Realm-cocoa: Insecure functions (malloc and strlen) are used

Created on 11 Dec 2019 · 4 comments · Source: realm/realm-cocoa


After a statical code analysis of our app, the use of malloc and strlen were reported as security bugs inside Realm files. Has anybody else reported this before? We want to know if you already have an explanation for this usage or if there is a plan of changing the method in a future version.

Goals

Avoid security issues using the library

Expected Results

Explanation of the usage of the methods or changing the methods being used

Actual Results

The static analysis shows security issues due to the usage of Realm

Steps to Reproduce

Static Analysis over the library with any security tool

Code Sample

usage of malloc:
Realm/RLMAnalytics.mm

buffer.reset(malloc(*bufferSize));

usage of strlen:
Realm/RLMProperty.mm

auto nameSize = strlen(str);
...
auto familySize = strlen(family);

Realm/RLMObjectStore.mm

char *const start = className + strlen(className);

Realm/RLMSyncSubscription.mm

objectType = objectType.substr(0, objectType.size() - strlen("_matches"));

Version of Realm and Tooling

Realm framework version: 3.0.2, but even in the master branch the functions are still used

Realm Object Server version: N/A

Xcode version: N/A

iOS/OSX version: N/A

Dependency manager + version: N/A
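As an added illustration (not Realm's code), the bounded checks a reviewer would look for at the flagged call sites, written in C: a length function that cannot over-read an unterminated buffer, a guarded allocation, and the length-before-subtraction check for the "_matches" arithmetic. The function names, the size caps and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bounded stand-in for the flagged strlen(str) calls: reads at most
 * `cap` bytes, so a buffer that lacks a terminator cannot be over-read. */
size_t bounded_len(const char *str, size_t cap) {
    const char *nul = memchr(str, '\0', cap);
    return nul ? (size_t)(nul - str) : cap;
}

/* Guarded stand-in for malloc(*bufferSize): rejects zero and oversized
 * requests so the caller is never handed a buffer smaller than it expects.
 * The max_size cap is an assumed policy value, not Realm's. */
void *checked_alloc(size_t size, size_t max_size) {
    if (size == 0 || size > max_size) return NULL;
    return malloc(size);
}

/* The "size - strlen(suffix)" arithmetic is only safe when the string is
 * at least as long as the suffix. Returns the length with the suffix
 * removed, or the full length when the suffix is absent (no underflow). */
size_t strip_suffix_len(const char *s, size_t cap, const char *suffix) {
    size_t n = bounded_len(s, cap);
    size_t m = strlen(suffix);   /* a string literal: terminator guaranteed */
    if (n < m || memcmp(s + n - m, suffix, m) != 0) return n;
    return n - m;
}

/* Constructed input: 8 bytes, deliberately NOT NUL-terminated. A plain
 * strlen() here would read past the array; bounded_len() returns 8. */
size_t demo_unterminated_len(void) {
    const char raw[8] = {'_', 'm', 'a', 't', 'c', 'h', 'e', 's'};
    return bounded_len(raw, sizeof raw);
}

int main(void) {
    void *buf = checked_alloc(64, 4096);
    if (buf == NULL) return 1;
    free(buf);
    size_t base = strip_suffix_len("Person_matches", 64, "_matches"); /* 6 */
    return (demo_unterminated_len() == 8 && base == 6) ? 0 : 1;
}
```

The point for triage is that each flagged call is benign only when such a bound or guard exists at the call site; that is what the scanner cannot see and what a reviewer has to confirm by hand.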


All 4 comments

@bdrangel Security scanner tools can often complain with false negatives. If they are easy fixes we don't mind merging PRs if that helps you. If you can point to and explain actual security issues we will of course fix them right away. But so far we have not seen any actual risks.

Thanks for your answer. At this moment, our goal is to pass a security audit in which the usage of these functions was marked as a finding. In particular, malloc is considered insecure due to the possibility of exploiting it to lead to a heap overflow. I'm not a security expert and I'm not sure if the usage in these specific scenarios could be exploited, but I would really appreciate your help to define why the usages are not risks, or if there is evidence to demonstrate that the functions cannot lead to the security issue. Has anybody else asked before for security explanations? Thanks in advance.

Hi @bdrangel,
We can't see how this is a security risk in a mobile application. As mentioned, any such tool will provide you with false negatives, and we can't really spend the time to prove that it's not; it has to be the opposite way. This repo is really only for bugs, but if you want help to assess if this is an issue, I suggest you ask on StackOverflow or provide the tool vendor with the code and ask them not to flag issues like this :-)
I'll be closing this issue, but feel free to reopen in case you have substantial arguments for why this issue must be addressed.
Thanks!
