On Nov 24, 2020, at 4:41 PM, Gary Ma 
<[email protected]<mailto:[email protected]>> wrote:

Hello,

We are using version 2.7 of Couchbase-lite-ios in our application, and a 
security scan identified some dynamic SQL queries. Some of the findings about 
what our client-side code is doing include:

  *   INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')

  *   CREATE TABLE "%@" (%@%@);

  *   DELETE FROM "%@" WHERE %@

There's nothing like that in version 2.x — for one thing, all the SQLite access 
is done from C++ code, so it wouldn't be using the Objective-C '%@' syntax.

I don't recall anything like that from the old 1.x either. How did you find 
these strings? Could they come from some other library you link with that uses 
SQLite?

We are passing the strings from the application into the queryObject when we 
are building out the query through CBLQuery.buildQuery.

In addition to ensuring our inputs are sanitized prior to building the query, I 
was wondering if the CBLQueryBuilder has any additional guards against 
potential SQL injection attacks?

We don't have any `buildQuery` method or `CBLQueryBuilder` class, in CBL 2.x.

—Jens

PS: Please use the Couchbase web forum for future questions. This mailing list 
is unused (maybe we should just delete it…)
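The difference between the format-string pattern the scanner flagged and a parameterized query is easy to see in a few lines. The following is an added example written for this thread, not code from Couchbase Lite or from either poster; it uses Python's standard `sqlite3` module in place of the C++/SQLite layer Jens mentions, and the table name, column names and allowlists are constructed for the demonstration. It also shows the caveat that bound parameters only cover values: a table or column name such as the `"%@"` in `INSERT INTO "%@"` cannot be bound, so identifiers need an allowlist check before they are spliced into the statement.

```python
import re
import sqlite3

# Constructed allowlists (hypothetical schema; the thread does not name one).
ALLOWED_TABLES = {"docs", "revs"}
ALLOWED_COLUMNS = {
    "docs": {"doc_id", "json", "seq"},
    "revs": {"doc_id", "revid"},
}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name, allowed):
    """Validate an identifier against an allowlist and double-quote it.

    Bound parameters carry values, not table/column names, so identifiers
    need their own check before being spliced into SQL text.
    """
    if name not in allowed or not IDENT_RE.match(name):
        raise ValueError(f"identifier not permitted: {name!r}")
    return '"' + name + '"'


def insert_formatted(conn, table, values):
    """The pattern a scanner flags: values spliced into the statement with
    string formatting, the Python equivalent of an Objective-C '%@' format."""
    cols = ", ".join(f'"{c}"' for c in values)
    vals = ", ".join(f"'{v}'" for v in values.values())
    sql = f'INSERT INTO "{table}" ({cols}) VALUES ({vals})'
    conn.execute(sql)


def insert_bound(conn, table, values):
    """Identifiers allow-listed and quoted; values sent as bound parameters."""
    cols = [quote_ident(c, ALLOWED_COLUMNS[table]) for c in values]
    placeholders = ", ".join("?" * len(cols))
    sql = (f"INSERT INTO {quote_ident(table, ALLOWED_TABLES)} "
           f"({', '.join(cols)}) VALUES ({placeholders})")
    conn.execute(sql, tuple(values.values()))


def demo(text):
    """Run both insert styles on the same value and report what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "docs" ("doc_id" TEXT, "json" TEXT, "seq" INTEGER)')
    results = {}

    # A value containing an apostrophe breaks the formatted statement:
    # the quote ends the literal early and SQLite rejects the syntax.
    try:
        insert_formatted(conn, "docs", {"doc_id": "d1", "json": text})
        results["formatted"] = "ok"
    except sqlite3.Error:
        results["formatted"] = "error"

    # The bound version stores the value verbatim, apostrophe included.
    insert_bound(conn, "docs", {"doc_id": "d2", "json": text})
    row = conn.execute(
        'SELECT "json" FROM "docs" WHERE "doc_id" = ?', ("d2",)
    ).fetchone()
    results["bound_roundtrip"] = row[0] == text

    # An identifier outside the allowlist is refused before any SQL is built.
    try:
        quote_ident("sqlite_master", ALLOWED_TABLES)
        results["identifier_rejected"] = False
    except ValueError:
        results["identifier_rejected"] = True

    conn.close()
    return results


if __name__ == "__main__":
    print(demo("O'Reilly"))
```

A scanner that reports `INSERT INTO "%@" (...) VALUES ('%@', ...)` is pointing at the `insert_formatted` shape; the fix is the `insert_bound` shape, and the identifier allowlist is what closes the gap that parameter binding alone leaves open.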

To view this discussion on the web visit 
https://groups.google.com/d/msgid/mobile-couchbase/3F79E2D5-2919-41C2-822C-4E14FE1AB792%40couchbase.com.