Merge pull request #1 from MobSF/master

ByteSnipers · web-flow · commit 63808e44cd1e · 2025-03-26T04:00:26.000+01:00
Update mobSF
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -10,6 +10,9 @@ Please report all security issues [here](https://github.com/MobSF/Mobile-Securit
 
 | Vulnerability | Affected Versions |
 | ------- | ------------------ |
+| [Partial Denial of Service due to strict regex check in iOS report view URL](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-jrm8-xgf3-fwqr) | `<=4.3.0` |
+| [Local Privilege escalation due to leaked REST API key in web UI](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m) | `<=4.3.0` |
+| [Stored Cross-Site Scripting in iOS dynamic_analysis view via `bundle` id](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3) | `<=4.3.0` |
 | [Stored Cross-Site Scripting Vulnerability in Recent Scans "Diff or Compare"](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-5jc6-h9w7-jm3p) | `<=4.2.8` |
 | [Zip Slip Vulnerability in .a extraction](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j) | `<=4.0.6` |
 | [Open Redirect in Login redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4) | `<=4.0.4` |
diff --git a/.github/workflows/mobsf-test.yml b/.github/workflows/mobsf-test.yml
@@ -47,7 +47,9 @@ jobs:
     - name: Install macOS Dependencies
       if: startsWith(matrix.os, 'macOS')
       run: |
-        brew install --cask wkhtmltopdf
+        export WKHTML_URL=https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-2/
+        export WKHTML_PKG=wkhtmltox-0.12.6-2.macos-cocoa.pkg
+        curl -L ${WKHTML_URL}${WKHTML_PKG} -O && sudo installer -pkg ${WKHTML_PKG} -target ~ && rm -rf ${WKHTML_PKG}
 
     - name: Install Windows Dependencies
       if: startsWith(matrix.os, 'windows')
diff --git a/mobsf/DynamicAnalyzer/views/android/frida_server_download.py b/mobsf/DynamicAnalyzer/views/android/frida_server_download.py
@@ -30,7 +30,7 @@ def clean_up_old_binaries(dirc, version):
                 pass
 
 
-def download_frida_server(url, version, fname, proxies):
+def download_frida_server(url, version, fname, proxies, verify):
     """Download frida-server-binary."""
     try:
         download_dir = Path(settings.DWD_DIR)
@@ -40,6 +40,7 @@ def download_frida_server(url, version, fname, proxies):
                 url,
                 timeout=5,
                 proxies=proxies,
+                verify=verify,
                 stream=True) as r:
             with LZMAFile(r.raw) as f:
                 with open(dwd_loc, 'wb') as flip:
@@ -72,7 +73,7 @@ def update_frida_server(arch, version):
         for item in response.json()['assets']:
             if item['name'] == f'{fserver}.xz':
                 url = item['browser_download_url']
-                return download_frida_server(url, version, fserver, proxies)
+                return download_frida_server(url, version, fserver, proxies, verify)
         return False
     except Exception:
         logger.exception('[ERROR] Fetching Frida Server Release')
diff --git a/mobsf/DynamicAnalyzer/views/ios/corellium_instance.py b/mobsf/DynamicAnalyzer/views/ios/corellium_instance.py
@@ -763,6 +763,8 @@ def download_data(request, bundle_id, api=False):
         if failed:
             return send_response(failed, api)
         if not strict_package_check(bundle_id):
+            # Check bundle_id during call, as the check
+            # is not done in REST API/URL repath.
             data['message'] = 'Invalid iOS Bundle id'
             return send_response(data, api)
         ci = CorelliumInstanceAPI(instance_id)
diff --git a/mobsf/DynamicAnalyzer/views/ios/report.py b/mobsf/DynamicAnalyzer/views/ios/report.py
@@ -49,8 +49,9 @@ def ios_view_report(request, bundle_id, api=False):
         else:
             dev = ''
         if not strict_package_check(bundle_id):
-            # We need this check since bundleid
-            # is not validated in REST API
+            # bundle_id is not validated in REST API.
+            # Also bundleid is not strictly validated
+            # in URL path.
             return print_n_send_error_response(
                 request,
                 'Invalid iOS Bundle id',
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -18,13 +18,13 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.2.9'
+VERSION = '4.3.1'
 BANNER = r"""
-  __  __       _    ____  _____       _  _    ____  
- |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ \ 
- | |\/| |/ _ \| '_ \___ \| |_  \ \ / / || |_   __) |
- | |  | | (_) | |_) |__) |  _|  \ V /|__   _| / __/ 
- |_|  |_|\___/|_.__/____/|_|     \_/    |_|(_)_____|
+  __  __       _    ____  _____       _  _    _____ 
+ |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ / 
+ | |\/| |/ _ \| '_ \___ \| |_  \ \ / / || |_   |_ \ 
+ | |  | | (_) | |_) |__) |  _|  \ V /|__   _| ___) |
+ |_|  |_|\___/|_.__/____/|_|     \_/    |_|(_)____/ 
 """  # noqa: W291
 # ASCII Font: Standard
 
