
Part of my application allows users to submit their Xcode projects to my server, and then we will compile them and run various tests.

Right now we've been testing this with several hundred trusted people, but I am wondering if we need some kind of sandboxing for each compilation.

Is there any avenue one could use to do something malicious with this workflow?

Could someone put something inside a repository that would get executed when `xcodebuild` runs?

Can/Should I disable executables in the directory I store the projects in?

Any other comments are welcome. Thanks.

user3583341

1 Answer


Yes, you need some sort of sandboxing for this — it is possible to run arbitrary shell scripts from an Xcode project using a Run Script build phase. Disabling executables will not prevent these scripts from running, and some projects will have a legitimate need for them anyway (e.g., to automatically generate or preprocess source files).
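Since Run Script phases are stored as `PBXShellScriptBuildPhase` objects in the project's `project.pbxproj`, a build server can at least list them before `xcodebuild` runs, so that submitted scripts are visible for review or logging rather than executed unseen. The following added example (not from the answer above) does that with a regex scan of the pbxproj text; it assumes the usual unnested layout Xcode writes for build-phase objects and uses a constructed sample as input.

```python
import re

# Constructed sample: the section Xcode writes into project.pbxproj when
# a target contains a "Run Script" build phase.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		0123456789ABCDEF01234567 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			name = "Generate Sources";
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "python3 tools/gen.py > \"Sources/Generated.swift\"\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

# One pbxproj object: <24 hex id> /* comment */ = { ... };  (assumes no nested braces,
# which holds for build-phase objects; lists inside them use parentheses)
OBJECT_RE = re.compile(
    r'(?P<id>[0-9A-F]{24})\s*(?:/\*.*?\*/)?\s*=\s*\{(?P<body>.*?)\n\s*\};', re.DOTALL)
# key = "quoted string"; or key = bare token;
KV_RE = re.compile(
    r'^\s*(?P<key>\w+)\s*=\s*(?:"(?P<quoted>(?:\\.|[^"\\])*)"|(?P<bare>[^;]+));', re.MULTILINE)

def _unescape(s):
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), s)

def find_run_script_phases(pbxproj_text):
    """Return every Run Script build phase as a dict: id, name, shell_path, script."""
    phases = []
    for obj in OBJECT_RE.finditer(pbxproj_text):
        fields = {}
        for kv in KV_RE.finditer(obj.group('body')):
            quoted = kv.group('quoted')
            fields[kv.group('key')] = _unescape(quoted) if quoted is not None else kv.group('bare').strip()
        if fields.get('isa') != 'PBXShellScriptBuildPhase':
            continue  # not a Run Script phase (sources, frameworks, resources, ...)
        phases.append({'id': obj.group('id'),
                       'name': fields.get('name', 'Run Script'),
                       'shell_path': fields.get('shellPath', '/bin/sh'),
                       'script': fields.get('shellScript', '')})
    return phases

if __name__ == '__main__':
    for phase in find_run_script_phases(SAMPLE_PBXPROJ):
        print(f"{phase['id']} {phase['name']!r} via {phase['shell_path']}:")
        print('    ' + phase['script'].rstrip().replace('\n', '\n    '))
```

Listing the phases is only an inventory step: the scripts still run with the build user's privileges, so the sandboxing the answer recommends is what actually contains them.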