Description
The vulnerability is hypothetical and was found using a source code scanner on an unrelated project using Firebase SDK for iOS.
I have no way to test it. It was previously reported to the security issue tracker and found to be not important enough. So I am reporting it again here.
Affected Branch: main (all since PR #6591)
File: firebase-ios-sdk/FirebaseMessaging/Sources/FIRMessagingExtensionHelper.m
The method "fileExtensionForResponse" (line 140) attempts to construct a proper file extension for image files using the MIME Type received in the response to a network request. This is done by stripping away the "image/" portion of the MIME Type and replacing it with a dot (".").
The constructed extension is later used by simply appending it to a file path (lines 170-173).
There is no check if the MIME Type is sane. If the MIME Type is, for example "image/png/../../../target_file", an unrelated file could be overwritten.
Reproducing the issue
It is unclear how or if this can actually be exploited. An exploit would require downloading of an attachment from a malicious web server.
Firebase SDK Version
main (all since PR #6591)
Xcode Version
N/A
Installation Method
N/A
Firebase Product(s)
Messaging
Targeted Platforms
N/A
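The check the report describes as missing, as an added example (not code from the issue or from the Firebase SDK): the MIME subtype is accepted as an extension only if it is a short run of ASCII letters and digits, and the final path is confirmed to stay inside the download directory. The helper names, the 8-character limit, the `attachments` directory and all sample MIME types except the one quoted in the issue are assumptions.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper, not the SDK's code: returns ".<subtype>" only when the
// subtype is 1-8 ASCII letters or digits; anything else yields no extension.
static NSString *SafeImageExtension(NSString *mimeType) {
  NSString *lower = mimeType.lowercaseString;
  if (![lower hasPrefix:@"image/"]) return @"";
  NSString *subtype = [lower substringFromIndex:@"image/".length];
  NSCharacterSet *allowed = [NSCharacterSet
      characterSetWithCharactersInString:@"abcdefghijklmnopqrstuvwxyz0123456789"];
  BOOL clean =
      [subtype rangeOfCharacterFromSet:allowed.invertedSet].location == NSNotFound;
  if (subtype.length == 0 || subtype.length > 8 || !clean) return @"";
  return [@"." stringByAppendingString:subtype];
}

// Defense in depth: after normalizing "." and ".." components, the target
// path must still begin with the directory it is supposed to live in.
static BOOL IsInsideDirectory(NSString *path, NSString *directory) {
  NSString *dir = directory.stringByStandardizingPath;
  if (![dir hasSuffix:@"/"]) dir = [dir stringByAppendingString:@"/"];
  return [path.stringByStandardizingPath hasPrefix:dir];
}

int main(void) {
  @autoreleasepool {
    // Constructed sample data; the third entry is the value quoted in the issue.
    NSString *dir =
        [NSTemporaryDirectory() stringByAppendingPathComponent:@"attachments"];
    NSString *base = [dir stringByAppendingPathComponent:@"download"];
    NSArray<NSString *> *samples =
        @[ @"image/png", @"IMAGE/JPEG", @"image/png/../../../target_file", @"image/" ];
    for (NSString *mime in samples) {
      // The pattern the issue describes: replace "image/" with "." and append.
      NSString *naive = [base
          stringByAppendingString:[mime stringByReplacingOccurrencesOfString:@"image/"
                                                                  withString:@"."]];
      NSString *safe = [base stringByAppendingString:SafeImageExtension(mime)];
      NSLog(@"%@\n  naive: %@ (inside dir: %d)\n  safe:  %@ (inside dir: %d)", mime,
            naive, IsInsideDirectory(naive, dir), safe, IsInsideDirectory(safe, dir));
    }
  }
  return 0;
}
```

Subtypes containing other characters, such as `svg+xml`, get no extension under this allowlist; map them explicitly if they are needed.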