Thank you for the response, Jens. I didn't realize this was unused. I'll look in the Couchbase web forum.

Gary

On Wednesday, November 25, 2020 at 2:00:46 PM UTC-8 Jens Alfke wrote:

> > On Nov 24, 2020, at 4:41 PM, Gary Ma <[email protected]> wrote:
> >
> > Hello,
> >
> > We are using version 2.7 of the Couchbase-lite-ios in our application and through a security scan, some dynamic SQL queries were identified. Some of the findings are that our client-side code is doing include:
> >
> > - INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')
> > - CREATE TABLE "%@" (%@%@);
> > - DELETE FROM "%@" WHERE %@
>
> There's nothing like that in version 2.x — for one thing, all the SQLite access is done from C++ code, so it wouldn't be using the Objective-C '%@' syntax.
>
> I don't recall anything like that from the old 1.x either. How did you find these strings? Could they come from some other library you link with that uses SQLite?
>
> > We are passing the strings from the application into the queryObject when we are building out the query through CBLQuery.buildQuery.
> >
> > In addition to ensuring our inputs are sanitized prior to building the query, I was wondering if the CBLQueryBuilder has any additional guards against potential SQL Injection attacks?
>
> We don't have any `buildQuery` method or `CBLQueryBuilder` class, in CBL 2.x.
>
> —Jens
>
> PS: Please use the Couchbase web forum for future questions. This mailing list is unused (maybe we should just delete it…)
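An added example (not code from the thread, from Couchbase Lite, or from the scanner) of the distinction Gary's question turns on: in the quoted templates the `"%@"` slots are identifiers (table and column names), which SQLite cannot bind as parameters, while the `'%@'` slots are values, which can and should be bound rather than spliced into the SQL text. The `docs` table, the allow-list and the sample value are constructed for the demonstration.

```python
"""Format-string SQL vs. allow-listed identifiers plus bound values (sqlite3)."""
import sqlite3

# Constructed allow-list: identifiers are fixed by the application, so they
# are validated here instead of being bound (SQLite binds values only).
ALLOWED_TABLES = {"docs": ("doc_id", "body")}


def quote_ident(name: str) -> str:
    """Quote an SQL identifier, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def insert_formatted(conn, table, col, value):
    """Mirror of the INSERT INTO "%@" ... VALUES ('%@') template: the value
    is spliced into the statement text, so a quote in the data changes it."""
    sql = f"INSERT INTO {quote_ident(table)} ({quote_ident(col)}) VALUES ('{value}')"
    conn.execute(sql)


def insert_bound(conn, table, col, value):
    """Hardened form: identifiers from the allow-list, value bound with '?'."""
    if table not in ALLOWED_TABLES or col not in ALLOWED_TABLES[table]:
        raise ValueError(f"unknown identifier {table!r}.{col!r}")
    sql = f"INSERT INTO {quote_ident(table)} ({quote_ident(col)}) VALUES (?)"
    conn.execute(sql, (value,))


def compare(value: str) -> dict:
    """Run both builders on the same value and report what each stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "docs" ("doc_id" TEXT, "body" TEXT)')
    results = {}
    for name, fn in (("formatted", insert_formatted), ("bound", insert_bound)):
        try:
            fn(conn, "docs", "body", value)
            results[name] = conn.execute('SELECT "body" FROM "docs"').fetchone()[0]
        except sqlite3.Error as exc:
            # A plain apostrophe in the data already breaks the formatted form.
            results[name] = f"error: {type(exc).__name__}"
        conn.execute('DELETE FROM "docs"')
    return results


if __name__ == "__main__":
    print(compare("O'Brien"))
```

A value as ordinary as a surname with an apostrophe makes the formatted builder fail, which is the same property a scanner flags as injectable; the bound builder stores it verbatim.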
