4.2.0 #2450

Merged
merged 16 commits into from
Nov 18, 2024

Changes from 6 commits
12 changes: 6 additions & 6 deletions mobsf/MobSF/init.py
Expand Up @@ -18,13 +18,13 @@

logger = logging.getLogger(__name__)

VERSION = '4.1.9'
VERSION = '4.2.0'
BANNER = r"""
__ __ _ ____ _____ _ _ _
| \/ | ___ | |__/ ___|| ___|_ _| || | / |
| |\/| |/ _ \| '_ \___ \| |_ \ \ / / || |_ | |
| | | | (_) | |_) |__) | _| \ V /|__ _|| |
|_| |_|\___/|_.__/____/|_| \_/ |_|(_)_|
__ __ _ ____ _____ _ _ ____
| \/ | ___ | |__/ ___|| ___|_ _| || | |___ \
| |\/| |/ _ \| '_ \___ \| |_ \ \ / / || |_ __) |
| | | | (_) | |_) |__) | _| \ V /|__ _| / __/
|_| |_|\___/|_.__/____/|_| \_/ |_|(_)_____|
""" # noqa: W291
# ASCII Font: Standard

9 changes: 9 additions & 0 deletions mobsf/MobSF/security.py
Expand Up @@ -2,6 +2,7 @@
import subprocess
import functools
import logging
import re
import sys
from shutil import which
from pathlib import Path
Expand Down Expand Up @@ -209,3 +210,11 @@ def sanitize_redirect(url):
elif url.startswith('/'):
return url
return root


def sanitize_filename(filename):
"""Sanitize Filename."""
# Remove any characters
# that are not alphanumeric, hyphens, underscores, or dots
safe_filename = re.sub(r'[^a-zA-Z0-9._-]', '_', filename)
return safe_filename
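Review bot: the character class in `re.sub(r'[^a-zA-Z0-9._-]', '_', filename)` keeps dots, so inputs such as `.`, `..` or a name made only of dots pass through unchanged, and an empty input stays empty; since the result is the name handed to `file_download` in home.py, consider stripping leading dots and falling back to a fixed default name when the result is empty or equals `.` or `..`. A docstring line stating what the function guarantees (ASCII only, no path separators, no CR/LF) would also help callers.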
15 changes: 15 additions & 0 deletions mobsf/MobSF/utils.py
Expand Up @@ -966,3 +966,18 @@ def run_func(result, *args, **kwargs):
if result:
return result[0]
return None


def set_permissions(path):
base_path = Path(path)
perm_755 = stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH
perm_644 = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH
# Set permissions for directories and files
for item in base_path.rglob('*'):

Check failure: Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1). This path depends on a [user-provided value](2). This path depends on a [user-provided value](3). This path depends on a [user-provided value](4).

Copilot Autofix AI, 2 months ago:

To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. This can be achieved by normalizing the path using os.path.normpath and then checking that the normalized path starts with the root folder. This approach will prevent path traversal attacks by ensuring that the path does not escape the intended directory.

  1. Normalize the path using os.path.normpath.
  2. Check that the normalized path starts with the intended base directory.
  3. If the check fails, raise an exception or handle the error appropriately.
Suggested changeset 1: mobsf/MobSF/utils.py

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/mobsf/MobSF/utils.py b/mobsf/MobSF/utils.py
--- a/mobsf/MobSF/utils.py
+++ b/mobsf/MobSF/utils.py
@@ -965,2 +965,6 @@
     base_path = Path(path)
+    base_dir = Path(settings.BASE_DIR)
+    normalized_path = base_path.resolve()
+    if not str(normalized_path).startswith(str(base_dir)):
+        raise Exception("Path traversal attempt detected")
     perm_755 = stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH
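Review bot: `str(normalized_path).startswith(str(base_dir))` is a string-prefix test, not a path-containment test: a sibling directory whose name begins with the base name (for example `<BASE_DIR>_backup`) passes, and because `base_dir` is left unresolved while `normalized_path` is resolved, a `BASE_DIR` reached through a symlink rejects every legitimate path. Compare path components instead, e.g. `normalized_path.relative_to(base_dir.resolve())` inside a try/except on `ValueError` (or `is_relative_to` on Python 3.9+), and raise a specific exception rather than bare `Exception`. Note also that `settings` is used here but no import of it appears in the patch.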
@@ -968,3 +972,3 @@
     # Set permissions for directories and files
-    for item in base_path.rglob('*'):
+    for item in normalized_path.rglob('*'):
         try:
EOF
Unable to commit as this autofix suggestion is now outdated
try:
if item.is_dir():
item.chmod(perm_755)
elif item.is_file():
item.chmod(perm_644)
except Exception:
pass
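Review bot: `except Exception: pass` hides every chmod failure (permission denied, an item removed mid-walk), so a partially applied permission set goes unnoticed; log the item path at least at debug level. Two further points on this loop: `item.is_dir()`, `item.is_file()` and `Path.chmod` all follow symlinks, so a link below `path` that points elsewhere has the mode of its target changed, and entries for which `item.is_symlink()` is true should be skipped; and `rglob('*')` never yields `base_path` itself, so the top directory keeps its old mode. The function also lacks a docstring, and the hunk uses `stat` and `Path` without showing their imports, so confirm they are present at the top of utils.py.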
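An added example (not MobSF code, and not the autofix itself) contrasting the string-prefix containment test proposed in the CodeQL autofix above with a component-wise check, run over a constructed directory layout in a temp dir; the function and directory names are hypothetical:

```python
import shutil
import tempfile
from pathlib import Path


def within_by_prefix(path, base_dir):
    """The autofix's test: string-prefix comparison on the resolved path."""
    return str(Path(path).resolve()).startswith(str(Path(base_dir)))


def within_by_components(path, base_dir):
    """Containment on path components: resolve both sides and require the
    candidate to be base_dir itself or strictly below it (Path.is_relative_to
    on Python 3.9+ does the same)."""
    base = Path(base_dir).resolve()
    try:
        Path(path).resolve().relative_to(base)
    except ValueError:
        return False
    return True


def demo():
    """Constructed layout in a temp dir; returns {case: (prefix, components)}."""
    root = Path(tempfile.mkdtemp()).resolve()
    base = root / "uploads"
    sibling = root / "uploads_old"      # shares the string prefix of base
    (root / "secret").mkdir()
    base.mkdir()
    sibling.mkdir()
    # a symlink to the base directory, as a deployment might have for BASE_DIR
    (root / "uplink").symlink_to(base, target_is_directory=True)
    cases = {
        # (candidate path, base_dir handed to the check)
        "inside": (base / "a" / "b", base),
        "traversal": (base / ".." / "secret", base),
        "sibling": (sibling / "x", base),
        "symlinked_base": (base / "a", root / "uplink"),
    }
    results = {name: (within_by_prefix(p, b), within_by_components(p, b))
               for name, (p, b) in cases.items()}
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, (prefix_ok, components_ok) in demo().items():
        print(f"{name:15s} prefix={prefix_ok!s:5s} components={components_ok}")
```

The prefix test accepts the sibling directory and rejects every path under a symlinked base; the component check gets both cases right.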
3 changes: 2 additions & 1 deletion mobsf/MobSF/views/home.py
Expand Up @@ -33,6 +33,7 @@
python_dict,
)
from mobsf.MobSF.init import api_key
from mobsf.MobSF.security import sanitize_filename
from mobsf.MobSF.views.helpers import FileType
from mobsf.MobSF.views.scanning import Scanning
from mobsf.MobSF.views.apk_downloader import apk_download
Expand Down Expand Up @@ -430,7 +431,7 @@ def download_binary(request, checksum, api=False):
status=HTTP_STATUS_404)
return file_download(
dwd_file,
filename,
sanitize_filename(robj.FILE_NAME),
allowed_exts[file_ext])
except Exception:
logger.exception('Download Binary Failed')
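Review bot: the `filename` argument is replaced by `sanitize_filename(robj.FILE_NAME)`, but the hunk does not show the `filename` variable being removed; if it was computed only for this call it is now dead and should go. A short comment at the call site stating the intent (the name is echoed into the download response's filename, so separators, quotes and CR/LF must not reach it) would make the reason for the change clear to future readers.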