
No trust evaluation handling after receiving the authentication challenge #2263

Open
3 tasks done
vsonawane-csod opened this issue Jun 17, 2024 · 1 comment

Comments

@vsonawane-csod

vsonawane-csod commented Jun 17, 2024

Check List

Thanks for considering opening an issue. Before you submit your issue, please confirm these boxes are checked.

Issue Description

During our project's security scan, we received a bug related to Manual Server Trust Authentication Attempts, which can cause a vulnerability in the app by providing a window for a man-in-the-middle attack.

What

The security scan shows the evidence below, which exposes the URL, and it doesn't seem to perform any kind of trust evaluation after the delegate method:

    func urlSession(
        _ session: URLSession,
        didReceive challenge: URLAuthenticationChallenge
    ) async -> (URLSession.AuthChallengeDisposition, URLCredential?)

Here is the trace:

{
  "class": "KFSessionDelegate",
  "connectingTo": "our_url_here",
  "firstMethod": "- URLSession:didReceiveChallenge:completionHandler:",
  "secondMethod": "NSURLSessionAuthChallengeUseCredential"
} 

Other Comment

Can you please let me know how to deal with this?

@onevcat
Owner

onevcat commented Jun 18, 2024

Kingfisher implements these delegate methods in the image downloader and delegates them out again to allow library users to customize their own logic. By default, as long as you didn't provide your implementation or set the trustedHosts, a .performDefaultHandling and a nil URLCredential are returned, so I don't see an issue in Kingfisher's implementation.

I am not sure what issue you are facing now. If it is a warning from your security scan, then I believe it is a false positive, and maybe it is better to ask the security scan support team to see if there is a way to prevent this.
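As an added example (not Kingfisher's own code, and not code from either commenter), this is one way to supply the explicit trust evaluation the scan reports as missing: a responder that runs standard chain validation and then pins the leaf certificate, installed through Kingfisher's AuthenticationChallengeResponsible protocol and ImageDownloader.authenticationChallengeResponder. The PinnedTrustResponder type, the host name and the pin hash are constructed placeholders, and SecTrustCopyCertificateChain assumes iOS 15 / macOS 12 or later.

```swift
import Foundation
import CryptoKit
import Kingfisher

/// Added example: explicit server-trust evaluation for Kingfisher downloads.
/// Hosts not listed in `pinnedLeafHashes` fall back to the system's default handling;
/// listed hosts must present a chain that validates AND a leaf certificate whose
/// SHA-256 (over its DER bytes) matches a pin, otherwise the connection is cancelled.
final class PinnedTrustResponder: AuthenticationChallengeResponsible {
    /// Constructed placeholder values: replace with the real host and the hex SHA-256
    /// of the expected leaf certificate (e.g. from `openssl x509 -outform der | sha256sum`).
    private let pinnedLeafHashes: [String: Set<String>] = [
        "images.example.com": ["<sha256-hex-of-expected-leaf-cert-DER>"]
    ]

    // Session-level challenge (this is the one the scan trace points at).
    func downloader(_ downloader: ImageDownloader,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let (disposition, credential) = evaluate(challenge)
        completionHandler(disposition, credential)
    }

    // Task-level challenge: same policy.
    func downloader(_ downloader: ImageDownloader, task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let (disposition, credential) = evaluate(challenge)
        completionHandler(disposition, credential)
    }

    private func evaluate(_ challenge: URLAuthenticationChallenge) -> (URLSession.AuthChallengeDisposition, URLCredential?) {
        let space = challenge.protectionSpace
        // Only server-trust challenges are decided here; other auth methods use the system default.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else { return (.performDefaultHandling, nil) }
        // Step 1: normal chain validation (anchors, expiry, hostname). Never pin an invalid chain.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else { return (.cancelAuthenticationChallenge, nil) }
        // Step 2: pin check, only for hosts we have a pin for.
        guard let pins = pinnedLeafHashes[space.host] else { return (.performDefaultHandling, nil) }
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return (.cancelAuthenticationChallenge, nil) }
        let der = SecCertificateCopyData(leaf) as Data
        let leafHash = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        return pins.contains(leafHash)
            ? (.useCredential, URLCredential(trust: trust))
            : (.cancelAuthenticationChallenge, nil)
    }
}

// Wiring (assumed usage): keep a strong reference to the responder, since the
// downloader only holds it weakly, then install it before issuing any image requests.
let trustResponder = PinnedTrustResponder()
ImageDownloader.default.authenticationChallengeResponder = trustResponder
```

With this in place the scan's "UseCredential" disposition is only reached after the chain validates and the leaf matches a pin; a pin mismatch or an invalid chain cancels the challenge instead.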
