Thank you for the response Jens.
I didn't realize this was unused. I'll look in the Couchbase web forum.
Gary
On Wednesday, November 25, 2020 at 2:00:46 PM UTC-8 Jens Alfke wrote:
>
> On Nov 24, 2020, at 4:41 PM, Gary Ma <gary...@gmail.com> wrote:
>
> Hello,
>
> We are using version 2.7 of the Couchbase-lite-ios in our application and
> through a security scan, some dynamic SQL queries were identified. Some of
> the findings are that our client side code is doing include:
>
> -
>
> INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@',
> '%@', '%@', %@, '%u', '%lld')
> -
>
> CREATE TABLE "%@" (%@%@);
> - DELETE FROM "%@" WHERE %@
>
> There's nothing like that in version 2.x — for one thing, all the SQLite
> access is done from C++ code, so it wouldn't be using the Objective-C '%@'
> syntax.
>
> I don't recall anything like that from the old 1.x either. How did you
> find these strings? Could they come from some other library you link with
> that uses SQLite?
>
> We are passing the strings from the application into the queryObject when
> we are building out the query through CBLQuery.buildQuery.
>
> In addition to ensuring our inputs are sanitized prior to building the
> query, I was wondering if the the CBLQueryBuilder has any additional guards
> against potential SQL Injection attacks?
>
>
> We don't have any `buildQuery` method or `CBLQueryBuilder` class, in CBL
> 2.x.
>
> —Jens
>
> PS: Please use the Couchbase web forum for future questions. This mailing
> list is unused (maybe we should just delete it…)
>
--
You received this message because you are subscribed to the Google Groups
"Couchbase Mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to mobile-couchbase+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/mobile-couchbase/ba69377e-4867-4dec-aca0-1af4c5fd45f2n%40googlegroups.com.
