v4.3.3 Security Updates (#2518)

* Fix GHSA-mwfg-948f-2cc5

* stricter email case validation

* Fix GHSA-c5vg-26p8-q8cr

* Bump deps

* Lint QA

Author: ajinabraham

.github/SECURITY.md

@@ -10,6 +10,8 @@ Please report all security issues [here](https://github.com/MobSF/Mobile-Securit
 
 | Vulnerability | Affected Versions |
 | ------- | ------------------ |
+| [Zip bomb Denial of Service (DoS) via Resource Exhaustion (Disk Space)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-c5vg-26p8-q8cr) | `<=4.3.2` |
+| [Stored Cross Site Scripting (XSS) via malicious SVG app icon](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5) | `<=4.3.2` |
 | [SSRF on assetlinks_check with DNS Rebinding](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-fcfq-m8p6-gw56) | `<=4.3.1` |
 | [Partial Denial of Service due to strict regex check in iOS report view URL](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-jrm8-xgf3-fwqr) | `<=4.3.0` |
 | [Local Privilege escalation due to leaked REST API key in web UI](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m) | `<=4.3.0` |

.github/workflows/codeql-analysis.yml

@@ -6,12 +6,12 @@ on:
   pull_request:
     branches: [ "master" ]
   schedule:
-    - cron: '18 14 * * 3'
+    - cron: '45 23 * * 4'
 
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-latest
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
       # required for all workflows
       security-events: write
@@ -27,21 +27,59 @@ jobs:
       fail-fast: false
       matrix:
         include:
+        - language: actions
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
         - language: python
           build-mode: none
-  
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
 
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
-        config-file: .github/codeql-config.yml
-      
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:

mobsf/MobSF/forms.py

@@ -47,7 +47,7 @@ class RegisterForm(UserCreationForm):
 
     def clean_email(self):
         email = self.cleaned_data.get('email')
-        if User.objects.filter(email=email).exists():
+        if User.objects.filter(email__iexact=email).exists():
             raise forms.ValidationError('Email already exists')
         return email
 

mobsf/MobSF/init.py

@@ -18,7 +18,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.3.2'
+VERSION = '4.3.3'
 BANNER = r"""
   __  __       _    ____  _____       _  _    _____ 
  |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ / 

mobsf/MobSF/security.py

@@ -325,3 +325,40 @@ def valid_host(host):
     finally:
         # Restore default socket timeout
         socket.setdefaulttimeout(default_timeout)
+
+
+def sanitize_svg(svg_content):
+    """Sanitize SVG content to prevent XSS attacks."""
+    logger.info('Sanitizing SVG contents')
+    import bleach
+    # Allow standard SVG tags and attributes, but remove scripts and event handlers
+    safe_tags = [
+        'svg', 'g', 'path', 'rect', 'circle', 'ellipse',
+        'line', 'polyline', 'polygon', 'text', 'tspan',
+        'defs', 'use', 'image', 'mask', 'clipPath',
+        'filter', 'linearGradient', 'radialGradient', 'stop',
+    ]
+    safe_attrs = {
+        '*': ['id', 'class', 'transform', 'fill', 'stroke', 'stroke-width', 'opacity'],
+        'svg': ['width', 'height', 'viewBox', 'xmlns', 'version'],
+        'path': ['d'],
+        'rect': ['x', 'y', 'width', 'height', 'rx', 'ry'],
+        'circle': ['cx', 'cy', 'r'],
+        'ellipse': ['cx', 'cy', 'rx', 'ry'],
+        'line': ['x1', 'y1', 'x2', 'y2'],
+        'polyline': ['points'],
+        'polygon': ['points'],
+        'text': ['x', 'y', 'font-family', 'font-size'],
+        'image': ['x', 'y', 'width', 'height', 'href'],
+        'use': ['x', 'y', 'width', 'height', 'href'],
+        'filter': ['x', 'y', 'width', 'height', 'href'],
+        'linearGradient': ['x1', 'y1', 'x2', 'y2'],
+        'radialGradient': ['cx', 'cy', 'r', 'fx', 'fy'],
+        'stop': ['offset', 'stop-color', 'stop-opacity'],
+    }
+    return bleach.clean(
+        svg_content,
+        tags=safe_tags,
+        attributes=safe_attrs,
+        strip=True,
+    )

