This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Add a syntactic security check for ObjC NSCoder API.
Closed, Public

Authored by NoQ on Dec 19 2019, 2:25 PM.

Details

Summary

Method -[NSCoder decodeValueOfObjCType:at:] is not only deprecated but also a security hazard, hence a loud check.

Event Timeline

NoQ created this revision. Dec 19 2019, 2:25 PM
Herald added a project: Restricted Project. Dec 19 2019, 2:25 PM
dcoughlin accepted this revision. Dec 19 2019, 2:33 PM

This looks good to me, but I think we need a deployment target check on the diagnostic since the safe API is only available in iOS 11+, macOS 10.13+, tvOS 11+, and watchOS 4.0+. If the deployment target is earlier than those versions then we should not diagnose.

This revision is now accepted and ready to land. Dec 19 2019, 2:33 PM
This revision was automatically updated to reflect the committed changes.
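
The call pattern under discussion, as an added example that is not code from this patch or from the analyzer: an `NSCoding` class that decodes with the sized replacement `-[NSCoder decodeValueOfObjCType:at:size:]` where the OS provides it. The `Sample` class and its `count` property are hypothetical; the availability versions are the ones quoted in the review comment above.

```objc
#import <Foundation/Foundation.h>

// Hypothetical model class, constructed for illustration.
@interface Sample : NSObject <NSCoding>
@property (nonatomic) int32_t count;
@end

@implementation Sample

- (void)encodeWithCoder:(NSCoder *)coder {
    int32_t value = self.count;
    [coder encodeValueOfObjCType:@encode(int32_t) at:&value];
}

- (instancetype)initWithCoder:(NSCoder *)coder {
    if ((self = [super init])) {
        int32_t value = 0;
        if (@available(macOS 10.13, iOS 11.0, tvOS 11.0, watchOS 4.0, *)) {
            // Sized variant: the coder is told how many bytes the
            // destination holds, so it can check the archived value
            // against the buffer before writing.
            [coder decodeValueOfObjCType:@encode(int32_t)
                                      at:&value
                                    size:sizeof(value)];
        } else {
            // Unsized variant: the coder receives only a type encoding
            // and a pointer, with no destination length to check. On
            // deployment targets older than the versions above this is
            // the only form available, which is why a diagnostic there
            // would have no fix to offer.
            [coder decodeValueOfObjCType:@encode(int32_t) at:&value];
        }
        _count = value;
    }
    return self;
}

@end
```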