Security Vulnerability in Core Data Stack
I have an Objective-C application which uses Core Data. In the Core Data stack class, I used the methods exactly as in the Apple documentation.
In the source code security analysis, the lines

```objc
NSURL *modelURL = [[NSBundle mainBundle] URLForResource:@"Model" withExtension:@"momd"];
_managedObjectModel = [[NSManagedObjectModel alloc] initWithContentsOfURL:modelURL];
```

are creating a vulnerability that must be solved to release the application. The report says it is not secure to access a file by filename because, on a jailbroken device, it can be manipulated.
Is it possible to initialize NSManagedObject in a different way, or is it a false positive?

The security tool also shows this kind of example for accessing and writing files securely:
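```objc
// Template needs six X's; mkstemps() keeps the 4-character ".txt" suffix.
NSString* fileNameTemplate = [NSTemporaryDirectory() stringByAppendingString:@"tmpfile-XXXXXX.txt"];
const size_t bufLength = 2048;
char fileNameBuf[bufLength];
strncpy(fileNameBuf, [fileNameTemplate cStringUsingEncoding:NSUTF8StringEncoding], bufLength - 1);
fileNameBuf[bufLength - 1] = '\0'; // strncpy does not guarantee termination
// Creates and opens a uniquely named file atomically (declared in <unistd.h>).
int fileDescriptor = mkstemps(fileNameBuf, 4);
if (fileDescriptor != -1) {
    NSFileHandle* fileHandle = [[NSFileHandle alloc] initWithFileDescriptor:fileDescriptor closeOnDealloc:YES];
    NSString* stringToWrite = @"Hello world";
    [fileHandle writeData:[stringToWrite dataUsingEncoding:NSUTF8StringEncoding]];
}
```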
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
