react-native-sqlite-storage icon indicating copy to clipboard operation
react-native-sqlite-storage copied to clipboard

Published 20 hours ago verified publisher icon andpor

Upgrade sqlite to 3.26.0 to fix security vulnerability and add window functions

Open jdanbrown opened this issue 6 years ago • 18 comments

Like https://github.com/litehelpers/Cordova-sqlite-storage/issues/837, which just landed a couple days ago. Many details on the security vulnerability are in the links in that issue.

jdanbrown avatar Dec 20 '18 20:12 jdanbrown

Here's a workaround until a newer sqlite is included as part of react-native-sqlite-storage:

  • Turns out that sqlite is included in ios:
    • https://github.com/yapstudios/YapDatabase/wiki/SQLite-version-(bundled-with-OS)
  • But you can bundle your own sqlite3 dylib that shadows the ios system dylib, e.g. using CocoaPods:
    • https://github.com/stephencelis/SQLite.swift/blob/master/Documentation/Index.md#requiring-a-specific-version-of-sqlite
    • https://github.com/clemensg/sqlite3pod
    • e.g. pod 'sqlite3', '~> 3.27.1'

jdanbrown avatar Feb 26 '19 20:02 jdanbrown

@jdanbrown how do you fix this on Android? Any Ideas

herlarb avatar Feb 27 '19 16:02 herlarb

@herlarb Nope, no idea, haven't tried android.

jdanbrown avatar Feb 27 '19 18:02 jdanbrown

The iOS library does not include SQLite binaries. It uses SQLite that is available on the iOS.

andpor avatar Mar 04 '19 13:03 andpor

how do you fix this on Android? Any Ideas

I recommend rebuilding NDK (*.so) libraries from https://github.com/brodybits/Android-sqlite-ext-native-driver and copying them into src/android-native/libs. The default master branch contains FTS5, R-Tree, REGEXP, and non-standard BASE64 functions; the sqlite-storage-native-driver branch branch does not contain these features.

brodycj avatar Mar 04 '19 18:03 brodycj

The iOS library does not include SQLite binaries. It uses SQLite that is available on the iOS.

Yeah, I didn't realize that at first, but did learn it in the course of figuring out my workaround above.

Another twist (cc @aidanw re #321):

After I followed my workaround I started seeing crashes in places I had not seen before, and the new crashes didn't make much sense to me (EXC_BAD_ACCESS from within the sqlite sql parser—see backtrace screenshot below), so I gave up on the nonstandard sqlite lib (3.27.1 via sqlite3pod) and rolled back to using the built-in ios sqlite lib (3.24.0).

If I were to dive into fixing it I'd start by tweaking sqlite3pod's sqlite build flags to enable some of the ones that increase safety (e.g. SQLITE_THREADSAFE=1—see the sqlite compile flags docs). It looks maybe possible to figure out which sqlite build flags were used for the ios built-in lib—a good first step might just be to match those—and also cordova-sqlite-storage's build flags could be another good reference.

image

jdanbrown avatar Mar 04 '19 19:03 jdanbrown

@andpor Sounds like a wontfix since this is an issue with the built-in ios sqlite lib? Going ahead and closing.

jdanbrown avatar Mar 04 '19 19:03 jdanbrown

@jdanbrown if you use custom sqlite lib, I would recommend you remove all references to libSQLite.a that you see in master/src/ios/SQLite.xcodeproj/project.pbxproj.

I think it is desired to rebuild NDK library objects for Android, as I described in https://github.com/andpor/react-native-sqlite-storage/issues/310#issuecomment-469357373.

brodycj avatar Mar 04 '19 20:03 brodycj

I think it is desired to rebuild NDK library objects for Android, as I described in #310 (comment).

Ah, +1, reopening.

jdanbrown avatar Mar 04 '19 20:03 jdanbrown

So I attempted to build the binaries using latest NDK. armeabi is no longer supported and had some compilation warnings about implicit pointer casts which make me a little uncomfortable. Awaiting some updates from @brodybits on this topic before I proceed.

andpor avatar Mar 05 '19 10:03 andpor

@jdanbrown - can you try new-native-sqlite-libs branch - I uploaded new native libs. Let me know how it works for you.

andpor avatar Mar 11 '19 19:03 andpor

My apologies for the delay. The trick for me was to use android-ndk version 16b (I think) to keep the old armeabi support. (I did already make a note on the Android-sqlite-ext-native-driver project.)

brodycj avatar Mar 11 '19 19:03 brodycj

@jdanbrown - can you try new-native-sqlite-libs branch - I uploaded new native libs. Let me know how it works for you.

I don't have an android build to test against. Maybe @herlarb or @brodybits can try it out?

jdanbrown avatar Mar 11 '19 22:03 jdanbrown

I am actually working on a new update based on a recent version of cordova-sqlite-storage. I hope to have it ready within the next few days or so. I am using create-react-native-module so that it should "just work" with normal automatic installation.

brodycj avatar Mar 13 '19 00:03 brodycj

I just posted the following project that uses SQLite 3.26.0 to support the transaction-based SQLite functionality on Android and iOS: https://github.com/brodybits/react-native-sqlite-plugin-legacy-support

It is based on a very recent release of cordova-sqlite-storage, working on Android and iOS only. The automatic installation should "just work" using Yarn. Note that it does not include some features such as Promise API, pre-populated databases, or ATTACH/DETACH API.

I would like to leave it as an open question whether or not it makes sense to integrate my new work more closely with this project. If not, I will look into supporting Cordova and React Native from almost the same code base moving forward. In any case I would like to express my gratitude to @andpor and others for the work in implementing and supporting this project over the past several years.

P.S. I pushed some documentation updates that were forgotten before. Please feel free to request any clarification that may be needed.

brodycj avatar Mar 15 '19 06:03 brodycj

Hey @brodybits and @andpor this may be more or less related, but we have been using this lib (v3.3.3) on ios for a while and made use of SQLite's JSON1 extension (json_object, json_group_array, ...), which has work out of box on iOS. Now we are porting the app to Android and realized that the old version of SQLite provided by Android does not include the json extension.

Reading this thread I believe you have updated SQLite on the new-native-sqlite-libs branch, but that will probably not change anything about the JSON extension, will it?

I am considering using https://github.com/requery/sqlite-android which has it built in and seems to be a drop-in replacement for android.database.sqlite.SQLiteDatabase.

A little pointer in the right direction would be highly appreciated.

AndreasKlein avatar Apr 03 '19 12:04 AndreasKlein

@AndreasKlein I am not actively supporting this project, I made https://github.com/xpbrew/react-native-sqlite-plugin-legacy-support to support SQLite updates on React Native. I raised https://github.com/xpbrew/react-native-sqlite-plugin-legacy-support/issues/1 to support JSON1 on that project. I hope to do this in the near future.

brodycj avatar Apr 03 '19 17:04 brodycj

@AndreasKlein I tried to update android version to use https://github.com/requery/sqlite-android. I think it looks awesome! As I understood they already support built native libraries packaged to AAR format.

But I couldn't even be able just to build / compile android project using Android Studio. So not sure how to test modifications. If anyone with better native experience could try to use sqlite-android? They provide fresh sqlite version with Android wrappers.

likern avatar Feb 14 '20 00:02 likern