mobsf/MobSF/settings.py

@@ -241,8 +241,12 @@
 STATIC_URL = '/static/'
 STATIC_ROOT = os.path.join(BASE_DIR, 'static')
 STATICFILES_STORAGE = 'whitenoise.storage.CompressedStaticFilesStorage'
-# 256MB
-DATA_UPLOAD_MAX_MEMORY_SIZE = 268435456
+# 256MB limit for file uploads
+DATA_UPLOAD_MAX_MEMORY_SIZE = 256 * 1024 * 1024
+# 400MB per file limit for uncompressed files
+ZIP_MAX_UNCOMPRESSED_FILE_SIZE = 400 * 1024 * 1024
+# 3GB total limit for all uncompressed files
+ZIP_MAX_UNCOMPRESSED_TOTAL_SIZE = 3000 * 1024 * 1024
 LOGIN_URL = 'login'
 LOGOUT_REDIRECT_URL = '/'
 AUTH_PASSWORD_VALIDATORS = [

mobsf/MobSF/views/home.py

@@ -35,7 +35,7 @@
     python_dict,
 )
 from mobsf.MobSF.init import api_key
-from mobsf.MobSF.security import sanitize_filename
+from mobsf.MobSF.security import sanitize_filename, sanitize_svg
 from mobsf.MobSF.views.helpers import FileType
 from mobsf.MobSF.views.scanning import Scanning
 from mobsf.MobSF.views.apk_downloader import apk_download
@@ -402,15 +402,32 @@ def scan_status(request, api=False):
 
 def file_download(dwd_file, filename, content_type):
     """HTTP file download response."""
-    with open(dwd_file, 'rb') as file:
-        wrapper = FileWrapper(file)
-        response = HttpResponse(wrapper, content_type=content_type)
-        response['Content-Length'] = dwd_file.stat().st_size
+    def create_response(content, is_binary=True):
+        """Helper function to create HTTP response."""
+        if is_binary:
+            wrapper = FileWrapper(content)
+            response = HttpResponse(wrapper, content_type=content_type)
+            response['Content-Length'] = dwd_file.stat().st_size
+        else:
+            response = HttpResponse(content, content_type=content_type)
         if filename:
-            val = f'attachment; filename="{filename}"'
+            # Remove CRLF from filename to prevent header injection
+            safe_filename = filename.replace('\r', '').replace('\n', '')
+            val = f'attachment; filename="{safe_filename}"'
             response['Content-Disposition'] = val
         return response
 
+    # Handle SVG files with bleach cleaning to prevent XSS attacks
+    if dwd_file.suffix == '.svg':
+        with open(dwd_file, 'r', encoding='utf-8') as file:
+            svg_content = file.read()
+            cleaned_svg = sanitize_svg(svg_content)
+            return create_response(cleaned_svg, is_binary=False)
+
+    # Handle all other binary file types
+    with open(dwd_file, 'rb') as file:
+        return create_response(file)
+
 
 @login_required
 @require_http_methods(['GET'])

mobsf/StaticAnalyzer/views/common/shared_func.py

@@ -120,6 +120,8 @@ def unzip(checksum, app_path, ext_path):
     try:
         with zipfile.ZipFile(app_path, 'r') as zipptr:
             files = zipptr.namelist()
+            total_size = 0
+            stop_fallback_extraction = False
             for fileinfo in zipptr.infolist():
                 ext_path = original_ext_path
 
@@ -145,8 +147,26 @@ def unzip(checksum, app_path, ext_path):
                     msg = ('Zip slip detected. skipped extracting'
                            f' {sanitize_for_logging(file_path)}')
                     logger.error(msg)
+                    stop_fallback_extraction = True
                     continue
 
+                # Check uncompressed size
+                if not fileinfo.is_dir():
+                    total_size += fileinfo.file_size
+                    if fileinfo.file_size > settings.ZIP_MAX_UNCOMPRESSED_FILE_SIZE:
+                        size_mb = fileinfo.file_size / (1024 * 1024)
+                        msg = (f'File too large ({size_mb:.2f} MB). Skipping '
+                               f'{sanitize_for_logging(file_path)}')
+                        logger.warning(msg)
+                    if total_size > settings.ZIP_MAX_UNCOMPRESSED_TOTAL_SIZE:
+                        stop_fallback_extraction = True
+                        total_size_mb = total_size / (1024 * 1024)
+                        msg = ('Total uncompressed size '
+                               f'({total_size_mb:.2f} MB) exceeds limit. '
+                               'Aborting extraction.')
+                        logger.error(msg)
+                        raise Exception(msg)
+
                 # Fix permissions
                 if fileinfo.is_dir():
                     # Directories should have rwxr-xr-x (755)
@@ -167,6 +187,11 @@ def unzip(checksum, app_path, ext_path):
         msg = f'Unzipping Error - {str(exp)}'
         logger.error(msg)
         append_scan_status(checksum, msg, repr(exp))
+        # Do not fallback to OS unzip
+        # if the total uncompressed file size is too large
+        # or if zip slip is detected
+        if stop_fallback_extraction:
+            return files
         # Fallback to OS unzip
         ofiles = os_unzip(checksum, app_path, ext_path)
         if not files: