firebase-ios-sdk
Potential path-traversal vulnerability in the messaging component of Firebase SDK for iOS
Description
The vulnerability is hypothetical and was found using a source code scanner on an unrelated project using Firebase SDK for iOS. I have no way to test it. It was previously reported to the security issue tracker and found to be not important enough. So I am reporting it again here.
Affected Branch: main (all since PR #6591)
File: firebase-ios-sdk/FirebaseMessaging/Sources/FIRMessagingExtensionHelper.m
The method "fileExtensionForResponse" (line 140) attempts to construct a proper file extension for image files using the MIME Type received in the response to a network request. This is done by stripping away the "image/" portion of the MIME Type and replacing it with a dot ("."). The constructed extension is later used by simply appending it to a file path (lines 170-173). There is no check if the MIME Type is sane. If the MIME Type is, for example, "image/png/../../../target_file", an unrelated file could be overwritten.
Reproducing the issue
It is unclear how or if this can actually be exploited. An exploit would require downloading of an attachment from a malicious web server.
Firebase SDK Version
main (all since PR #6591)
Xcode Version
N/A
Installation Method
N/A
Firebase Product(s)
Messaging
Targeted Platforms
N/A
Relevant Log Output
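
A sketch of the missing sanity check, added here as an example; it is not part of the original report and is not Firebase SDK code. The function names, the allowed character set and the 16-character limit are assumptions chosen for illustration.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper: maps an image MIME type to ".subtype", or returns nil
// when the subtype is anything other than a short plain token.
static NSString *SafeExtensionForMIMEType(NSString *mimeType) {
  NSString *lower = mimeType.lowercaseString;
  if (![lower hasPrefix:@"image/"]) return nil;
  NSString *subtype = [lower substringFromIndex:@"image/".length];
  // Drop parameters such as "; charset=utf-8" before validating.
  subtype = [subtype componentsSeparatedByString:@";"].firstObject;
  subtype = [subtype
      stringByTrimmingCharactersInSet:NSCharacterSet.whitespaceCharacterSet];
  // Assumed allowlist: excludes '/', '.', '\' and every non-ASCII character.
  NSCharacterSet *allowed = [NSCharacterSet
      characterSetWithCharactersInString:@"abcdefghijklmnopqrstuvwxyz0123456789+-"];
  if (subtype.length == 0 || subtype.length > 16) return nil;
  if ([subtype rangeOfCharacterFromSet:allowed.invertedSet].location != NSNotFound)
    return nil;
  return [@"." stringByAppendingString:subtype];
}

// Hypothetical helper: builds the attachment path only when the final file
// name is a single path component, so it cannot leave `directory`.
static NSString *AttachmentPath(NSString *directory, NSString *baseName,
                                NSString *mimeType) {
  NSString *ext = SafeExtensionForMIMEType(mimeType);
  if (ext == nil) return nil;
  NSString *fileName = [baseName stringByAppendingString:ext];
  // Defence in depth: a name with a separator has a different last component.
  if (![fileName.lastPathComponent isEqualToString:fileName]) return nil;
  return [directory stringByAppendingPathComponent:fileName];
}

int main(void) {
  @autoreleasepool {
    // Constructed inputs; the second is the example value from the report.
    NSArray<NSString *> *samples = @[
      @"image/png", @"image/png/../../../target_file",
      @"image/svg+xml; charset=utf-8", @"text/html"
    ];
    for (NSString *mime in samples) {
      NSString *path = AttachmentPath(NSTemporaryDirectory(), @"attachment", mime);
      NSLog(@"%@ -> %@", mime, path ?: @"(rejected)");
    }
  }
  return 0;
}
```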