Remote Code Execution Found in CocoaPods
source link: https://news.ycombinator.com/item?id=26874726
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
This is why some customers require various security certifications. Too bad the certifications often focus on whether your employees have three groups of characters in their passwords instead of an actual security audit with penetration testing.
My point being, how to make people want a proper audit and how to commuicate you had one. From another point of view, how do you justify the cost without including the risk of being hacked? Because even in this instance, they were (probably) not hacked, and your reward was likely lower than an audit would cost.
A company could simply dismiss most reports as duplicates, maybe even with a fake hall of fame, and get away with this for a long time.
> I’m trying to give 10,000 mosquito nets to charity! If you liked this post please consider donating a $2 mosquito net.
Not to diminish the finding mind you, just that I was surprised to hear about malaria nets.
https://www.nytimes.com/2015/01/25/world/africa/mosquito-net...
Unfortunately not - the hole size on the nets is much smaller than a normal fishing net, so it doesn't let juveniles escape, reducing the future fish population.
A lot of the nets are also treated with insecticide, which means you're essentially dumping insecticide into the water, which can be dangerous to humans and toxic to fish.
I don't understand what this means
It's a suggestion that everything is only done on the basis of what will result in the most benefit, ignoring the mortality of how it is achieved.
[1] https://en.wikipedia.org/wiki/Jeremy_Bentham [2] https://en.wikipedia.org/wiki/Jeremy_Bentham
CocoaPods itself is quite problematic: You need Ruby to run it. Definitions aren't strict enough (you can use too old CocoaPods binary for package that doesn't support it). Pods can cause build conflicts/issues that might only be visible when you run your app.
This isn't meant as a criticism of the CocoaPods team, who seem to be doing the best they can given that they're working on a volunteer basis and even had to pay for infrastructure costs out of pocket. It just amazes me that Apple couldn't donate a little bit to help out such a critical part of their developer ecosystem.
CocoaPods was a hugely important part of the iOS ecosystem and will be for years to come, but SPM is a great next step.
I’d be very surprised if Apple wasn’t dogfooding their own tool chain
I'm deprecating my use of Cocoapods (for publishing -I never use them for my own software), in favor of SPM.
That said, it's clearly a labor of love, and filled an important niche for years.
I do not believe SPM is mature enough to be the entire platform, and worst yet if you experience any problems it is entirely impossible to customize the behavior. I think it's going to be another year or 2 before dropping CocoaPods entirely is a fair choice for libraries -- SPM works for the most basic use cases, but not all.
That's fixed in Xcode 12.5 https://developer.apple.com/documentation/xcode-release-note...
Looks like this happens for chained dependencies ("a Swift package with binary dependencies", below), in apps with extensions (I have none).
This is from the 12.4 notes[0]:
> If you use a Swift package with binary dependencies in an app with extensions, the build system incorrectly embeds the binary dependencies alongside the extension in the PlugIns directory, causing validation of the archived app to fail. (69834549) (FB8761306) Workaround: Add a scheme post-build action which removes the embedded binaries from the PlugIns directory after the build, e.g. rm -rf "${TARGET_BUILD_DIR}/${TARGET_NAME}.app"/PlugIns/.framework.*
I do not see a note in the 12.5 notes addressing this[1].
[0] https://developer.apple.com/documentation/xcode-release-note...
[1] https://developer.apple.com/documentation/xcode-release-note...
Maybe, we could have found more in common than you may think. We both seem to be passionate about the same kind of stuff.
I was under the impression that we should make an effort to be a wee bit more respectful with each other, than we might in venues like Reddit or SO (where they have the "digital sneer" down to a science).
That was the only thing I could find that mentioned anything like it at all.
I checked my builds every which way from Sunday, and I never had a double-embedded static lib. I was wondering if they may have been mixed up.
Otherwise, there's nothing at all about it.
I pretty much always use static libs, but sometimes, I may need a .framework. I've been using SPM for months, and have published a bunch of libs. I do tend to be conservative, and reduce the surface of dependencies wherever possible. I eat my own dog food, and am the only consumer (that I know of) of my packages. My chains tend to be short.
A swift package manager product before 12.5 will be embedded inside your target and statically linked.
If you have more than one target using that product, you will end up embedding it more than once, which creates duplicated symbols in your binary, which leads to undefined behaviour when calling that symbol at runtime (which Apple don't allow for apps on the AppStore - ironically Big Sur on M1 Macs has a lot of duplicated libraries for x86 and arm64 which will cause a warning about undefined behaviour when you call them - do as I say, not as I do).
What happens now in 12.5 onwards is those products will be dynamically linked, meaning there will be one copy of it in your binary, that each of your targets can call symbols on, which gets rid of the duplication and the potential for undefined behaviour.
I understand. I have not encountered that. I'll look again. In most of my projects, the executables are test harnesses, and not all use SPM. Most of my dependencies are so small, that I might actually be better off directly linking in the source file from inside the package. I do that with the Carthage variants, but the static libs are so small, that I don't sweat it, and it makes life easier, all around.
I know that dylibs are fairly recent additions to SPM. One of the issues that I had with Carthage, was that I was constantly screwing up the signing. Since the libs were so small, I just said "Bugger this for a lark," and directly linked the source files. Since Carthage checks out in the project dir, this was easy. I use a separate derivedData directory, so it's not so straightforward to directly embed SPM source files. I haven't tried the new resources in SPM modules, yet.
Thanks for following up, and again, my apologies for overreacting.
For libraries this is probably true, but I would imagine that most apps could start on SPM from today and never need to introduce CocoaPods or Carthage (we did, ~1 year ago). There are certainly limitations, but they are disappearing fairly rapidly, and the advantage of simpler builds, no Ruby setup, simpler Xcode project structures, etc, are worthwhile.
I don't see the libraries being embedded in my project, but maybe I need to use something like iMazing to look at the package.
I manually import and rewrite snippets of 3rd party code when needed, or I write needed utils myself. I lean on the OS as much as possible, not dodgy and often abandoned 3rd party libraries.
Would be good to show a list of all repositories where there are more than 1 distinct source as most people who make pods just point to their Github repo release page.
It's very tedious to check the impact of this without that list.
I noticed that quite a few pods have more than 1 distinct source when checking the pods used by projects I have worked on. From what I could see source changes were the result of ownership changes, GitHub account name changes, etc.
So i'm not sure how to distinguish malicious source changes from innocuous ones. Maybe it would be worthwhile to search for source changes that lasted a single release and reverted thereafter.
They should have used `popen` instead.
This is similar to python's subprocess with `shell=True`
Edit: I'm wrong!
> ls-remote has a parameter --upload-pack which can be used to execute a new shell
[1] pry(main)> system "echo", "$(whoami)"
$(whoami)
=> true
[2] pry(main)> system "git", "ls-remote", "--upload-pack=$(whoami)", "HEAD"
$(whoami) 'HEAD': USERNAME: command not found
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
=> false
P.S. it seems that you have an extra space before `--upload-pack`.
Specifically, the problem here is that git, like almost every other CLI tool, tries to add as many features as possible to make it easy to use from a console. This (coupled with the fact that these things are never documented, as is the case here, unless <exec> is some idiom I'm supposed to be aware of) makes it harder to use in a correct manor (security bugs being a subset of possible problems).
https://www.defensecode.com/public/DefenseCode_Unix_WildCard...
I expect you could make a hard developer trivia game where people have to guess if a vulnerability was found in an IOT app or a SAAS app based only on the name.
Whenever IT folks run out of good names they always turn to coffee.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK