/Sources/SentryCrash/Recording/Monitors/SentryCrashMonitor_System.m#L424

@philipphofmann philipphofmann moved this from Backlog to Needs Discussion in Mobile & Cross Platform SDK Oct 23, 2023
@wkoutre
Copy link

wkoutre commented Jun 5, 2024

👋🏼 Hi! I'm facing the same issue as the OP. I'm wondering if this has any priority. Thanks!

@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Jun 5, 2024
@philipphofmann
Copy link
Member Author

@wkoutre, which warning do you get for which functions? We already fixed the most important functions. Fixing the rest in our backlog, but I can't give you an ETA.

@getsantry getsantry bot removed the status in GitHub Issues with 👀 3 Jun 6, 2024
@wkoutre
Copy link

wkoutre commented Jun 7, 2024

@philipphofmann Thanks for the quick reply!

The warnings are for:

  • Use of memcpy function
  • Use of malloc function
  • Use of SHA1

Another member of my team will follow up on this thread shortly with more details.

@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Jun 7, 2024
@juan-utility
Copy link

juan-utility commented Jun 7, 2024
edited
Loading

I update @wkoutre comment with the reported files:

Use of memcpy function
SentryCrashCString.m

Use of malloc function
SentryCrashCString.m

Use of SHA1
SentryDsn.m SentryCrashMonitor_System.m

Let me know if you need more information.

@philipphofmann philipphofmann mentioned this issue Jun 10, 2024
Merged
7 tasks
@philipphofmann
Copy link
Member Author

@juan-utility and @wkoutre. We fix the occurrences in SentryCrashCString with #4045, and the use of SHA1 is something we can only change in the next major with #4022.

@brustolin
Copy link
Contributor

Regarding SHA1. Its just a problem when used for security reason, which we dont used it for.

@wkoutre
Copy link

wkoutre commented Jun 10, 2024

Thanks for the update here! We really appreciate it 🎉

@getsantry getsantry bot moved this to Waiting for: Product Owner in GitHub Issues with 👀 3 Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Platform: Cocoa
Projects
GitHub Issues with 👀 3
Status: No status
Mobile & Cross Platform SDK
Status: Needs Discussion
Milestone
No milestone
Development

No branches or pull requests
7 participants
@kahest @philipphofmann @armcknight @wkoutre @hubertdeng123 @brustolin @juan-utility