Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p

MobSF · Dec 3, 2024 · 27d1658 · 27d1658
1 parent 0d3b1ec
commit 27d1658
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 7 deletions.
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -18,7 +18,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.2.8'
+VERSION = '4.2.9'
 BANNER = r"""
   __  __       _    ____  _____       _  _    ____  
  |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ \ 

diff --git a/mobsf/MobSF/views/home.py b/mobsf/MobSF/views/home.py
@@ -163,7 +163,7 @@ def upload(self):
         request = self.request
         scanning = Scanning(request)
         content_type = self.file.content_type
-        file_name = self.file.name
+        file_name = sanitize_filename(self.file.name)
         logger.info('MIME Type: %s FILE: %s', content_type, file_name)
         if self.file_type.is_apk():
             return scanning.scan_apk()

diff --git a/mobsf/MobSF/views/scanning.py b/mobsf/MobSF/views/scanning.py
@@ -8,6 +8,7 @@
 from django.utils import timezone
 
 from mobsf.StaticAnalyzer.models import RecentScansDB
+from mobsf.MobSF.security import sanitize_filename
 
 logger = logging.getLogger(__name__)
 
@@ -62,7 +63,8 @@ class Scanning(object):
 
     def __init__(self, request):
         self.file = request.FILES['file']
-        self.file_name = request.FILES['file'].name
+        self.file_name = sanitize_filename(
+            request.FILES['file'].name)
         self.data = {
             'analyzer': 'static_analyzer',
             'status': 'success',

diff --git a/mobsf/templates/general/recent.html b/mobsf/templates/general/recent.html
@@ -184,6 +184,18 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
 {% block extra_scripts %}
 <script src="{% static "adminlte/plugins/sweetalert2/sweetalert2.min.js" %}"></script>
 <script>
+
+    // Escape HTML
+    function escapeHtml(unsafe)
+    {
+        return unsafe
+            .replace(/&/g, "&amp;")
+            .replace(/</g, "&lt;")
+            .replace(/>/g, "&gt;")
+            .replace(/"/g, "&quot;")
+            .replace(/'/g, "&#039;");
+    }
+
     // Diff functions
     var diff_first_md5 = '';
     var diff_first_name = '';
@@ -231,7 +243,7 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
     }
 
     function diff_cleanup() {
-        first_td_id = diff_first_md5 + '_' + diff_first_name;
+        first_td_id = diff_first_md5 + '_' + escapeHtml(diff_first_name);
         $('[id="' + first_td_id + '"]').closest("tr").removeClass("selected");
         $('[id="' + first_td_id + '"]').closest("tbody").removeClass("selectable_table");
         diff_first_md5 = "";
@@ -254,8 +266,8 @@ <h3 class="box-title"><i class="fa fa-rocket"></i> Recent Scans</h3>
             title: '<strong>Diff confirmation</strong>',
             type: 'info',
             html:
-                '<strong>Do you want to diff - </strong><br />' + diff_first_name +
-                '<br /> <strong>with - <br /> </strong>' + diff_second_name + ' <br /> <strong>?</strong>',
+                '<strong>Do you want to diff - </strong><br />' + escapeHtml(diff_first_name) +
+                '<br /> <strong>with - <br /> </strong>' + escapeHtml(diff_second_name) + ' <br /> <strong>?</strong>',
 
             showCancelButton: true,
             cancelButtonText: 'Cancel',

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "mobsf"
-version = "4.2.8"
+version = "4.2.9"
 description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
 keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"]
 authors = ["Ajin Abraham <[email protected]>"]