diff --git a/mobsf/MobSF/settings.py b/mobsf/MobSF/settings.py
@@ -379,6 +379,8 @@
 IDP_SSO_URL = os.getenv('MOBSF_IDP_SSO_URL')
 IDP_X509CERT = os.getenv('MOBSF_IDP_X509CERT')
 IDP_IS_ADFS = os.getenv('MOBSF_IDP_IS_ADFS', '0')
+IDP_MAINTAINER_GROUP = os.getenv('MOBSF_IDP_MAINTAINER_GROUP', 'Maintainer')
+IDP_VIEWER_GROUP = os.getenv('MOBSF_IDP_VIEWER_GROUP', 'Viewer')
 # SP Configuration
 SP_HOST = os.getenv('MOBSF_SP_HOST')
 SP_ALLOW_PASSWORD = os.getenv('MOBSF_SP_ALLOW_PASSWORD', '0')
diff --git a/mobsf/MobSF/urls.py b/mobsf/MobSF/urls.py
@@ -52,7 +52,7 @@
 
 from . import settings
 
-bundle_id_regex = r'(?P<bundle_id>([a-zA-Z0-9]{1}[\w.-]{1,255}))$'
+bundle_id_regex = r'(?P<bundle_id>.+)$'
 checksum_regex = r'(?P<checksum>[0-9a-f]{32})'
 paginate = r'(?P<page_size>[0-9]{1,10})/(?P<page_number>[0-9]{1,10})'
 
diff --git a/mobsf/MobSF/utils.py b/mobsf/MobSF/utils.py
@@ -98,6 +98,17 @@ def upstream_proxy(flaw_type):
     return proxies, verify
 
 
+def get_system_resources():
+    """Get CPU and Memory Available."""
+    # Get number of physical cores
+    physical_cores = psutil.cpu_count(logical=False)
+    # Get number of logical processors (threads)
+    logical_processors = psutil.cpu_count(logical=True)
+    # Get total RAM
+    total_ram = psutil.virtual_memory().total / (1024 ** 3)  # Convert bytes to GB
+    return physical_cores, logical_processors, total_ram
+
+
 def print_version():
     """Print MobSF Version."""
     logger.info(settings.BANNER)
@@ -122,6 +133,8 @@ def print_version():
         dst_str = f' ({dist}) '
     env_str = f'OS Environment: {os}{dst_str}{pltfm}'
     logger.info(env_str)
+    cores, threads, ram = get_system_resources()
+    logger.info('CPU Cores: %s, Threads: %s, RAM: %.2f GB', cores, threads, ram)
     find_java_binary()
     check_basic_env()
     thread = threading.Thread(target=check_update, name='check_update')
diff --git a/mobsf/MobSF/views/authorization.py b/mobsf/MobSF/views/authorization.py
@@ -49,8 +49,8 @@ class Permissions(Enum):
     DELETE = f'StaticAnalyzer.{PERM_CAN_DELETE}'
 
 
-MAINTAINER_GROUP = 'Maintainer'
-VIEWER_GROUP = 'Viewer'
+MAINTAINER_GROUP = settings.IDP_MAINTAINER_GROUP
+VIEWER_GROUP = settings.IDP_VIEWER_GROUP
 
 
 def permission_required(perm):
diff --git a/mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py b/mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py
@@ -219,12 +219,12 @@
         'name': 'Data SMS Receiver Set on Port: %s Found. [android:port]',
     },
     'high_intent_priority_found': {
-        'title': 'High Intent Priority (%s)<br>[android:priority]',
+        'title': 'High Intent Priority (%s) - {%s} Hit(s)<br>[android:priority]',
         'level': 'warning',
         'description': ('By setting an intent priority higher than another'
                         ' intent, the app effectively overrides '
                         'other requests.'),
-        'name': 'High Intent Priority (%s). [android:priority]',
+        'name': 'High Intent Priority (%s) - {%s} Hit(s) [android:priority]',
     },
     'high_action_priority_found': {
         'title': 'High Action Priority (%s)<br>[android:priority] ',
diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py
@@ -83,25 +83,32 @@ def assetlinks_check(act_name, well_knowns):
 
 
 def _check_url(host, w_url):
+    """Check for the presence of Assetlinks URL."""
     try:
         iden = 'sha256_cert_fingerprints'
         proxies, verify = upstream_proxy('https')
         status = False
         status_code = 0
 
