
[question]: HIGH RISK vulnerabilities in Security report using OneSignal SDK #1780

Closed · 1 task done
billyu1228 opened this issue Jan 8, 2025 · 4 comments

Comments


billyu1228 commented Jan 8, 2025

How can we help?

From security report from scan:

There is 'execSQL()' found in file 'com/onesignal/core/internal/database/impl/OSDatabase.java':

[line 458: safeExecSQL(sQLiteDatabase, "ALTER TABLE notification ADD COLUMN expire_time TIMESTAMP;");]
[line 459: safeExecSQL(sQLiteDatabase, "UPDATE notification SET expire_time = created_time + 259200;");]
[line 460: safeExecSQL(sQLiteDatabase, OneSignalDbContract.NotificationTable.INDEX_CREATE_EXPIRE_TIME);]
[line 461: }]
[line 512: if (!StringsKt.startsWith$default(str, "sqlite_", false, 2, (Object) null)) {]
[line 513: db.execSQL("DROP TABLE IF EXISTS " + str);]
[line 514: }]

There is 'execSQL()' found in file 'com/onesignal/session/internal/outcomes/impl/OutcomeTableProvider.java':

[line 69: db.execSQL("INSERT INTO cached_unique_outcome(_id,name,channel_influence_id) SELECT _id,name,notification_id FROM cached_unique_outcome_notification;");]
[line 70: db.execSQL("UPDATE cached_unique_outcome SET channel_type = '" + InfluenceChannel.NOTIFICATION + "';");]
[line 71: db.execSQL("DROP TABLE cached_unique_outcome_notification;");]
[line 72: } catch (SQLiteException e) {]

Example of secure code:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new BigDecimal("153833.00"));
pstmt.setInt(2, 110592);

Example of insecure code:
db.rawQuery("SELECT username FROM users_table WHERE id = '" + input_id +"'");
db.execSQL("SELECT username FROM users_table WHERE id = '" + input_id +"'");

Environment
Android SDK: Android 11
react-native OneSignal SDK: 5.2.4

How can I fix it?
Or
how can I explain to the Security team that it is safe to ignore?

Code of Conduct

  • I agree to follow this project's Code of Conduct

jsellam commented Jan 21, 2025

I'm looking for an answer too. This issue was found in a pen test.


jsellam commented Jan 21, 2025

I found this

[image attachment]

@jfishman1

Hello, this is a false positive.

The OneSignal SDK uses its own database in the app that is not taking any user input. While OneSignal isn't using the recommended PreparedStatement, all SQL statements are wrapped to prevent injection. The likelihood of exploitation is zero.
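To make the distinction in the reply above concrete, here is an added example (not OneSignal's code) that reproduces the flagged statements on an in-memory SQLite database in Python, next to the parameterized form the scanner's "secure code" hint is asking for. Table and column names are taken from the scan excerpt; the sample rows and the `users_table` schema are constructed, and quoting the identifier in the DROP loop is an extra hardening step not present in the SDK.

```python
import sqlite3


def open_db():
    """Constructed fixture: the two tables the scan excerpt mentions, with sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notification (_id INTEGER PRIMARY KEY, created_time INTEGER)")
    db.execute("CREATE TABLE users_table (id TEXT, username TEXT)")
    db.executemany("INSERT INTO notification(created_time) VALUES (?)", [(1000,), (2000,)])
    db.execute("INSERT INTO users_table VALUES ('42', 'alice')")
    return db


def migrate_notification(db):
    # Same fixed SQL text as OSDatabase lines 458-459. Nothing from outside the app
    # is concatenated into the statement, so there is no injection surface here.
    db.execute("ALTER TABLE notification ADD COLUMN expire_time TIMESTAMP;")
    db.execute("UPDATE notification SET expire_time = created_time + 259200;")
    return [r[0] for r in db.execute("SELECT expire_time FROM notification ORDER BY _id")]


def drop_app_tables(db):
    # Mirrors OSDatabase lines 512-513: the names come from sqlite_master, the
    # database's own catalog, not from user input. Identifiers cannot be bound with
    # '?', so the name has to be spliced into the text; quoting it as an identifier
    # (doubling any embedded quote) is cheap defence in depth.
    names = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    dropped = []
    for name in names:
        if not name.startswith("sqlite_"):
            db.execute('DROP TABLE IF EXISTS "%s"' % name.replace('"', '""'))
            dropped.append(name)
    return dropped


def find_username(db, input_id):
    # The pattern the report's 'insecure code' example should become: the external
    # value is bound as a parameter and never becomes part of the SQL text, so a
    # hostile-looking id is compared literally and simply matches nothing.
    row = db.execute("SELECT username FROM users_table WHERE id = ?", (input_id,)).fetchone()
    return row[0] if row else None


def remaining_tables(db):
    return [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
```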

@sherwinski

Closing this following @jfishman1's response
