[HN Gopher] Remote Code Execution Found in CococaPods
       ___________________________________________________________________
        
       Remote Code Execution Found in CococaPods
        
       Author : st3fan
       Score  : 179 points
       Date   : 2021-04-20 13:56 UTC (9 hours ago)
        
 (HTM) web link (justi.cz)
 (TXT) w3m dump (justi.cz)
        
       | QuercusMax wrote:
       | There's a typo in the title; Should be CocoaPods, not Cococa.
        
       | [deleted]
        
       | [deleted]
        
       | mcraiha wrote:
| We only need CocoaPods, because Apple couldn't build a proper
| package manager for XCode. And I am quite sure even Apple uses
| CocoaPods internally.
       | 
       | CocoaPods itself is quite problematic: You need Ruby to run it.
       | Definitions aren't strict enough (you can use too old CocoaPods
       | binary for package that doesn't support it). Pods can cause build
       | conflicts/issues that might only be visible when you run your
       | app.
        
         | jquery wrote:
| > I am quite sure even Apple uses CocoaPods internally.
         | 
         | I'd be very surprised if Apple wasn't dogfooding their own tool
         | chain
        
           | dep_b wrote:
           | Apple probably uses SPM for new projects. But existing
           | projects are probably not switching to SPM soon.
        
         | danpalmer wrote:
         | I think the success and rapid adoption of Swift Package Manager
         | as it has become a viable solution speaks to this deep desire
         | in the community to have an Apple provided solution to it.
         | 
         | CocoaPods was a hugely important part of the iOS ecosystem and
         | will be for years to come, but SPM is a great next step.
        
           | Duckton wrote:
| I think you overestimate how long CocoaPods will be used, all
| third party libraries I've used in the last 6-12 months
| support SPM
        
             | throw14082020 wrote:
             | Pseudo-counter point: SPM for firebase iOS SDK is in beta,
             | and was released 2 weeks ago. Before this, you couldn't use
             | SPM. The readme recommended (defaulted) to Cocoapods, with
             | "experimental instructions for carthage". Therefore
             | Cocoapods is likely used by most iOS apps with firebase.
        
             | username_my1 wrote:
             | Our app is in objC and we're not planning a rewrite anytime
             | soon.
        
             | RandallBrown wrote:
             | And none of the ones I use support SPM.
        
               | dep_b wrote:
| So apparently a lot of them do support SPM even when it
| doesn't say so in the README. Confusing, annoying. Out of
| a project with 10 dependencies I thought only 4 supported
| SPM by reading the README but in the end only one (which
| was my own...) Cocoapod didn't have SPM support.
        
         | jonas21 wrote:
         | Not to mention that things like stats (useful for assessing
         | quality) and search ranking have been broken for years [1].
         | 
         | This isn't meant as a criticism of the CocoaPods team, who seem
         | to be doing the best they can given that they're working on a
         | volunteer basis and even had to pay for infrastructure costs
         | out of pocket. It just amazes me that Apple couldn't donate a
         | little bit to help out such a critical part of their developer
         | ecosystem.
         | 
         | [1] https://github.com/CocoaPods/cocoapods-stats/issues/32
        
           | Steltek wrote:
           | Brew, CocoaPods, who else is carrying Apple's water? It seems
           | to me that Apple never sold a Unix-like dev machine, they
           | provided hardware and a kernel for others to do so for free.
        
             | Cloudef wrote:
             | Brew and CocoaPods are quite horrible hacks, but still
             | better than nothing. Apple systems aren't very nice if you
             | have to delve out from the non apple garden.
        
             | st3fan wrote:
             | Pretty sure Apple funded MacPorts
        
         | lyptt wrote:
         | Swift Package Manager is the official package manager for
         | Xcode. It's been available for a few years now and a lot of
         | third party iOS/macOS projects support it. I haven't had to
         | touch CocoaPods in many years. For the past 5 years I've been
         | using Carthage, and more recently everything is SPM.
        
           | saagarjha wrote:
           | Sadly, the existence of Swift Package Manager has pretty much
           | taken all the wind out of the sails of third-party package
           | managers, and it has done so far too early.
        
         | marcusbuffett wrote:
         | Can confirm Apple iOS projects use CocoaPods internally, at
         | least the couple I was aware of when I worked there.
        
           | saagarjha wrote:
           | They do, although Apple doesn't use third party libraries
           | very often and when they do they tend to vendor them.
        
       | justicz wrote:
       | I found this bug! Here's my blog post about it:
       | https://justi.cz/security/2021/04/20/cocoapods-rce.html
       | 
| I started looking because I wanted to find bugs in Signal for
| iOS, which uses CocoaPods:
| https://github.com/signalapp/Signal-iOS/blob/master/Podfile
        
         | sigg3 wrote:
         | I like your shameless plug:
         | 
         | > I'm trying to give 10,000 mosquito nets to charity! If you
         | liked this post please consider donating a $2 mosquito net.
         | 
         | https://giveanet.org/
        
           | dgs_sgd wrote:
           | That's not a shameless plug, just a plug.
        
           | spondyl wrote:
           | Didn't Bill Gates purchase a heap of malaria nets only for it
           | to turn that out that people were using them for things like
           | fishing and generally just not using them for their intended
           | purposes?
           | 
           | Not to diminish the finding mind you, just that I was
           | surprised to hear about malaria nets.
           | 
           | https://www.nytimes.com/2015/01/25/world/africa/mosquito-
           | net...
        
             | tclancy wrote:
             | So you're saying the world got better because of it? Why is
             | everything some Benthamite calculus?
        
               | spondyl wrote:
               | > Why is everything some Benthamite calculus
               | 
               | I don't understand what this means
        
               | tweetle_beetle wrote:
               | Jeremy Bentham [1] was more or less the founder of
               | utilitarianism [2] as most people understand the notion
               | today.
               | 
| It's a suggestion that everything is only done on the
| basis of what will result in the most benefit, ignoring
| the morality of how it is achieved.
               | 
               | [1] https://en.wikipedia.org/wiki/Jeremy_Bentham [2]
               | https://en.wikipedia.org/wiki/Jeremy_Bentham
        
               | [deleted]
        
               | garblegarble wrote:
               | >So you're saying the world got better because of it?
               | 
               | Unfortunately not - the hole size on the nets is much
               | smaller than a normal fishing net, so it doesn't let
               | juveniles escape, reducing the future fish population.
               | 
               | A lot of the nets are also treated with insecticide,
               | which means you're essentially dumping insecticide into
               | the water, which can be dangerous to humans and toxic to
               | fish.
        
         | ksml wrote:
         | That was really short and sweet. Thanks for the writeup!
        
         | rplnt wrote:
         | > Then think about how much a security audit would cost.
         | 
         | This is why some customers require various security
         | certifications. Too bad the certifications often focus on
         | whether your employees have three groups of characters in their
         | passwords instead of an actual security audit with penetration
         | testing.
         | 
| My point being, how to make people want a proper audit and how
| to communicate you had one. From another point of view, how do
| you justify the cost without including the risk of being
| hacked? Because even in this instance, they were (probably) not
| hacked, and your reward was likely lower than an audit would
| cost.
        
           | londons_explore wrote:
           | You put up a decent sized bug bounty. Whether or not the
           | bounty is claimed, it shows your company either has good
           | security, or is prepared to put a lot of resources into
           | making it good.
        
         | kirby88 wrote:
| I still don't get why the --upload-pack option executes its
| content... Seems pretty dangerous to me. How did you find that
| out?
        
         | dang wrote:
         | I think it would be fair for the thread to point to your post,
         | so I've swapped your URL in for
         | https://blog.cocoapods.org/CocoaPods-Trunk-RCE/ above.
        
       | SiempreViernes wrote:
       | Honestly surprised this wasn't about some internet connected
       | coffee machine!
       | 
       | I expect you could make a hard developer trivia game where people
       | have to guess if a vulnerability was found in an IOT app or a
       | SAAS app based only on the name.
        
         | amelius wrote:
         | > Honestly surprised this wasn't about some internet connected
         | coffee machine!
         | 
         | Whenever IT folks run out of good names they always turn to
         | coffee.
        
         | hashmush wrote:
         | Like this one? Not IoT or SaaS, but big data.
         | https://pixelastic.github.io/pokemonorbigdata/
        
       | ChrisMarshallNY wrote:
       | Kudos to them for a proactive approach.
       | 
       | I'm deprecating my use of Cocoapods (for publishing -I never use
       | them for my own software), in favor of SPM.
       | 
       | That said, it's clearly a labor of love, and filled an important
       | niche for years.
        
         | zacwest wrote:
         | SPM has a lot of issues, though. For example: if you depend on
         | a static library, it will both statically link it _and_ embed
         | the binary; likewise, a static library dependency in a
         | framework will cause build failures ~70% of the time when
         | clean. There's others around resources, etc.
         | 
| I do not believe SPM is mature enough to be the entire
| platform, and worse yet if you experience any problems it is
| entirely impossible to customize the behavior. I think it's
| going to be another year or 2 before dropping CocoaPods
| entirely is a fair choice for libraries -- SPM works for the
| most basic use cases, but not all.
        
           | tspike wrote:
           | Carthage has been a happy middle ground for us. It doesn't
           | dictate the structure or configuration of your project.
        
             | lyptt wrote:
             | Only annoyance for me with Carthage is needing to strip
             | architectures out of the built frameworks in order for the
             | app to be validated when uploading to App Store Connect.
             | It's an awesome solution though, and much better than
             | CocoaPods.
        
               | AJRF wrote:
               | Carthage supports XCFrameworks now which means this is no
               | longer required.
        
               | lyptt wrote:
               | Nice! Glad to hear that's finally been fixed
        
           | AJRF wrote:
           | > if you depend on a static library, it will both statically
           | link it _and_ embed the binary
           | 
           | That's fixed in Xcode 12.5
           | https://developer.apple.com/documentation/xcode-release-
           | note...
        
             | ChrisMarshallNY wrote:
             | Ah. I see why this has not been an issue with me for most
             | (maybe not all) of my projects. Most have only a single-
             | layer dependency.
             | 
             | Looks like this happens for chained dependencies _( "a
             | Swift package with binary dependencies", below)_, in apps
             | with extensions (I have none).
             | 
             | This is from the 12.4 notes[0]:
             | 
| > If you use a Swift package with binary dependencies in
| an app with extensions, the build system incorrectly embeds
| the binary dependencies alongside the extension in the
| PlugIns directory, causing validation of the archived app
| to fail. (69834549) (FB8761306) Workaround: Add a scheme
| post-build action which removes the embedded binaries from
| the PlugIns directory after the build, e.g. rm -rf
| "${TARGET_BUILD_DIR}/${TARGET_NAME}.app"/PlugIns/*.framework.*
             | 
             | I do not see a note in the 12.5 notes addressing this[1].
             | 
             | [0] https://developer.apple.com/documentation/xcode-
             | release-note...
             | 
             | [1] https://developer.apple.com/documentation/xcode-
             | release-note...
        
           | danpalmer wrote:
           | > I think it's going to be another year or 2 before dropping
           | CocoaPods entirely is a fair choice for libraries
           | 
           | For libraries this is probably true, but I would imagine that
           | most apps could start on SPM from today and never need to
           | introduce CocoaPods or Carthage (we did, ~1 year ago). There
           | are certainly limitations, but they are disappearing fairly
           | rapidly, and the advantage of simpler builds, no Ruby setup,
           | simpler Xcode project structures, etc, are worthwhile.
        
           | ChrisMarshallNY wrote:
           | Well, I won't go into the issues that prevent me from using
           | CocoaPods, and why I'm not going to be publishing my
           | libraries on them, from now on, but SPM has worked well for
           | me. I am _very_ careful about what I include in my projects.
           | Most of my dependencies are fairly small ones that I wrote
           | and published. Many are a single source file.
           | 
           | I don't see the libraries being embedded in my project, but
           | maybe I need to use something like iMazing to look at the
           | package.
        
       | [deleted]
        
       | xucheng wrote:
       | This seems to be an issue of git. It's very surprising that a git
       | command would invoke its arguments in shell.
        
         | tantalor wrote:
         | The issue is ruby's `system` method which interprets args in
         | the shell.
         | 
         | They should have used `popen` instead.
         | 
         | This is similar to python's subprocess with `shell=True`
         | 
         | Edit: I'm wrong!
         | 
         | > ls-remote has a parameter --upload-pack which can be used to
         | execute a new shell
        
           | xucheng wrote:
| I don't believe this is the case.
| 
|     [1] pry(main)> system "echo", "$(whoami)"
|     $(whoami)
|     => true
|     [2] pry(main)> system "git", "ls-remote", "--upload-pack=$(whoami)", "HEAD"
|     $(whoami) 'HEAD': USERNAME: command not found
|     fatal: Could not read from remote repository.
|     
|     Please make sure you have the correct access rights
|     and the repository exists.
|     => false
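The two comments above (tantalor's `system`-vs-`popen` theory and xucheng's pry session) turn on one distinction: whether Ruby hands a command to /bin/sh, and what the child program itself does with an argument shaped like an option. The block below is an added example, not code from the thread or from CocoaPods, contrasting the single-string and argument-vector spawn forms and adding the guard a defender would want in front of a caller-supplied git URL (rejecting values that start with "-" and placing "--" before the positionals). The `https://` allowlist and the function names are assumptions made for this example.

```ruby
# Added example (not from the HN thread or the CocoaPods project): how Ruby
# decides whether /bin/sh is involved when spawning a process, and a guard
# against option injection for a caller-supplied git source URL.
require 'open3'

# Single-string form: Ruby passes the string to /bin/sh -c when it contains
# shell metacharacters, so $(...), $((...)), |, ; and friends are interpreted.
def run_string(cmd)
  out, _err, status = Open3.capture3(cmd)
  [out, status.success?]
end

# Argument-vector form: no shell is involved and every element reaches the
# child process verbatim. This is the form system("git", "ls-remote", ...)
# uses, so shell metacharacters inside a URL are NOT expanded here.
def run_argv(*argv)
  out, _err, status = Open3.capture3(*argv)
  [out, status.success?]
end

# Even without a shell, the child program still parses its own options:
# a URL beginning with "-" is read by git as an option such as
# --upload-pack. Reject it before it is placed in the argument vector.
# The https:// allowlist is an assumption for this example, not a rule
# taken from CocoaPods.
def validate_source_url(url)
  if url.start_with?('-')
    raise ArgumentError, "source must not look like an option: #{url.inspect}"
  end
  unless url.start_with?('https://')
    raise ArgumentError, "only https:// sources are accepted: #{url.inspect}"
  end
  url
end

# Builds the argument vector for `git ls-remote`, with "--" before the
# positional arguments so git's option parser stops looking for options.
# Returns the vector instead of running it so the example works offline.
def git_ls_remote_argv(url)
  ['git', 'ls-remote', '--', validate_source_url(url), 'HEAD']
end

if __FILE__ == $PROGRAM_NAME
  p run_string('echo $((1+1))')      # shell arithmetic runs: ["2\n", true]
  p run_argv('echo', '$((1+1))')     # literal text, no shell: ["$((1+1))\n", true]
  p git_ls_remote_argv('https://github.com/example/repo.git')
  begin
    git_ls_remote_argv('--upload-pack=some-command')   # constructed bad input
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The first two calls show why the pry session above behaves as it does: `echo` receives the literal text in the vector form. The validator is the part CocoaPods-style code needs in addition to the vector form, because the vector form only keeps the shell out; it does nothing about how git interprets its own argv.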
        
             | kirby88 wrote:
             | I had the same reaction as you... it looks like the
             | vulnerability is coming from git, that's a very dangerous
             | behavior.
        
             | [deleted]
        
             | [deleted]
        
             | tantalor wrote:
             | Oh, that's very silly. Don't do that!
        
       | [deleted]
        
         | [deleted]
        
         | [deleted]
        
       | AJRF wrote:
| Looks like they've made a web-app (https://pod-sources.cocoapods.org/)
| to check the distinct sources of a pod so
| you can have a fish to see if a source location url changed
| behind your back.
       | 
       | Would be good to show a list of all repositories where there are
       | more than 1 distinct source as most people who make pods just
       | point to their Github repo release page.
       | 
       | It's very tedious to check the impact of this without that list.
        
       | w0mbat wrote:
       | I don't use CocoaPods because a) they are a gaping supply chain
       | vulnerability and b) they lead to bloat as people routinely pull
       | in a whole package for one routine.
       | 
       | I manually import and rewrite snippets of 3rd party code when
       | needed, or I write needed utils myself. I lean on the OS as much
       | as possible, not dodgy and often abandoned 3rd party libraries.
        
       ___________________________________________________________________
       (page generated 2021-04-20 23:00 UTC)