-        r = requests.get(w_url,
-                         timeout=5,
-                         allow_redirects=False,
-                         proxies=proxies,
-                         verify=verify)
+        urls = {w_url}
+        if w_url.startswith('http://'):
+            # Upgrade http to https
+            urls.add(f'https://{w_url[7:]}')
 
-        status_code = r.status_code
-        if status_code == 302:
-            logger.warning('302 Redirect detected, skipping check')
-            status = False
-        if (str(status_code).startswith('2') and iden in str(r.json())):
-            status = True
+        for url in urls:
+            r = requests.get(url,
+                             timeout=5,
+                             allow_redirects=False,
+                             proxies=proxies,
+                             verify=verify)
 
+            status_code = r.status_code
+            if (str(status_code).startswith('2') and iden in str(r.json())):
+                status = True
+                break
+        if status_code in (301, 302):
+            logger.warning('Status Code: [%d], Redirecting to '
+                           'a different URL, skipping check!', status_code)
         return {'url': w_url,
                 'host': host,
                 'status_code': status_code,
@@ -761,12 +768,18 @@ def manifest_analysis(app_dic, man_data_dic):
                 dataport = data.getAttribute(f'{ns}:port')
                 ret_list.append(('sms_receiver_port_found', (dataport,), ()))
         # INTENTS
+        processed_priorities = {}
         for intent in intents:
             if intent.getAttribute(f'{ns}:priority').isdigit():
                 value = intent.getAttribute(f'{ns}:priority')
                 if int(value) > 100:
-                    ret_list.append(
-                        ('high_intent_priority_found', (value,), ()))
+                    if value not in processed_priorities:
+                        processed_priorities[value] = 1
+                    else:
+                        processed_priorities[value] += 1
+        for priority, count in processed_priorities.items():
+            ret_list.append(
+                ('high_intent_priority_found', (priority, count,), ()))
         # ACTIONS
         for action in actions:
             if action.getAttribute(f'{ns}:priority').isdigit():
diff --git a/mobsf/StaticAnalyzer/views/android/views/source_tree.py b/mobsf/StaticAnalyzer/views/android/views/source_tree.py
@@ -10,7 +10,6 @@
     render,
 )
 
-from mobsf.MobSF.init import api_key
 from mobsf.MobSF.utils import (
     is_md5,
     print_n_send_error_response,
@@ -71,7 +70,6 @@ def run(request):
             'hash': md5,
             'source_type': typ,
             'version': settings.MOBSF_VER,
-            'api_key': api_key(settings.MOBSF_HOME),
         }
         template = 'static_analysis/source_tree.html'
         return render(request, template, context)
diff --git a/mobsf/StaticAnalyzer/views/android/views/view_source.py b/mobsf/StaticAnalyzer/views/android/views/view_source.py
@@ -1,13 +1,13 @@
 # -*- coding: utf_8 -*-
 """View Source of a file."""
-
 import logging
 import ntpath
 from pathlib import Path
 
 from django.conf import settings
 from django.shortcuts import render
 from django.utils.html import escape
+from django.http import JsonResponse
 
 from mobsf.MobSF.forms import FormUtil
 from mobsf.MobSF.utils import (
@@ -28,9 +28,26 @@
 logger = logging.getLogger(__name__)
 
 
+def send_json(data):
+    return JsonResponse(data, safe=False)
+
+
+def send_error(request, err, api_mode, json_resp, exp=None):
+    """Send error message as dict or JSON."""
+    if exp:
+        res = print_n_send_error_response(request, err, api_mode, exp)
+    else:
+        res = print_n_send_error_response(request, err, api_mode)
+    if json_resp:
+        return send_json(res)
+    return res
+
+
 @login_required
 def run(request, api=False):
     """View the source of a file."""
+    json_resp = request.GET.get('json', '0') == '1'
+    api_mode = api or json_resp
     try:
         logger.info('View Java Source File')
         exp = 'Error Description'
@@ -46,8 +63,7 @@ def run(request, api=False):
             viewsource_form = ViewSourceAndroidForm(request.GET)
         if not viewsource_form.is_valid():
             err = FormUtil.errors_message(viewsource_form)
-            return print_n_send_error_response(request, err, api, exp)
-
+            return send_error(request, err, api_mode, json_resp, exp)
         base = Path(settings.UPLD_DIR) / md5
         if typ == 'smali':
             src = base / 'smali_source'
@@ -57,12 +73,12 @@ def run(request, api=False):
                 src, syntax, _ = find_java_source_folder(base)
             except StopIteration:
                 msg = 'Invalid directory or file extension'
-                return print_n_send_error_response(request, msg, api)
+                return send_error(request, msg, api_mode, json_resp)
 
