Request for Information on Data Theorem Finding

[scottluxenberg]

Description

This is bubbling back up #5447

We have a finding in Firebase for App Embeds SQL Query with Dynamic Input References:

The issue linked above has a statement from Firebase saying
the %@ is only for hard coded strings (table names, column names) so that we can reuse the code internally. All user inputs are validated, sanitized and bound appropriately for each query. We have been through security audit of the source code before releasing.

We brought this issue up to our security team, but they have said the comment is not enough attestation. Is there any releasable details of said security audit that shows this attack vector is indeed secure, that I can bring back to my security team?

Reproducing the issue

No response

Firebase SDK Version

10.11

Xcode Version

4.2

Installation Method

CocoaPods

Firebase Product(s)

Crashlytics

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

Expand Package.resolved snippet

Replace this line with the contents of your Package.resolved.

If using CocoaPods, the project's Podfile.lock

Expand Podfile.lock snippet

Replace this line with the contents of your Podfile.lock!

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[paulb777]

@scottluxenberg I'm not sure anything would have changed since #5447 was resolved, but it might help to clarify the issue. #5447 was about Analytics, but your report is about Crashlytics. Can you be more precise about where you are seeing the issue?

[scottluxenberg]

@paulb777 , yes the finding is actually in Analytics, my bad (I just put Crashlytics as that's our primary usage).

And I think if nothing has changed that's fine, I just want to know if there is a more detailed report to show that this is indeed not an issue and not jsut a GitHub comment - that's what our security department has asked for. Otherwise I have to file security exceptions - so just wondering if there is any releasble proof to show that the finding is indeed not an issue

[codyd51]

Hello! This is Phillip from the Data Theorem side. If it helps, would you please be able to provide some kind of symbol name (or w/e) for the sanitisation mentioned in #5447? Then, I can validate on my end from the disassembled code and provide an 'official' assurance from Data Theorem that we've confirmed that the SDK behaviour is fine. Would this work for your security team @scottluxenberg?

[scottluxenberg]

Yeah, if you all validate that, an actual validation from Data Theorem would be enough to satisfy us

[scottluxenberg]

Any update on if this info is providable?