Fix secure coding bugs in MFA (#10633)

igor-makarov · web-flow · commit 1095aaf47fe6 · 2023-01-04T13:39:34.000-08:00
diff --git a/FirebaseAuth/Sources/MultiFactor/FIRMultiFactor.m b/FirebaseAuth/Sources/MultiFactor/FIRMultiFactor.m
@@ -178,17 +178,20 @@ + (BOOL)supportsSecureCoding {
 - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder {
   self = [self init];
   if (self) {
+    NSSet *enrolledFactorsClasses = [NSSet setWithArray:@[
+      [NSArray class], [FIRMultiFactorInfo class], [FIRPhoneMultiFactorInfo class]
+    ]];
     NSArray<FIRMultiFactorInfo *> *enrolledFactors =
-        [aDecoder decodeObjectForKey:kEnrolledFactorsCodingKey];
+        [aDecoder decodeObjectOfClasses:enrolledFactorsClasses forKey:kEnrolledFactorsCodingKey];
     _enrolledFactors = enrolledFactors;
-    _user = [aDecoder decodeObjectOfClass:[FIRUser class] forKey:kUserCodingKey];
+    // Do not decode `user` weak property.
   }
   return self;
 }
 
 - (void)encodeWithCoder:(NSCoder *)aCoder {
   [aCoder encodeObject:_enrolledFactors forKey:kEnrolledFactorsCodingKey];
-  [aCoder encodeObject:_user forKey:kUserCodingKey];
+  // Do not encode `user` weak property.
 }
 
 @end
diff --git a/FirebaseAuth/Sources/User/FIRUser.m b/FirebaseAuth/Sources/User/FIRUser.m
@@ -380,6 +380,7 @@ - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder {
                                                                 heartbeatLogger:nil];
 #if TARGET_OS_IOS
     _multiFactor = multiFactor ?: [[FIRMultiFactor alloc] init];
+    _multiFactor.user = self;
 #endif
   }
   return self;

Original file line number	Diff line number	Diff line change
`@@ -380,6 +380,7 @@ - (nullable instancetype)initWithCoder:(NSCoder *)aDecoder {`
`380`	`380`	`heartbeatLogger:nil];`
`381`	`381`	`#if TARGET_OS_IOS`
`382`	`382`	`_multiFactor = multiFactor ?: [[FIRMultiFactor alloc] init];`
	`383`	`+ _multiFactor.user = self;`
`383`	`384`	`#endif`
`384`	`385`	`}`
`385`	`386`	`return self;`