Couchbase lite iOS 2.7 Security Question


Gary Ma

Nov 24, 2020, 8:24:36 PM
to Couchbase Mobile
Hello,

We are using version 2.7 of the Couchbase-lite-ios in our application and through a security scan, some dynamic SQL queries were identified. Some of the findings about what our client-side code is doing include:
  • INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')

  • CREATE TABLE "%@" (%@%@);

  • DELETE FROM "%@" WHERE %@
From the description, it points out that these client-side SQL queries are populated at runtime via format strings and could be subject to SQL Injection. 

We are passing the strings from the application into the queryObject when we are building out the query through CBLQuery.buildQuery.

In addition to ensuring our inputs are sanitized prior to building the query, I was wondering if the CBLQueryBuilder has any additional guards against potential SQL Injection attacks? Also, are there other suggestions on how we can utilize CBLQuery safely? Please let me know if you require additional information.

Thanks,
Gary

Jens Alfke

Nov 25, 2020, 5:00:46 PM
to mobile-c...@googlegroups.com

On Nov 24, 2020, at 4:41 PM, Gary Ma <gary...@gmail.com> wrote:

> Hello,
>
> We are using version 2.7 of the Couchbase-lite-ios in our application and through a security scan, some dynamic SQL queries were identified. Some of the findings about what our client-side code is doing include:
>   • INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')
>
>   • CREATE TABLE "%@" (%@%@);
>
>   • DELETE FROM "%@" WHERE %@
There's nothing like that in version 2.x — for one thing, all the SQLite access is done from C++ code, so it wouldn't be using the Objective-C '%@' syntax.

I don't recall anything like that from the old 1.x either. How did you find these strings? Could they come from some other library you link with that uses SQLite?

> We are passing the strings from the application into the queryObject when we are building out the query through CBLQuery.buildQuery.

> In addition to ensuring our inputs are sanitized prior to building the query, I was wondering if the CBLQueryBuilder has any additional guards against potential SQL Injection attacks?

We don't have any `buildQuery` method or `CBLQueryBuilder` class, in CBL 2.x.

—Jens

PS: Please use the Couchbase web forum for future questions. This mailing list is unused (maybe we should just delete it…)
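As an added illustration, not code from this thread or from Couchbase Lite: a small Python triage script for the kind of string list a scanner reports, which flags SQL-looking strings that still carry printf-style placeholders and classifies each placeholder by where it lands in the statement (quoted literal, quoted identifier, bare clause, or integer conversion). The sample strings are constructed; the first three mirror the patterns quoted above, the rest are controls.

```python
import re
from dataclasses import dataclass

# Constructed sample of strings as a scanner might report them. The first three
# mirror the patterns quoted in the thread; the rest are constructed controls.
SAMPLE_STRINGS = [
    """INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')""",
    """CREATE TABLE "%@" (%@%@);""",
    """DELETE FROM "%@" WHERE %@""",
    """SELECT name FROM docs WHERE id = ?""",          # bound parameter: not flagged
    """Loaded %@ documents in %lld ms""",              # format string, but not SQL
    """UPDATE "%@" SET value = '%@' WHERE key = ?""",  # mixed: one spliced literal
]

SQL_VERB = re.compile(r"^\s*(INSERT|UPDATE|DELETE|SELECT|CREATE|DROP|ALTER)\b", re.I)
# %@ (Objective-C object), %s (C string) and integer conversions such as %u, %d, %lld
PLACEHOLDER = re.compile(r"%(@|s|l{0,2}[diu])")

@dataclass
class Finding:
    statement: str
    string_literal: int = 0  # '%@'  text spliced inside a quoted SQL literal
    identifier: int = 0      # "%@"  table or column name spliced in
    raw_fragment: int = 0    # bare %@  whole clause spliced in (e.g. WHERE %@)
    numeric: int = 0         # %u / %lld  integer conversions, cannot carry text

    def risk(self) -> str:
        # Heuristic only: assumes the interpolated text may be attacker-influenced.
        if self.raw_fragment or self.string_literal:
            return "high"
        if self.identifier:
            return "medium"
        return "low"

def classify(statement: str) -> Finding:
    # Count each placeholder by the character immediately before it.
    f = Finding(statement)
    for m in PLACEHOLDER.finditer(statement):
        before = statement[m.start() - 1] if m.start() > 0 else ""
        if m.group(1) not in ("@", "s"):
            f.numeric += 1
        elif before == "'":
            f.string_literal += 1
        elif before == '"':
            f.identifier += 1
        else:
            f.raw_fragment += 1
    return f

def find_format_sql(strings):
    # One Finding per SQL-looking string that still contains a placeholder.
    return [classify(s) for s in strings if SQL_VERB.match(s) and PLACEHOLDER.search(s)]
```

Running `find_format_sql` over a real `strings` dump of each linked binary separately is one way to answer the question above of which library the flagged statements actually come from.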

Gary Ma

Nov 26, 2020, 5:08:45 PM
to Couchbase Mobile
Thank you for the response Jens.

I didn't realize this was unused. I'll look in the Couchbase web forum.

Gary
