Skip to content

Latest commit

 

History

History
43 lines (38 loc) · 5.4 KB

mitigations.md

File metadata and controls

43 lines (38 loc) · 5.4 KB

Mitigation Strategies Analysis for ccgus/fmdb

Mitigation Strategy: Parameterized Queries (Placeholder Usage)

  • Description:
    1. Identify all SQL query execution points in your application code where you are using fmdb methods like executeQuery:, executeUpdate:, executeUpdate:withArgumentsInArray:, executeQuery:withArgumentsInArray:, etc.
    2. For each query, examine if user-provided data is being directly embedded into the SQL query string using string formatting (e.g., stringWithFormat:) or concatenation.
    3. Replace direct embedding with placeholders (?). For every piece of user input that needs to be part of the query, substitute its position in the SQL string with a ? placeholder.
    4. Utilize fmdb's argument array methods. Specifically, use methods like executeQuery:withArgumentsInArray: or `executeUpdate:withArgumentsInArray:.
    5. Construct an NSArray containing the user-provided data. The order of elements in the array must correspond to the order of ? placeholders in your SQL query string.
    6. Pass the SQL query string with placeholders and the argument array to the chosen fmdb execution method. fmdb will handle proper escaping and binding of the arguments, preventing SQL injection.
    7. Thoroughly test all query paths to ensure they function correctly with parameterized queries and that user input is treated as data, not executable code.
  • Threats Mitigated:
    • SQL Injection (High Severity): Malicious users can inject arbitrary SQL code by manipulating user input if queries are not parameterized. This can lead to unauthorized data access, modification, or deletion.
  • Impact: Significantly reduces the risk of SQL Injection. Parameterized queries are the most effective and direct mitigation against this vulnerability when using fmdb to interact with SQLite.
  • Currently Implemented:
    • Implemented in the user authentication module for login queries, specifically when querying the user table based on username. Placeholders are used for the username and password parameters.
    • Implemented in the search functionality within the application, where user-provided search terms are used in SELECT queries. Placeholders are used for the search terms.
  • Missing Implementation:
    • Not consistently applied in data update operations, particularly in older modules related to profile editing and data import features. Some update queries still use string formatting for constructing SQL statements.
    • Missing in certain administrative functions that involve database modifications, especially in scripts used for database maintenance or data migration.

Mitigation Strategy: Keep fmdb Updated

  • Description:
    1. Regularly monitor for new releases of fmdb on its GitHub repository (https://github.com/ccgus/fmdb) or through your dependency management system (e.g., CocoaPods, Swift Package Manager).
    2. Check release notes and changelogs for each new fmdb version to identify bug fixes, security patches, and any relevant changes.
    3. Use a dependency management tool to manage your project's dependencies, including fmdb. This simplifies the update process.
    4. Update the fmdb dependency in your project to the latest stable version. Follow the update instructions provided by your dependency management tool.
    5. After updating fmdb, thoroughly test your application to ensure compatibility and that no regressions or unexpected issues have been introduced by the update. Pay special attention to database interactions and functionalities that rely on fmdb.
    6. Establish a routine for periodically checking and updating dependencies, including fmdb, as part of your application's maintenance and security practices.
  • Threats Mitigated:
    • Exploitation of Known Vulnerabilities in fmdb (High Severity): Older versions of fmdb might contain bugs or vulnerabilities that could be discovered and exploited. Updating to the latest version ensures you benefit from bug fixes and security patches released by the fmdb maintainers.
    • Indirect Vulnerabilities in Bundled SQLite (Medium Severity): While fmdb itself might not have vulnerabilities, it bundles a specific version of SQLite. Updating fmdb may also update the bundled SQLite version, indirectly mitigating potential vulnerabilities in the underlying SQLite library. (Note: fmdb might not always update SQLite with every release, so check release notes).
  • Impact: Reduces the risk of exploiting known vulnerabilities in fmdb and potentially in the bundled SQLite version. Staying updated is a crucial part of maintaining a secure application.
  • Currently Implemented:
    • fmdb is managed as a dependency using CocoaPods in the iOS project.
    • Developers are generally aware of the need to update dependencies, but updates are often performed reactively rather than proactively.
  • Missing Implementation:
    • No automated checks for fmdb updates or vulnerability scanning of the currently used fmdb version.
    • Lack of a documented and enforced policy for regular fmdb updates and security patching.
    • No formal process for monitoring fmdb release announcements or security advisories.