         sfile = src / fil
         if not is_safe_path(src, sfile.as_posix()):
             msg = 'Path Traversal Detected!'
-            return print_n_send_error_response(request, msg, api)
+            return send_error(request, msg, api_mode, json_resp)
         context = {
             'title': escape(ntpath.basename(fil)),
             'file': escape(ntpath.basename(fil)),
@@ -72,11 +88,13 @@ def run(request, api=False):
             'version': settings.MOBSF_VER,
         }
         template = 'general/view.html'
-        if api:
+        if json_resp:
+            return send_json(context)
+        if api_mode:
             return context
         return render(request, template, context)
     except Exception as exp:
         logger.exception('Error Viewing Source')
         msg = str(exp)
         exp = exp.__doc__
-        return print_n_send_error_response(request, msg, api, exp)
+        return send_error(request, msg, api_mode, json_resp, exp)
diff --git a/mobsf/StaticAnalyzer/views/common/appsec.py b/mobsf/StaticAnalyzer/views/common/appsec.py
@@ -38,9 +38,20 @@ def common_fields(findings, data):
             sev = cd['metadata']['severity']
         desc = cd['metadata']['description']
         ref = cd['metadata'].get('ref', '')
+
+        files_dict = cd.get('files', {})
+        files_lines = [f'{file}, line(s) {lines}'
+                       for file, lines in files_dict.items()]
+        all_files_str = '\n'.join(files_lines)
+
+        if files_dict:
+            fdesc = f'{desc}\n{ref}\n\nFiles:\n{all_files_str}'
+        else:
+            fdesc = f'{desc}\n{ref}'
+
         findings[sev].append({
             'title': cd['metadata']['description'],
-            'description': f'{desc}\n{ref}',
+            'description': fdesc,
             'section': 'code',
         })
     # Permissions
diff --git a/mobsf/StaticAnalyzer/views/common/firebase.py b/mobsf/StaticAnalyzer/views/common/firebase.py
@@ -85,7 +85,7 @@ def open_firebase(checksum, url):
             logger.warning(invalid)
             return url, False
         purl = urlparse(url)
-        if not purl.netloc.endswith('firebaseio.com'):
+        if not purl.netloc.endswith('.firebaseio.com'):
             logger.warning(invalid)
             return url, False
         base_url = f'{purl.scheme}://{purl.netloc}/.json'
@@ -116,7 +116,7 @@ def firebase_db_check(checksum, code_an_dic):
     try:
         urls = list(set(code_an_dic['urls_list']))
         for url in urls:
-            if 'firebaseio.com' not in url:
+            if '.firebaseio.com' not in url:
                 continue
             returl, is_open = open_firebase(checksum, url)
             if is_open:
diff --git a/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html b/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html
@@ -403,7 +403,7 @@ <h4 class="modal-title">Create a Corellium iOS VM</h4>
                                   <td><p>
                                       <a class="btn btn-success disable" onclick="dynamic_loader()" href="${url}"><i class="fab fa-apple"></i> Start Dynamic Analysis</a> 
                                       <a class="btn btn-info ${buttonState}" href="../../ios/view_report/${escapeHtml(bundle)}"><i class="fa fa-mobile"></i> View Report </a>
-                                      <a class="btn btn-warning" id="${$('#ios_dynamic').val()}" onclick="remove_app(this, '${bundle}')"><i class="fas fa-trash-alt"></i>  Uninstall</a>
+                                      <a class="btn btn-warning" id="${$('#ios_dynamic').val()}" onclick="remove_app(this, '${escapeHtml(bundle)}')"><i class="fas fa-trash-alt"></i>  Uninstall</a>
                                       </p>
                                   </td></tr>`);
                         }
diff --git a/mobsf/templates/static_analysis/source_tree.html b/mobsf/templates/static_analysis/source_tree.html
@@ -275,17 +275,9 @@ <h2>
 
 function show_file(strPath) {
     $.ajax({
-        type: "POST",
-        url: "{% url "api_view_source" %}",
+        type: "GET",
+        url: "{% url "view_source" %}?json=1&md5={{ hash }}&type={{ source_type }}&file=" + strPath,
         dataType: 'json',
-        headers: {
-            "Authorization": "{{ api_key }}"
-        },
-        data: {
-            type: "{{ source_type }}",
-            hash: "{{ hash }}",
-            file: strPath
-        },
         success: function(strFileData) {
             var code_block = $("pre#fileoutput")
             code_block.text(strFileData.data);
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
