New Issue Checklist

- I have searched for a similar issue in the project and found none

Issue Info

| Info | Value |
|---|---|
| Platform Name | ios |
| Platform Version | 15.0 |
| SDWebImage Version | 5.18.2 |
| Integration Method | cocoapods |
| Xcode Version | Xcode 15.2 |
| Repro rate | all the time (100%) |
| Repro with our demo prj | cyber security issue |
| Demo project link | cyber security issue |
Issue Description and Steps
Thanks for your contribution on your git. We are currently using it to load an image; WebImage(url:
However, we found that there is some cyber security issue (NSCoding) in your git repository; if you search NSCoding in your repository, you can easily find them in your git.
Therefore, I just wonder if your organization has a plan to switch NSCoding to NSSecureCoding (Secure Object Archiving APIs or cache) in the near future; if you don't have any capacity to fix it soon, it would be appreciated if you could respond saying that you don't have a plan for it now. Then we could keep using your repository; otherwise, we would need to consider dropping it, unfortunately (that is not what we want). Looking forward to hearing from your organization.
Thanks for your time; your contribution to our development community is crucial.
Best Regards,
Peace Cho.
Here is the finding
The NSKeyedArchiver or NSKeyedUnarchiver methods used by the App are insecure because they are incompatible with the NSSecureCoding protocol. An attacker-controlled payload that is deserialized via these APIs may result in attacker-controlled code being executed.

NSCoding is an Objective-C protocol that interoperates with NSKeyedArchiver and NSKeyedUnarchiver. Together, these APIs allow serialization and deserialization of code objects. However, the NSKeyedUnarchiver methods used by the app, and the NSCoding protocol itself, do not verify the type of object upon deserialization. Thus, an attacker may craft a malicious payload that results in unexpected code being executed.

To mitigate this vulnerability, Apple introduced the NSSecureCoding protocol along with the following secure methods of NSKeyedArchiver and NSKeyedUnarchiver, which are robust against this type of attack:

These APIs protect against object substitution attacks by requiring the programmer to declare the expected type of object before deserialization completes. Thus, if an invalid object is deserialized, the error can be handled safely.

Apple provides more information in the WWDC20 session, 'Securing Your App'.

Remediation Guidance

Locate all the classes in the App that conform to NSCoding and migrate them to NSSecureCoding.
Then, replace the insecure usages of NSKeyedArchiver and NSKeyedUnarchiver with the secure APIs that perform error handling and validate the expected type of the deserialized objects.
Additionally, ensure all input data is validated before it is used, especially when dealing with data that becomes executable.
```objc
#import <Foundation/Foundation.h>

// Declare that your class conforms to NSSecureCoding
@interface MySecureObject : NSObject <NSSecureCoding>
@property (nonatomic, retain) NSDictionary *myData;
+ (MySecureObject *)deserializeFromData:(NSData *)data;
@end

@implementation MySecureObject

+ (BOOL)supportsSecureCoding {
    // Must override this class method to return YES; NSSecureCoding requires it
    return YES;
}

+ (MySecureObject *)deserializeFromData:(NSData *)data {
    // Inform the system of the object type we expect to be deserialized from the data.
    // This method returns nil and sets the error if the serialized data was invalid
    // or if its root object is not a MySecureObject.
    NSError *out_error = nil;
    MySecureObject *object = [NSKeyedUnarchiver unarchivedObjectOfClass:[MySecureObject class]
                                                               fromData:data
                                                                  error:&out_error];
    if (object == nil) {
        // Handle the error
        NSLog(@"Deserialization failed: %@", out_error);
        return nil;
    }
    return object;
}

- (id)initWithCoder:(NSCoder *)decoder {
    if ((self = [super init])) {
        // When decoding sub-objects, use decodeObjectOfClass:forKey:.
        // Decoding fails (error or exception, depending on the unarchiver's
        // decodingFailurePolicy) if the archived object's class doesn't match
        // the expected class
        self.myData = [decoder decodeObjectOfClass:[NSDictionary class] forKey:@"myData"];
    }
    return self;
}

- (void)encodeWithCoder:(NSCoder *)encoder {
    [encoder encodeObject:self.myData forKey:@"myData"];
}

@end
```
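An added example (not from this issue or from SDWebImage) showing the call-site side of the migration the finding asks for: the legacy unarchive call next to the secure archive/unarchive pair, and what the secure API does when the archive's root object is not the class the caller declared. The names SampleMetadata, InsecureDecode, SecureEncode and SecureDecodeMetadata are this example's own, and the payload is constructed.

```objc
#import <Foundation/Foundation.h>

// Constructed sample payload: a small dictionary an app might cache on disk.
static NSDictionary *SampleMetadata(void) {
    return @{ @"etag": @"\"abc123\"", @"maxAge": @3600 };
}

// Legacy call: the archive, not the caller, decides which classes get instantiated.
// Kept only for comparison; do not use in new code.
static id InsecureDecode(NSData *data) {
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
    return [NSKeyedUnarchiver unarchiveObjectWithData:data];
#pragma clang diagnostic pop
}

// Secure archive: refuses to encode any object that does not support NSSecureCoding.
static NSData *SecureEncode(id<NSSecureCoding> root, NSError **error) {
    return [NSKeyedArchiver archivedDataWithRootObject:root
                                 requiringSecureCoding:YES
                                                 error:error];
}

// Secure decode: the caller names every allowed class; anything else is rejected.
static NSDictionary *SecureDecodeMetadata(NSData *data, NSError **error) {
    NSSet<Class> *allowed = [NSSet setWithObjects:[NSDictionary class], [NSString class], [NSNumber class], nil];
    return [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed fromData:data error:error];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSError *error = nil;
        NSData *archive = SecureEncode(SampleMetadata(), &error);
        NSCAssert(archive != nil, @"encode failed: %@", error);

        NSDictionary *ok = SecureDecodeMetadata(archive, &error);
        NSCAssert([ok[@"maxAge"] isEqual:@3600], @"round trip failed: %@", error);

        // The legacy call accepts whatever class the archive names; no check is possible here.
        id legacy = InsecureDecode(archive);
        NSCAssert(legacy != nil, @"legacy decode returned nil");

        // Same bytes, but the caller expects an NSArray: the secure unarchiver rejects
        // the root object instead of instantiating whatever the archive names.
        id wrong = [NSKeyedUnarchiver unarchivedObjectOfClass:[NSArray class] fromData:archive error:&error];
        NSCAssert(wrong == nil && error != nil, @"type mismatch must fail");
        NSLog(@"rejected: %@", error.localizedDescription);
    }
    return 0;
}
```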
The most important question is whether SDWebImage uses NSCoding or not by default when the user uses WebImage(url:)?
Because based on my search with sd_extendedObject, it said, "By default, if the image is cached, we do not send request to query new metadata."
Also, I found that the latest SDWebImage is 5.19.1 (6 does not exist).