diff --git a/mobsfscan/__init__.py b/mobsfscan/__init__.py
index 41bbcae..aa5f6aa 100644
--- a/mobsfscan/__init__.py
+++ b/mobsfscan/__init__.py
@@ -6,7 +6,7 @@
 __title__ = 'mobsfscan'
 __authors__ = 'Ajin Abraham'
 __copyright__ = f'Copyright {datetime.now().year} Ajin Abraham, OpenSecurity'
-__version__ = '0.3.8'
+__version__ = '0.3.9'
 __version_info__ = tuple(int(i) for i in __version__.split('.'))
 __all__ = [
     '__title__',
diff --git a/mobsfscan/__main__.py b/mobsfscan/__main__.py
index d976ed8..832cc81 100644
--- a/mobsfscan/__main__.py
+++ b/mobsfscan/__main__.py
@@ -8,7 +8,7 @@
 from mobsfscan.mobsfscan import MobSFScan
 from mobsfscan.formatters import (
     cli,
-    json,
+    json_fmt,
     sarif,
     sonarqube,
 )
@@ -87,7 +87,7 @@ def main():
                 scan_results,
                 __version__)
         elif args.json:
-            json.json_output(
+            json_fmt.json_output(
                 args.output,
                 scan_results,
                 __version__)
diff --git a/mobsfscan/formatters/json.py b/mobsfscan/formatters/json_fmt.py
similarity index 100%
rename from mobsfscan/formatters/json.py
rename to mobsfscan/formatters/json_fmt.py
diff --git a/mobsfscan/formatters/sonarqube.py b/mobsfscan/formatters/sonarqube.py
index 743c8f2..93de845 100644
--- a/mobsfscan/formatters/sonarqube.py
+++ b/mobsfscan/formatters/sonarqube.py
@@ -1,7 +1,7 @@
 # -*- coding: utf_8 -*-
 """Sonarqube output format."""
 
-from mobsfscan.formatters.json import json_output
+from mobsfscan.formatters.json_fmt import json_output
 
 
 def get_sonarqube_issue(mobsfscan_issue):
diff --git a/mobsfscan/manifest.py b/mobsfscan/manifest.py
index 6a0901f..e5b540c 100644
--- a/mobsfscan/manifest.py
+++ b/mobsfscan/manifest.py
@@ -54,6 +54,11 @@
     '33': '13',
     '34': '14',
     '35': '15',
+    '36': '16',
+    '37': '17',  # Guess work
+    '38': '18',
+    '39': '19',
+    '40': '20',
 }
 
 
diff --git a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml
index dce417b..c79b855 100644
--- a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml
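Review bot: The new rows `'37'` through `'40'` are labelled `# Guess work`, but nothing in the table distinguishes them from the verified rows, so a manifest declaring `targetSdkVersion="38"` will be reported with an invented Android version as if it were confirmed. Google publishes the API-level to version mapping one release at a time; I would either drop the rows until the level exists or make the comment say what it means, e.g. `# 37-40: placeholders for unreleased API levels, verify before relying on them`. If the code that consumes this table does a plain dict lookup, letting an unknown level fall back to something like `'unknown'` is safer than reporting a guessed version. The dict this hunk extends starts before the hunk, so I cannot see how it is consumed.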
+++ b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml @@ -80,6 +80,23 @@ owasp-mobile: m1 masvs: platform-7 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 +- id: android_kotlin_webview_allow_file_from_url + message: >- + Ensure that user controlled URLs never reaches the Webview. Enabling file access + from URLs in WebView can leak sensitive information from the file system. + type: RegexAnd + pattern: + - setJavaScriptEnabled\(true\) + - \.setAllowFileAccessFromFileURLs\(true\) + - \.setAllowUniversalAccessFromFileURLs\(true\) + severity: warning + input_case: exact + metadata: + cvss: 6.1 + cwe: cwe-200 + owasp-mobile: m1 + masvs: platform-7 + ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 - id: android_kotlin_webview_debug message: Remote WebView debugging is enabled. type: RegexAnd diff --git a/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml b/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml new file mode 100644 index 0000000..86e4482 --- /dev/null +++ b/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml 
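Review bot: `type: RegexAnd` makes the new `android_kotlin_webview_allow_file_from_url` rule fire only when all three patterns occur in the same file, so Kotlin code that enables JavaScript and calls only `setAllowUniversalAccessFromFileURLs(true)` (or only the file-URL setter) is never reported, while the Java semgrep rule added in this same commit flags either setter on its own. Folding the two setters into one alternation keeps the AND with `setJavaScriptEnabled` and closes the gap: replace the last two patterns with the single line `- \.setAllow(File|Universal)AccessFromFileURLs\(true\)`. Kotlin code usually reaches these settings through property syntax (`settings.allowFileAccessFromFileURLs = true`), which no `\.setAllow…\(true\)` regex matches, so consider extending that alternation with `allow(File|Universal)AccessFromFileURLs\s*=\s*true` and the first pattern with `javaScriptEnabled\s*=\s*true`. The metadata key is `ref:` here but `reference:` in the neighbouring rule visible in the context lines; whichever name the formatters read, the new rule should use the same key as its siblings.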
@@ -0,0 +1,32 @@ +rules: + - id: webview_allow_file_from_url + patterns: + - pattern-either: + - pattern: | + setAllowFileAccessFromFileURLs(true) + - pattern: | + $W.setAllowFileAccessFromFileURLs(true) + - pattern: | + $X = true; + ... + $W.setAllowFileAccessFromFileURLs($X); + - pattern: | + setAllowUniversalAccessFromFileURLs(true) + - pattern: | + $W.setAllowUniversalAccessFromFileURLs(true) + - pattern: | + $X = true; + ... + $W.setAllowUniversalAccessFromFileURLs($X); + message: >- + Ensure that user controlled URLs never reaches the Webview. Enabling file access + from URLs in WebView can leak sensitive information from the file system. + languages: + - java + severity: WARNING + metadata: + cwe: cwe-200 + owasp-mobile: m1 + masvs: platform-7 + reference: >- + https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 diff --git a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java new file mode 100644 index 0000000..5e02d4f --- /dev/null +++ b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java @@ -0,0 +1,24 @@ + +package com.company.something; + +import android.app.Activity; +import android.os.Bundle; +import android.webkit.WebView; + +public class HelloWebApp extends Activity { + /** Called when the activity is first created. */ + @Override + public void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + setContentView(R.layout.main); + WebView webView = (WebView)findViewById(R.id.webView); + String badUrl = getIntent().getStringExtra("URL"); + boolean x = true; + WebSettings webSettings = webView.getSettings(); + webSettings.setJavaScriptEnabled(true); + // ruleid:webview_allow_file_from_url + webSettings.setAllowFileAccessFromFileURLs(x); + webView.setWebChromeClient(new WebChromeClient()); + webView.loadUrl(badUrl); + } +} \ No newline at end of file 
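Review bot: The `metadata` block of `webview_allow_file_from_url` carries `cwe`, `owasp-mobile` and `masvs` but no `cvss`, whereas the Kotlin pattern rule for the same finding in this commit sets `cvss: 6.1`; if the formatters merge semgrep metadata the same way they do for pattern rules, the Java finding will score differently from the Kotlin one, so add `cvss: 6.1` under `metadata`. The message also reads "user controlled URLs never reaches the Webview"; I would fix the agreement and name the actual risk: `Ensure that user-controlled URLs never reach the WebView. Allowing file access from file:// URLs lets JavaScript loaded in the WebView read local files and leak their contents.` Both settings default to true on API levels below 16, so the absence of a match does not mean an app with a low minSdkVersion is safe; that caveat belongs in the message or a rule comment.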
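Review bot: The fixture marks only one of the six forms the rule accepts, the `$X = true; ... setAllowFileAccessFromFileURLs($X)` path; nothing exercises `setAllowUniversalAccessFromFileURLs` or the direct `(true)` literal, and there is no `ok:` line proving that a `false` argument stays quiet. Adding one positive and one negative case next to the existing call keeps the semgrep test harness honest about both setters. The file also ends without a trailing newline, per the `\ No newline at end of file` marker, and uses `WebSettings` and `WebChromeClient` without importing them; neither affects semgrep, but the missing newline is worth fixing for tidiness.
```java
        // ruleid:webview_allow_file_from_url
        webSettings.setAllowFileAccessFromFileURLs(x);
        // ruleid:webview_allow_file_from_url
        webSettings.setAllowUniversalAccessFromFileURLs(true);
        // ok:webview_allow_file_from_url
        webSettings.setAllowFileAccessFromFileURLs(false);
        // … unchanged: WebChromeClient setup and loadUrl …
```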
diff --git a/tests/unit/test_mobsfscan.py b/tests/unit/test_mobsfscan.py
index b4d3395..cb0d9c5 100644
--- a/tests/unit/test_mobsfscan.py
+++ b/tests/unit/test_mobsfscan.py
@@ -5,7 +5,7 @@
 )
 
 from mobsfscan.formatters import (
-    json,
+    json_fmt,
     sarif,
     sonarqube,
 )
@@ -36,7 +36,7 @@ def test_patterns_and_semgrep():
 
 
 def json_output(res):
-    json_out = json.json_output(None, res, '0.0.0')
+    json_out = json_fmt.json_output(None, res, '0.0.0')
     assert json_out is not None