Skip to content

Commit

Permalink
Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p
Browse files Browse the repository at this point in the history
  • Loading branch information
ajinabraham committed Dec 3, 2024
1 parent 0d3b1ec commit 27d1658
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 7 deletions.
2 changes: 1 addition & 1 deletion mobsf/MobSF/init.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

logger = logging.getLogger(__name__)

VERSION = '4.2.8'
VERSION = '4.2.9'
BANNER = r"""
__ __ _ ____ _____ _ _ ____
| \/ | ___ | |__/ ___|| ___|_ _| || | |___ \
Expand Down
2 changes: 1 addition & 1 deletion mobsf/MobSF/views/home.py
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ def upload(self):
request = self.request
scanning = Scanning(request)
content_type = self.file.content_type
file_name = self.file.name
file_name = sanitize_filename(self.file.name)
logger.info('MIME Type: %s FILE: %s', content_type, file_name)
if self.file_type.is_apk():
return scanning.scan_apk()
Expand Down
4 changes: 3 additions & 1 deletion mobsf/MobSF/views/scanning.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
from django.utils import timezone

from mobsf.StaticAnalyzer.models import RecentScansDB
from mobsf.MobSF.security import sanitize_filename

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -62,7 +63,8 @@ class Scanning(object):

def __init__(self, request):
self.file = request.FILES['file']
self.file_name = request.FILES['file'].name
self.file_name = sanitize_filename(
request.FILES['file'].name)
self.data = {
'analyzer': 'static_analyzer',
'status': 'success',
Expand Down
18 changes: 15 additions & 3 deletions mobsf/templates/general/recent.html
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,18 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
{% block extra_scripts %}
<script src="{% static "adminlte/plugins/sweetalert2/sweetalert2.min.js" %}"></script>
<script>

// Escape HTML
function escapeHtml(unsafe)
{
return unsafe
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}

// Diff functions
var diff_first_md5 = '';
var diff_first_name = '';
Expand Down Expand Up @@ -231,7 +243,7 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
}

function diff_cleanup() {
first_td_id = diff_first_md5 + '_' + diff_first_name;
first_td_id = diff_first_md5 + '_' + escapeHtml(diff_first_name);
$('[id="' + first_td_id + '"]').closest("tr").removeClass("selected");
$('[id="' + first_td_id + '"]').closest("tbody").removeClass("selectable_table");
diff_first_md5 = "";
Expand All @@ -254,8 +266,8 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
title: '<strong>Diff confirmation</strong>',
type: 'info',
html:
'<strong>Do you want to diff - </strong><br />' + diff_first_name +
'<br /> <strong>with - <br /> </strong>' + diff_second_name + ' <br /> <strong>?</strong>',
'<strong>Do you want to diff - </strong><br />' + escapeHtml(diff_first_name) +
'<br /> <strong>with - <br /> </strong>' + escapeHtml(diff_second_name) + ' <br /> <strong>?</strong>',

showCancelButton: true,
cancelButtonText: 'Cancel',
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[tool.poetry]
name = "mobsf"
version = "4.2.8"
version = "4.2.9"
description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"]
authors = ["Ajin Abraham <ajin@opensecurity.in>"]
Expand Down

0 comments on commit 27d1658

Please sign in to comment.