Skip to content

Latest commit

 

History

History
91 lines (72 loc) · 8 KB

mitigations.md

File metadata and controls

91 lines (72 loc) · 8 KB

Mitigation Strategies Analysis for ibireme/yykit

Mitigation Strategy: Strict Image Input Validation and Sanitization for YYImage/YYAnimatedImageView

Description:

  1. Define Allowed Types: Before using YYImage or YYAnimatedImageView, create a list of explicitly allowed image MIME types (e.g., ["image/jpeg", "image/png", "image/gif", "image/webp"]).
  2. Check File Header (Magic Numbers): Before passing data to YYImage imageWithData: or similar methods, read the first few bytes of the image data and verify the file signature against known headers for the declared type. Do not rely solely on file extensions.
  3. Size Limits (File and Dimensions):
    • Set a maximum file size limit before passing data to YYKit.
    • After creating a YYImage (but before displaying it in a YYAnimatedImageView), check the size property (which represents the decoded image dimensions) and reject images exceeding predefined maximum width and height.
  4. Re-encode (Optional, but Recommended): After validating, consider re-encoding the image using YYImage's encoding methods (e.g., yy_imageWithData:scale:) to a standard format and quality. This can help remove malicious embedded data. This is done using YYKit itself.
  5. Avoid imageWithContentsOfFile for Untrusted Sources: If loading images from potentially untrusted sources (e.g., user uploads), avoid using YYImage imageWithContentsOfFile: directly. Instead, load the file data into an NSData object first, perform the validation steps above, and then use YYImage imageWithData:.

  • Threats Mitigated:

    • Malformed Image Exploits (High Severity): Prevents attacks exploiting vulnerabilities in YYKit's image decoding (or its underlying libraries) via crafted image files.
    • Denial of Service (DoS) (Medium Severity): Prevents excessively large images from causing resource exhaustion.
    • Resource Exhaustion (Medium Severity): Similar to DoS.

  • Impact:

    • Malformed Image Exploits: Significantly reduces risk (80-90%).
    • Denial of Service: Substantially reduces risk (70-80%).
    • Resource Exhaustion: Substantially reduces risk (70-80%).

  • Currently Implemented:

    • File type check based on extension before using YYAnimatedImageView in ImageViewController.swift. (Example)

  • Missing Implementation:

    • Magic number validation is missing before using YYImage.
    • Image dimension checks after YYImage creation are not implemented.
    • Re-encoding using YYImage is not implemented.
    • imageWithContentsOfFile is used directly with potentially untrusted URLs in RemoteImageLoader.m. (Example - This is a major vulnerability).

Mitigation Strategy: Secure Text Input Handling for YYText (YYLabel, YYTextView)

Description:

  1. Input Validation (Crucial for User Input): If YYLabel or YYTextView displays user-provided text, rigorously sanitize and validate this input before setting the text or attributedText properties.
  2. Whitelist Approach: Use a whitelist to restrict allowed characters, formatting tags (if using attributed strings), and attributes. Avoid blacklisting.
  3. Length Limits: Enforce maximum length limits on user-provided text to prevent excessively long strings that could cause performance issues or DoS when rendered by YYText.
  4. Contextual Output Encoding (If Mixing Data): If user-provided data is combined with application-controlled data within a YYLabel or YYTextView, ensure proper encoding for the context to prevent cross-site scripting (XSS) or similar vulnerabilities. This is less about YYKit itself and more about how you use the output from YYText.
  5. Avoid Direct HTML/Rich Text Input: If possible, avoid allowing users to directly input HTML or other rich text formats that will be rendered by YYText. If you must, use a very strict whitelist of allowed tags and attributes, and consider using a dedicated HTML sanitizer before passing the data to YYText.

  • Threats Mitigated:

    • Malformed Text Exploits (High Severity): Prevents attacks exploiting vulnerabilities in YYText's text rendering and layout engine.
    • Cross-Site Scripting (XSS) (High Severity - If applicable): Prevents XSS if user input is displayed without proper sanitization. This is relevant if YYText is used to display web-like content.
    • Denial of Service (DoS) (Medium Severity): Prevents excessively long or complex text from causing performance issues.

  • Impact:

    • Malformed Text Exploits: High risk reduction (70-90%, with thorough validation).
    • Cross-Site Scripting (XSS): High risk reduction (80-90%, with proper sanitization).
    • Denial of Service: Moderate risk reduction (50-70%).

  • Currently Implemented:

    • Basic length limits are enforced on user comments displayed in YYLabel in CommentViewController.m. (Example)

  • Missing Implementation:

    • No whitelist-based sanitization is performed. This is a critical gap.
    • No contextual output encoding is used when combining user input with other data.
    • Users can input limited HTML, which is passed directly to YYTextView in PostEditorViewController.swift. (Example - This is a major vulnerability).

Mitigation Strategy: Secure YYModel JSON Parsing and Validation

Description:

  1. Schema Validation (Recommended): Before using YYModel to parse JSON, validate the JSON structure and data types against a predefined JSON schema. This is the most robust approach.
  2. Property Whitelisting (Essential): Use YYModel's + (NSDictionary *)modelCustomPropertyMapper (or + (NSDictionary *)modelContainerPropertyGenericClass for collections) to explicitly define which JSON keys are allowed to be mapped to model properties. Ignore any unexpected keys. This is a core feature of YYModel and must be used correctly.
  3. Type Enforcement: Define clear data types for your model properties. YYModel will attempt type conversions; handle any conversion errors gracefully.
  4. Range/Value Checks (After YYModel Parsing): After YYModel has parsed the JSON and populated your model object, perform additional validation checks on the property values. Check for:
    • Valid ranges for numeric values.
    • Non-empty strings where required.
    • Valid date ranges.
    • Any other business-logic-specific constraints.
  5. Avoid Deeply Nested/Recursive Models (If Possible): While YYModel can handle nested objects, overly complex or deeply recursive models can increase the attack surface. If possible, simplify your data models.

  • Threats Mitigated:

    • Object Injection (High Severity): Prevents attackers from injecting malicious objects via crafted JSON.
    • Data Tampering (Medium Severity): Prevents unexpected modification of data.
    • Unexpected Input Handling (Medium Severity): Ensures graceful handling of invalid JSON.

  • Impact:

    • Object Injection: High risk reduction (80-90%, with schema validation and property whitelisting).
    • Data Tampering: Moderate risk reduction (50-70%).
    • Unexpected Input Handling: Moderate risk reduction (40-60%).

  • Currently Implemented:

    • + (NSDictionary *)modelCustomPropertyMapper is used in User.m and Product.m. (Example)
    • YYModel's built-in type checking is relied upon. (Example)

  • Missing Implementation:

    • No JSON schema validation is used before calling YYModel methods. This is a significant gap.
    • No additional range/value checks are performed after YYModel parsing. This is important for business logic validation.
    • A deeply nested model (Order.m) is used without sufficient validation. (Example)