Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure unsafe functions are properly guarded #1012

Closed
markushi opened this issue Jun 19, 2024 · 3 comments
Closed

Ensure unsafe functions are properly guarded #1012

markushi opened this issue Jun 19, 2024 · 3 comments
Assignees
@JoshuaMoelans
Labels
Platform: Native

Comments

@markushi
Copy link
Member

Description

We recently received a security report about unsafe usages. Whilst there's not always a safe alternative available (especially cross-platform) we can still have a check and ensure we have best-effort implementations for:

  • input validation
  • buffer management
  • return values are in proper format (e.g. null terminated strings)

Detailed report:

Format String Vulnerabilities

libsentry-android.so
  snprintf: 00001c92
libsentry.so
  fprintf: 000d4d98
  snprintf: 00074252
  vfprintf: 000d102a
  vprintf: 0008c4da
  vsnprintf: 0007914a

Buffer Overflow Vulnerabilities

libsentry.so
  strncpy: 000d34ea
  memcpy: 000d40b0

Buffer Overflow Danger Functions

libsentry.so
  realpath: 0007cd4e
@markushi
Copy link
Member Author

We should also consider integrating CodeQL into CI to highlight potential issues earlier.

@kahest kahest moved this from Needs Discussion to Todo in Mobile & Cross Platform SDK Jun 20, 2024
@JoshuaMoelans
Copy link
Member

Tracking progress on this Notion page (+ subpages)

@JoshuaMoelans JoshuaMoelans moved this from Todo to In Progress in Mobile & Cross Platform SDK Sep 17, 2024
This was referenced Oct 2, 2024
Merged
Merged
@JoshuaMoelans
Copy link
Member

Investigation led to 2 minor fixes (#1046 and #1047). All other occurrences of 'unsafe' functions were already properly guarded, or handled static data that made their uses safe.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Mobile & Cross Platform SDK Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JoshuaMoelans JoshuaMoelans

Labels
Platform: Native
Projects
Mobile & Cross Platform SDK
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@markushi @kahest @JoshuaMoelans