[HN Gopher] Remote Code Execution Found in CococaPods
___________________________________________________________________
Author : st3fan
Score : 179 points
Date : 2021-04-20 13:56 UTC (9 hours ago)
web link (justi.cz)

| QuercusMax wrote:
| There's a typo in the title; should be CocoaPods, not Cococa.
| [deleted]
| [deleted]
| mcraiha wrote:
| We only need CocoaPods because Apple couldn't build a proper
| package manager for Xcode. And I am quite sure even Apple uses
| CocoaPods internally.
|
| CocoaPods itself is quite problematic: you need Ruby to run it.
| Definitions aren't strict enough (you can use a too-old CocoaPods
| binary for a package that doesn't support it). Pods can cause build
| conflicts/issues that might only be visible when you run your
| app.
| jquery wrote:
| > I am quite sure even Apple uses CocoaPods internally.
|
| I'd be very surprised if Apple wasn't dogfooding their own tool
| chain
| dep_b wrote:
| Apple probably uses SPM for new projects. But existing
| projects are probably not switching to SPM soon.
| danpalmer wrote:
| I think the success and rapid adoption of Swift Package Manager
| as it has become a viable solution speaks to this deep desire
| in the community to have an Apple-provided solution to it.
|
| CocoaPods was a hugely important part of the iOS ecosystem and
| will be for years to come, but SPM is a great next step.
| Duckton wrote:
| I think you overestimate how long CocoaPods will be used; all
| third-party libraries I've used in the last 6-12 months
| support SPM
| throw14082020 wrote:
| Pseudo-counterpoint: SPM for the Firebase iOS SDK is in beta,
| and was released 2 weeks ago. Before this, you couldn't use
| SPM. The readme recommended (defaulted) to CocoaPods, with
| "experimental instructions for Carthage". Therefore
| CocoaPods is likely used by most iOS apps with Firebase.
| username_my1 wrote:
| Our app is in ObjC and we're not planning a rewrite anytime
| soon.
| RandallBrown wrote:
| And none of the ones I use support SPM.
| dep_b wrote:
| So apparently a lot of them do support SPM even when it
| doesn't say so in the README. Confusing, annoying. Out of
| a project with 10 dependencies I thought only 4 supported
| SPM by reading the README, but in the end only one (which
| was my own...) CocoaPod didn't have SPM support.
| jonas21 wrote:
| Not to mention that things like stats (useful for assessing
| quality) and search ranking have been broken for years [1].
|
| This isn't meant as a criticism of the CocoaPods team, who seem
| to be doing the best they can given that they're working on a
| volunteer basis and even had to pay for infrastructure costs
| out of pocket. It just amazes me that Apple couldn't donate a
| little bit to help out such a critical part of their developer
| ecosystem.
|
| [1] https://github.com/CocoaPods/cocoapods-stats/issues/32
| Steltek wrote:
| Brew, CocoaPods, who else is carrying Apple's water? It seems
| to me that Apple never sold a Unix-like dev machine; they
| provided hardware and a kernel for others to do so for free.
| Cloudef wrote:
| Brew and CocoaPods are quite horrible hacks, but still
| better than nothing. Apple systems aren't very nice if you
| have to delve out from the non-Apple garden.
| st3fan wrote:
| Pretty sure Apple funded MacPorts
| lyptt wrote:
| Swift Package Manager is the official package manager for
| Xcode. It's been available for a few years now and a lot of
| third-party iOS/macOS projects support it. I haven't had to
| touch CocoaPods in many years. For the past 5 years I've been
| using Carthage, and more recently everything is SPM.
| saagarjha wrote:
| Sadly, the existence of Swift Package Manager has pretty much
| taken all the wind out of the sails of third-party package
| managers, and it has done so far too early.
| marcusbuffett wrote:
| Can confirm Apple iOS projects use CocoaPods internally, at
| least the couple I was aware of when I worked there.
| saagarjha wrote:
| They do, although Apple doesn't use third-party libraries
| very often, and when they do they tend to vendor them.
| justicz wrote:
| I found this bug! Here's my blog post about it:
| https://justi.cz/security/2021/04/20/cocoapods-rce.html
|
| I started looking because I wanted to find bugs in Signal for
| iOS, which uses CocoaPods:
| https://github.com/signalapp/Signal-iOS/blob/master/Podfile
| sigg3 wrote:
| I like your shameless plug:
|
| > I'm trying to give 10,000 mosquito nets to charity! If you
| liked this post please consider donating a $2 mosquito net.
|
| https://giveanet.org/
| dgs_sgd wrote:
| That's not a shameless plug, just a plug.
| spondyl wrote:
| Didn't Bill Gates purchase a heap of malaria nets only for it
| to turn out that people were using them for things like
| fishing and generally just not using them for their intended
| purposes?
|
| Not to diminish the finding, mind you, just that I was
| surprised to hear about malaria nets.
|
| https://www.nytimes.com/2015/01/25/world/africa/mosquito-net...
| tclancy wrote:
| So you're saying the world got better because of it? Why is
| everything some Benthamite calculus?
| spondyl wrote:
| > Why is everything some Benthamite calculus
|
| I don't understand what this means
| tweetle_beetle wrote:
| Jeremy Bentham [1] was more or less the founder of
| utilitarianism [2] as most people understand the notion
| today.
|
| It's a suggestion that everything is only done on the
| basis of what will result in the most benefit, ignoring
| the morality of how it is achieved.
|
| [1] https://en.wikipedia.org/wiki/Jeremy_Bentham
| [2] https://en.wikipedia.org/wiki/Jeremy_Bentham
| [deleted]
| garblegarble wrote:
| > So you're saying the world got better because of it?
|
| Unfortunately not - the hole size on the nets is much
| smaller than a normal fishing net, so it doesn't let
| juveniles escape, reducing the future fish population.
|
| A lot of the nets are also treated with insecticide,
| which means you're essentially dumping insecticide into
| the water, which can be dangerous to humans and toxic to
| fish.
| ksml wrote:
| That was really short and sweet. Thanks for the writeup!
| rplnt wrote:
| > Then think about how much a security audit would cost.
|
| This is why some customers require various security
| certifications. Too bad the certifications often focus on
| whether your employees have three groups of characters in their
| passwords instead of an actual security audit with penetration
| testing.
|
| My point being, how to make people want a proper audit and how
| to communicate you had one. From another point of view, how do
| you justify the cost without including the risk of being
| hacked? Because even in this instance, they were (probably) not
| hacked, and your reward was likely lower than an audit would
| cost.
| londons_explore wrote:
| You put up a decent-sized bug bounty. Whether or not the
| bounty is claimed, it shows your company either has good
| security, or is prepared to put a lot of resources into
| making it good.
| kirby88 wrote:
| I still don't get why the --upload-pack option executes its
| content... Seems pretty dangerous to me. How did you find that
| out?
| dang wrote:
| I think it would be fair for the thread to point to your post,
| so I've swapped your URL in for
| https://blog.cocoapods.org/CocoaPods-Trunk-RCE/ above.
| SiempreViernes wrote:
| Honestly surprised this wasn't about some internet-connected
| coffee machine!
|
| I expect you could make a hard developer trivia game where people
| have to guess if a vulnerability was found in an IoT app or a
| SaaS app based only on the name.
| amelius wrote:
| > Honestly surprised this wasn't about some internet-connected
| coffee machine!
|
| Whenever IT folks run out of good names they always turn to
| coffee.
| hashmush wrote:
| Like this one? Not IoT or SaaS, but big data.
| https://pixelastic.github.io/pokemonorbigdata/
| ChrisMarshallNY wrote:
| Kudos to them for a proactive approach.
|
| I'm deprecating my use of CocoaPods (for publishing - I never use
| them for my own software), in favor of SPM.
|
| That said, it's clearly a labor of love, and filled an important
| niche for years.
| zacwest wrote:
| SPM has a lot of issues, though. For example: if you depend on
| a static library, it will both statically link it _and_ embed
| the binary; likewise, a static library dependency in a
| framework will cause build failures ~70% of the time when
| clean. There are others around resources, etc.
|
| I do not believe SPM is mature enough to be the entire
| platform, and worse yet, if you experience any problems it is
| entirely impossible to customize the behavior. I think it's
| going to be another year or 2 before dropping CocoaPods
| entirely is a fair choice for libraries -- SPM works for the
| most basic use cases, but not all.
| tspike wrote:
| Carthage has been a happy middle ground for us. It doesn't
| dictate the structure or configuration of your project.
| lyptt wrote:
| The only annoyance for me with Carthage is needing to strip
| architectures out of the built frameworks in order for the
| app to be validated when uploading to App Store Connect.
| It's an awesome solution though, and much better than
| CocoaPods.
| AJRF wrote:
| Carthage supports XCFrameworks now, which means this is no
| longer required.
| lyptt wrote:
| Nice! Glad to hear that's finally been fixed
| AJRF wrote:
| > if you depend on a static library, it will both statically
| link it _and_ embed the binary
|
| That's fixed in Xcode 12.5
| https://developer.apple.com/documentation/xcode-release-note...
| ChrisMarshallNY wrote:
| Ah. I see why this has not been an issue with me for most
| (maybe not all) of my projects.
| Most have only a single-layer dependency.
|
| Looks like this happens for chained dependencies _("a
| Swift package with binary dependencies", below)_, in apps
| with extensions (I have none).
|
| This is from the 12.4 notes[0]:
|
| _> If you use a Swift package with binary dependencies in
| an app with extensions, the build system incorrectly embeds
| the binary dependencies alongside the extension in the
| PlugIns directory, causing validation of the archived app
| to fail. (69834549) (FB8761306) Workaround: Add a scheme
| post-build action which removes the embedded binaries from
| the PlugIns directory after the build, e.g. rm -rf
| "${TARGET_BUILD_DIR}/${TARGET_NAME}.app"/PlugIns/_.framework.*
|
| I do not see a note in the 12.5 notes addressing this[1].
|
| [0] https://developer.apple.com/documentation/xcode-release-note...
|
| [1] https://developer.apple.com/documentation/xcode-release-note...
| danpalmer wrote:
| > I think it's going to be another year or 2 before dropping
| CocoaPods entirely is a fair choice for libraries
|
| For libraries this is probably true, but I would imagine that
| most apps could start on SPM from today and never need to
| introduce CocoaPods or Carthage (we did, ~1 year ago). There
| are certainly limitations, but they are disappearing fairly
| rapidly, and the advantages of simpler builds, no Ruby setup,
| simpler Xcode project structures, etc., are worthwhile.
| ChrisMarshallNY wrote:
| Well, I won't go into the issues that prevent me from using
| CocoaPods, and why I'm not going to be publishing my
| libraries on them from now on, but SPM has worked well for
| me. I am _very_ careful about what I include in my projects.
| Most of my dependencies are fairly small ones that I wrote
| and published. Many are a single source file.
|
| I don't see the libraries being embedded in my project, but
| maybe I need to use something like iMazing to look at the
| package.
| [deleted]
| xucheng wrote:
| This seems to be an issue of git. It's very surprising that a git
| command would invoke its arguments in the shell.
| tantalor wrote:
| The issue is Ruby's `system` method, which interprets args in
| the shell.
|
| They should have used `popen` instead.
|
| This is similar to Python's subprocess with `shell=True`.
|
| Edit: I'm wrong!
|
| > ls-remote has a parameter --upload-pack which can be used to
| execute a new shell
| xucheng wrote:
| I don't believe this is the case.
|
|     [1] pry(main)> system "echo", "$(whoami)"
|     $(whoami)
|     => true
|     [2] pry(main)> system "git", "ls-remote", "--upload-pack=$(whoami)", "HEAD"
|     $(whoami) 'HEAD': USERNAME: command not found
|     fatal: Could not read from remote repository.
|
|     Please make sure you have the correct access rights
|     and the repository exists.
|     => false
| kirby88 wrote:
| I had the same reaction as you... it looks like the
| vulnerability is coming from git; that's a very dangerous
| behavior.
| [deleted]
| [deleted]
| tantalor wrote:
| Oh, that's very silly. Don't do that!
| [deleted]
| [deleted]
| [deleted]
| AJRF wrote:
| Looks like they've made a web app (https://pod-sources.cocoapods.org/)
| to check the distinct sources of a pod so
| you can have a fish to see if a source location URL changed
| behind your back.
|
| Would be good to show a list of all repositories where there are
| more than 1 distinct source, as most people who make pods just
| point to their GitHub repo release page.
|
| It's very tedious to check the impact of this without that list.
| w0mbat wrote:
| I don't use CocoaPods because a) they are a gaping supply chain
| vulnerability and b) they lead to bloat as people routinely pull
| in a whole package for one routine.
|
| I manually import and rewrite snippets of 3rd-party code when
| needed, or I write needed utils myself. I lean on the OS as much
| as possible, not dodgy and often abandoned 3rd-party libraries.
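The tantalor/xucheng exchange above pins down the real lesson: Ruby's array-form `system` never touches a shell, yet a user-controlled "URL" can still be parsed by git as an option such as `--upload-pack=...`, whose value git hands to a shell. The following is an added example (editor's code, not CocoaPods' code and not the fix the project shipped) of how a service that runs `git ls-remote` on user-supplied source URLs can refuse option-shaped input. The helper names `safe_git_source?`, `ls_remote_argv` and `ls_remote` are hypothetical; the example assumes that `git ls-remote` stops option parsing at `--` and that `GIT_PROTOCOL_FROM_USER=0` disables git's "user"-policy transports (such as `ext::`), both of which are documented git behaviour.

```ruby
require "open3"
require "uri"

# Added example, not CocoaPods' own code. Demonstrates validating a
# user-supplied git source before it reaches `git ls-remote`.
class UnsafeSourceError < StandardError; end

# Accept only an https URL with a host. Anything beginning with "-" would be
# consumed by git as a flag (e.g. "--upload-pack=<cmd>") rather than as a
# repository URL, and non-https transports (ssh://, file://, ext::) widen
# what git is willing to do on the caller's behalf.
def safe_git_source?(source)
  return false unless source.is_a?(String) && !source.empty?
  return false if source.start_with?("-")   # option-shaped value
  return false if source.match?(/\s/)       # no whitespace in a URL
  uri = URI.parse(source)
  uri.scheme == "https" && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# Build the argv for `git ls-remote`. Validation runs first; "--" is kept as a
# second layer so that a value git would otherwise read as an option cannot be
# parsed as one (assumption: ls-remote honours "--" as end-of-options).
def ls_remote_argv(source, ref = "HEAD")
  unless safe_git_source?(source)
    raise UnsafeSourceError, "refused source: #{source.inspect}"
  end
  ["git", "ls-remote", "--", source, ref]
end

# Run git with an argv array (no shell involved) and tell git the URL came
# from an untrusted user, which disables the "user"-policy transports.
def ls_remote(source, ref = "HEAD")
  env = { "GIT_PROTOCOL_FROM_USER" => "0" }
  out, err, status = Open3.capture3(env, *ls_remote_argv(source, ref))
  { ok: status.success?, stdout: out, stderr: err }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one ordinary pod source, one option-shaped one.
  ["https://github.com/example/repo.git", "--upload-pack=$(whoami)"].each do |s|
    puts "#{s.inspect} -> #{safe_git_source?(s) ? 'allowed' : 'refused'}"
  end
end
```

The three layers are independent on purpose: the allow-list on scheme and host rejects option-shaped and exotic-transport values up front, `--` makes the argv safe even if a later refactor weakens the validation, and the environment setting covers transports that are selected by URL prefix rather than by an option.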
___________________________________________________________________
(page generated 2021-04-20 23:00 UTC)