
Replace NSLog with AppAuthRequestTrace

Open mattio opened this issue 4 years ago • 4 comments

IANS did a pen test for us on our app, which uses AppAuth. They included a low risk finding in part because of some calls to NSLog. There were some in our code and I noticed there are a couple in AppAuth.

What do we think about replacing them with calls to AppAuthRequestTrace instead?

I'm happy to submit a PR for the change.

mattio avatar Apr 01 '20 16:04 mattio

Hello, following security tests with the Fortify tool, I obtained the same vulnerability. Would it be possible to correct / improve this log? Thank you

cap-dbaronnet avatar May 19 '20 09:05 cap-dbaronnet

Is the issue that the NSLog dumps the object?

Happy to see a PR. I'd suggest in that case having 2 lines: the same NSLog without the object included, and a statement to enable tracing to debug, and then a trace one with it included.

WilliamDenniss avatar May 29 '20 23:05 WilliamDenniss

Here's the CWE they referenced: https://cwe.mitre.org/data/definitions/532.html

Sounds like their issue is the presence of NSLog at all.

My assumption is if I could point our InfoSec team to the source and they could see it's innocuous and works as you describe, and I could demonstrate how the compiler settings don't include the trace, everyone would be happy.

Super minor, but will try to make time for the PR.

mattio avatar Jun 11 '20 18:06 mattio
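An illustration of the two-line pattern WilliamDenniss suggests above, together with the compile-time gate mattio wants to be able to demonstrate. This is an added example, not code from AppAuth-iOS or from anyone in the thread. `ExampleRequestTrace`, the `ENABLE_TRACE` flag and `ExampleTokenResponse` are all assumptions made for this snippet; AppAuth's real `AppAuthRequestTrace` macro lives in OIDDefines.h and may be gated by a different flag, so check that file before citing it to an auditor.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical stand-in for AppAuth's compile-time trace gate. The real
// AppAuthRequestTrace macro is defined in OIDDefines.h; the flag name
// ENABLE_TRACE is an assumption for this example.
#if defined(ENABLE_TRACE) && ENABLE_TRACE
#define ExampleRequestTrace(fmt, ...) NSLog(fmt, ##__VA_ARGS__)
#else
#define ExampleRequestTrace(fmt, ...) do {} while (0)
#endif

// Constructed model object standing in for a token response. Not AppAuth's
// OIDTokenResponse; it only exists to show what ends up in the log.
@interface ExampleTokenResponse : NSObject
@property (nonatomic, copy) NSString *tokenType;
@property (nonatomic, copy) NSString *accessToken;
@property (nonatomic, copy) NSString *refreshToken;
@end

@implementation ExampleTokenResponse
// Like many model objects, -description prints every field. That is what
// turns `NSLog(@"%@", response)` into a CWE-532 finding: the tokens land in
// the unified log, readable by anything that can pull device logs.
- (NSString *)description {
  return [NSString stringWithFormat:@"<%@ type=%@ access=%@ refresh=%@>",
          NSStringFromClass([self class]), self.tokenType,
          self.accessToken, self.refreshToken];
}
@end

// BEFORE: the whole object, secrets included, is logged unconditionally.
static void logTokenResponseUnsafe(ExampleTokenResponse *response) {
  NSLog(@"Token response received: %@", response);
}

// AFTER: the pattern from the thread. The always-on line carries no object
// and no secret; the object-bearing line is compiled out entirely unless the
// build sets ENABLE_TRACE, so release binaries never contain that call.
static void logTokenResponseSafe(ExampleTokenResponse *response) {
  NSLog(@"Token response received (rebuild with ENABLE_TRACE=1 to trace details).");
  ExampleRequestTrace(@"Token response detail: %@", response);
}

int main(int argc, const char *argv[]) {
  @autoreleasepool {
    ExampleTokenResponse *r = [ExampleTokenResponse new];
    r.tokenType = @"Bearer";
    r.accessToken = @"access-token-constructed-sample";   // constructed values
    r.refreshToken = @"refresh-token-constructed-sample";
    logTokenResponseUnsafe(r);   // leaks both tokens to the log
    logTokenResponseSafe(r);     // leaks nothing in a default build
  }
  return 0;
}
```

Build it twice to see the gate at work: `clang -framework Foundation example.m -o example` for the default build and `clang -DENABLE_TRACE=1 -framework Foundation example.m -o example-trace` for the tracing build. Because the macro expands to nothing in the default build, the `Token response detail:` format string is absent from that binary (`strings example | grep 'detail'` finds nothing), which is the kind of evidence an InfoSec team can verify against the shipped .ipa rather than taking on trust.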

Any update on this? I also found this vulnerability in my Fortify scan results. The PR has been open for quite some time.

reline avatar Feb 09 '21 21:02 reline