From 27d165872847f5ae7417caf09f37edeeba741e1e Mon Sep 17 00:00:00 2001
From: Ajin Abraham
Date: Mon, 2 Dec 2024 22:33:01 -0800
Subject: [PATCH] Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p
---
 mobsf/MobSF/init.py | 2 +-
 mobsf/MobSF/views/home.py | 2 +-
 mobsf/MobSF/views/scanning.py | 4 +++-
 mobsf/templates/general/recent.html | 18 +++++++++++++++---
 pyproject.toml | 2 +-
 5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
index 812a34818f..b07aa2b954 100644
--- a/mobsf/MobSF/init.py
+++ b/mobsf/MobSF/init.py
@@ -18,7 +18,7 @@
 logger = logging.getLogger(__name__)
-VERSION = '4.2.8'
+VERSION = '4.2.9'
 BANNER = r"""
 __ __ _ ____ _____ _ _ ____ | \/ | ___ | |__/ ___|| ___|_ _| || | |___ \
diff --git a/mobsf/MobSF/views/home.py b/mobsf/MobSF/views/home.py
index 7760e60b1e..68614d15fe 100755
--- a/mobsf/MobSF/views/home.py
+++ b/mobsf/MobSF/views/home.py
@@ -163,7 +163,7 @@ def upload(self):
 request = self.request
 scanning = Scanning(request)
 content_type = self.file.content_type
- file_name = self.file.name
+ file_name = sanitize_filename(self.file.name)
 logger.info('MIME Type: %s FILE: %s', content_type, file_name)
 if self.file_type.is_apk():
 return scanning.scan_apk()
diff --git a/mobsf/MobSF/views/scanning.py b/mobsf/MobSF/views/scanning.py
index 68ed6a5b3e..ccf1133525 100644
--- a/mobsf/MobSF/views/scanning.py
+++ b/mobsf/MobSF/views/scanning.py
@@ -8,6 +8,7 @@
 from django.utils import timezone
 from mobsf.StaticAnalyzer.models import RecentScansDB
+from mobsf.MobSF.security import sanitize_filename
 logger = logging.getLogger(__name__)
@@ -62,7 +63,8 @@ class Scanning(object):
 def __init__(self, request):
 self.file = request.FILES['file']
- self.file_name = request.FILES['file'].name
+ self.file_name = sanitize_filename(
+ request.FILES['file'].name)
 self.data = {
 'analyzer': 'static_analyzer',
 'status': 'success',
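Review bot: In Scanning.__init__ (the `+ self.file_name = sanitize_filename(` lines) only the derived attribute is sanitized, while `self.file` still holds the raw upload whose `.name` is untouched, so any code path that reads `self.file.name` instead of `self.file_name` would carry the unsanitized client-supplied value back into storage or a template; a comment such as `# self.file.name is the raw client-supplied name; render/store only self.file_name` would make the invariant explicit, and the same applies to `file_name` in the home.py upload() hunk, where the sanitized value is visibly used only for the log line. What sanitize_filename strips is not shown in this patch, and it does not rewrite names that earlier versions already stored in RecentScansDB, so closing the stored XSS presumably depends on the recent.html output-escaping change rather than on this input filtering alone. Both upload() and __init__ continue outside their hunks.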
diff --git a/mobsf/templates/general/recent.html b/mobsf/templates/general/recent.html
index 9c5e1fa17f..15396b1d44 100644
--- a/mobsf/templates/general/recent.html
+++ b/mobsf/templates/general/recent.html
@@ -184,6 +184,18 @@

Recent Scans

{% block extra_scripts %}