Snyk.io has alerted me to a CWE-502 issue with a Swift class that implements Codable.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution.
The class is defined as class Foo: Codable { ...
The report goes on to suggest an NSSecureCoding fix which I don't think is relevant.
In Swift, the NSSecureCoding protocol (https://developer.apple.com/documentation/foundation/nssecurecoding) was added to mitigate object-injection or deserialization attacks. The analysis found serializable classes that do not fully conform to the NSSecureCoding protocol. To prevent this issue from being detected, all serializable classes must conform to the NSSecureCoding protocol by:
Extending the NSSecureCoding class
Adding a boolean variable to the class (supportsSecureCoding) and setting the value to true
Ensuring that only safe decoding methods are used in the class init?(coder: NSCoding) constructor, such as decodeObjectOfClass()
Disclaimer: I work for Snyk. :)
This finding does not appear anymore. It was removed from the Snyk ruleset and Codable is not flagged anymore.
Traditional cases using NSCoding will still be flagged though:
    import Foundation

    // Conforms to NSCoding only (not NSSecureCoding), which is why Snyk still flags it.
    class Vehicle: NSObject, NSCoding {
        var make: String

        func encode(with coder: NSCoder) {
            coder.encode(make, forKey: "make")
        }

        init(make aMake: String) {
            self.make = aMake
        }

        required convenience init?(coder: NSCoder) {
            // Class-checked decode; the parameter type was missing in the original listing.
            guard let aMake = coder.decodeObject(of: NSString.self, forKey: "make") as? String
            else { return nil }
            self.init(make: aMake)
        }
    }
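For comparison, here is the same Vehicle shape rewritten to satisfy the three points the Snyk report lists (conform to NSSecureCoding, declare supportsSecureCoding, decode only with class-checked methods), plus an archive/unarchive round trip that requires secure coding on both sides. This is an added example, not code from the question, the answer, or Snyk; the class name SecureVehicle and the sample make value are made up for illustration.

```swift
import Foundation

// Same shape as the Vehicle class above, but conforming to NSSecureCoding
// so the unarchiver can verify the class of every decoded object.
final class SecureVehicle: NSObject, NSSecureCoding {
    // Required by NSSecureCoding: opts this class in to secure decoding.
    static var supportsSecureCoding: Bool { return true }

    let make: String

    init(make: String) {
        self.make = make
    }

    func encode(with coder: NSCoder) {
        coder.encode(make as NSString, forKey: "make")
    }

    // Only the class-checked decodeObject(of:forKey:) is used; an archive whose
    // "make" entry is not an NSString yields nil instead of an arbitrary object.
    required convenience init?(coder: NSCoder) {
        guard let make = coder.decodeObject(of: NSString.self, forKey: "make") else {
            return nil
        }
        self.init(make: make as String)
    }
}

// Round trip with secure coding required when archiving and when unarchiving.
func roundTrip(_ vehicle: SecureVehicle) throws -> SecureVehicle? {
    let data = try NSKeyedArchiver.archivedData(withRootObject: vehicle,
                                                requiringSecureCoding: true)
    // unarchivedObject(ofClass:from:) rejects a root object that is not a
    // SecureVehicle or whose class does not support secure coding.
    return try NSKeyedUnarchiver.unarchivedObject(ofClass: SecureVehicle.self, from: data)
}

do {
    // Constructed sample value.
    let restored = try roundTrip(SecureVehicle(make: "ExampleMake"))
    print(restored?.make ?? "decode failed")
} catch {
    print("archiving error: \(error)")
}
```

Passing requiringSecureCoding: true to the archiver fails fast if any object in the graph does not adopt NSSecureCoding, which is the same condition the static analysis is checking for.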