Comments (18)

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024 4

Hello all -

We will reach out to the 3rd party dependency and pass over your concern. I will reach back out when we have an update from that team.

from braintree_ios.

gsci0001 avatar gsci0001 commented on July 30, 2024 1

@samfriedmanfuji thank you for logging this issue. This is impacting several of our tier 1 carriers that use Braintree/PayPal services. This is a security issue that Staging URLs are present within the client. Without the removal of these URLs we cannot submit our application to the App Store as it is directly against the Security Office requirements. Please treat this with priority.

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024 1

> Thank you. However, we are using version 5.23 of the Braintree SDK. Can we get a build of the 5.x branch?

Hey @samfriedmanfuji, thanks for letting us know. We will work on getting a new internal build with stage removed for 5.x. I will reopen this issue for the time being to track that this work still needs to be completed on the 5.x branch.

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024 1

Hey @gjegadesh -

I have a PR up here for the 5.x changes: #1127. Our Carthage asset cache is intermittently not populating the expected files which we have escalated internally. Once that is resolved we should be able to get the release over to you all.

In the meantime if you'd like to confirm that branch works as expected for you all please feel free. As soon as we resolve the asset cache issue we will get the released version over to you all. Thanks for your patience.

from braintree_ios.

FlopJDev avatar FlopJDev commented on July 30, 2024

Thanks @samfriedmanfuji for logging this.
Our security tool flagged this and it is a blocker for us to deliver to our customers and publish to the App Store.

Good to get this fixed quickly.
Thanks

from braintree_ios.

gjegadesh avatar gjegadesh commented on July 30, 2024

This was raised as a security vulnerability by one of our clients. We would appreciate Braintree addressing this issue as quickly as possible. Thanks.

from braintree_ios.

meetmandar avatar meetmandar commented on July 30, 2024

This issue is blocking me with store submission. It will be helpful if the team addresses this issue ASAP.

from braintree_ios.

samfriedmanfuji avatar samfriedmanfuji commented on July 30, 2024

The PR looks to be approved but it is now marked as BLOCKED. We are still waiting on a build; is there an expected date for a release?

from braintree_ios.

scannillo avatar scannillo commented on July 30, 2024

Hi @samfriedmanfuji - we plan on having this released by the end of the week. There were some issues with the backend service that hosts our xcframework assets that we are hoping will be ironed out soon.

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024

Hey all -

Version 6.8.0 of the SDK has been released with staging URLs removed. Please let us know if you continue to run into any issues after updating.

from braintree_ios.

samfriedmanfuji avatar samfriedmanfuji commented on July 30, 2024

> Hey all -
>
> Version 6.8.0 of the SDK has been released with staging URLs removed. Please let us know if you continue to run into any issues after updating.

Thank you. However, we are using version 5.23 of the Braintree SDK. Can we get a build of the 5.x branch?

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024

Hello @samfriedmanfuji -

Version 5.24.0 of the SDK has been released with the staging URLs removed. Please let us know if you run into any issues!

from braintree_ios.

samfriedmanfuji avatar samfriedmanfuji commented on July 30, 2024

@jaxdesmarais Thanks, unfortunately I am encountering several issues with this version. I can still build and run just fine with 5.23, but when I update to 5.24 I am getting 100 "Undefined symbol" build errors - the first 10 are as follows:

  • Undefined symbol: _$s12CoreGraphics7CGFloatVMn
  • Undefined symbol: _$s12CoreGraphics7CGFloatVN
  • Undefined symbol: _$s12CoreGraphics7CGFloatVs7CVarArgAAMc
  • Undefined symbol: _$s15_ObjectiveCTypes01_A11CBridgeablePTl
  • Undefined symbol: _$s8AllCasess12CaseIterablePTl
  • Undefined symbol: _$s8Dispatch0A12TimeIntervalO7secondsyACSicACmFWC
  • Undefined symbol: _$s8Dispatch0A12TimeIntervalOMa
  • Undefined symbol: _$s8Dispatch0A13WorkItemFlagsVMa
  • Undefined symbol: _$s8Dispatch0A13WorkItemFlagsVMn
  • Undefined symbol: _$s8Dispatch0A13WorkItemFlagsVs10SetAlgebraAAMc

What's even more concerning, however, is that regardless of whether I am able to build, the original bug is not resolved. I am checking the latest version of PPRiskMagnes from Carthage, and I also downloaded the framework directly from https://assets.braintreegateway.com/mobile/ios/carthage-frameworks/pp-risk-magnes/PPRiskMagnes.5.4.1.xcframework.zip for comparison. In both cases, I am still seeing both stage URLs present in the code. Can we please ensure that this is the actual latest version that has the stage URLs removed?

from braintree_ios.

samfriedmanfuji avatar samfriedmanfuji commented on July 30, 2024

Update: I resolved the Undefined symbol errors by simply adding a blank Swift file to my project. Now the app builds, but immediately crashes on startup with the error "dyld: Library not loaded: @rpath/PPRiskMagnes.framework/PPRiskMagnes". I am getting two different reasons depending on whether I am building for a device or simulator; both say "No suitable image found. Did find" followed by the framework and the reason is:

  • For simulator: no matching architecture in universal wrapper
  • For device: unknown file type, first eight bytes: 0x21 0x3C 0x61 0x72 0x63 0x68 0x3E 0x0A

I am using Xcode 14.2 and I am targeting iOS 12.
Any help in resolving this (as well as removing the stage URLs) would be much appreciated. Thanks

from braintree_ios.
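
The two checks described in the comments above (looking for stage URLs inside a vendored framework binary, and reading the "first eight bytes" that dyld reports), as an added example that is not part of the original thread or of the Braintree SDK. The eight bytes quoted spell `!<arch>\n`, the `ar` static-archive magic; the marker list, function names and sample bytes below are assumptions constructed for illustration.

```python
import re
import struct
from urllib.parse import urlsplit

AR_MAGIC = b"!<arch>\n"    # 21 3C 61 72 63 68 3E 0A: static archive (.a)
FAT_MAGIC = 0xCAFEBABE     # universal wrapper, stored big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}  # 32-bit and 64-bit Mach-O
MH_TYPES = {0x1: "object", 0x2: "executable", 0x6: "dylib", 0x8: "bundle"}
MARKERS = {"stage", "staging", "stg"}   # assumed host-naming convention
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@%&=+-]+")

def _thin(data):
    """Classify one non-universal image by its magic bytes."""
    if data.startswith(AR_MAGIC):
        return "static archive"  # linked at build time; dyld cannot load it
    if len(data) >= 16:
        for fmt in ("<I", ">I"):  # little- or big-endian Mach-O header
            if struct.unpack(fmt, data[:4])[0] in THIN_MAGICS:
                ftype = struct.unpack(fmt, data[12:16])[0]
                return "mach-o " + MH_TYPES.get(ftype, hex(ftype))
    return "unknown"

def classify(data):
    """Classify a framework binary, descending into universal slices."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        kinds = []
        for i in range(min(struct.unpack(">I", data[4:8])[0], 16)):
            entry = data[8 + 20 * i:28 + 20 * i]
            if len(entry) < 20:
                break  # truncated slice table
            # fat_arch: cputype, cpusubtype, offset, size, align
            _, _, off, size, _ = struct.unpack(">5I", entry)
            kinds.append(_thin(data[off:off + size]))
        return "fat(" + ",".join(kinds) + ")"
    return _thin(data)

def nonprod_urls(data, markers=MARKERS):
    """Return embedded URLs whose host has a label matching a marker."""
    hits = set()
    for match in URL_RE.finditer(data):
        url = match.group().decode("ascii")
        host = (urlsplit(url).hostname or "").lower()
        if markers & set(re.split(r"[.-]", host)):
            hits.add(url)
    return sorted(hits)

# Constructed samples (not bytes from PPRiskMagnes): a static archive holding
# one staging and one production URL, and a thin 64-bit dylib header.
STATIC_LIB = AR_MAGIC + b"\0https://api.stage.example.test/v1\0https://api.example.test/v1\0"
DYLIB = struct.pack("<4I", 0xFEEDFACF, 0x0100000C, 0, 0x6) + b"\0https://api.example.test/v1\0"
```

Run as a release gate over each binary inside an unpacked `.xcframework`, a non-empty `nonprod_urls` result or an unexpected `classify` result is a reason to stop before embedding the framework.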

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024

Hey @samfriedmanfuji -

We can certainly reach out to our 3rd party provider of the Magnes framework to let them know not all of the URLs have been removed as expected. They had assured us stage was fully removed so I will reach back out once we hear back from them.

Regarding the build errors you are seeing, I am not seeing the same warnings on Xcode 14.2 targeting iOS 12. I am using our Demo app from our repo and am able to build for both simulator and device without issue. Are you able to share more about your setup so we can troubleshoot further?

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024

Hello @samfriedmanfuji -

It looks like some of the frameworks uploaded were mixed up and an older version was uploaded for Carthage and the 5.x branch. The 6.x branch contains the correct Framework for CocoaPods and SPM. We will get a PR up to correct the frameworks and let you know when that has been released.

from braintree_ios.

gjegadesh avatar gjegadesh commented on July 30, 2024

@jaxdesmarais would you have an update to this problem? Hope this is going to be resolved soon. Thanks

from braintree_ios.

jaxdesmarais avatar jaxdesmarais commented on July 30, 2024

Hey all -

This was released in version 5.24.1. Thanks again for your patience and once you've confirmed things are working as expected I will close out this issue.

from braintree_ios.
