From dfd124524d88eb267e6a4c0372ff807254cac9ab Mon Sep 17 00:00:00 2001 From: Ajin Abraham Date: Mon, 27 May 2024 12:33:13 -0700 Subject: [PATCH 1/3] New rules and version bump --- mobsfscan/__init__.py | 2 +- mobsfscan/__main__.py | 4 +-- mobsfscan/formatters/{json.py => json_fmt.py} | 0 mobsfscan/formatters/sonarqube.py | 2 +- mobsfscan/manifest.py | 5 +++ .../patterns/android/kotlin/kotlin_rules.yaml | 17 ++++++++++ .../webview/webview_allow_file_from_url.yaml | 32 +++++++++++++++++++ .../webview/webview_allow_file_from_url.java | 24 ++++++++++++++ tests/unit/test_mobsfscan.py | 4 +-- 9 files changed, 84 insertions(+), 6 deletions(-) rename mobsfscan/formatters/{json.py => json_fmt.py} (100%) create mode 100644 mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml create mode 100644 tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java diff --git a/mobsfscan/__init__.py b/mobsfscan/__init__.py index 41bbcae..aa5f6aa 100644 --- a/mobsfscan/__init__.py +++ b/mobsfscan/__init__.py @@ -6,7 +6,7 @@ __title__ = 'mobsfscan' __authors__ = 'Ajin Abraham' __copyright__ = f'Copyright {datetime.now().year} Ajin Abraham, OpenSecurity' -__version__ = '0.3.8' +__version__ = '0.3.9' __version_info__ = tuple(int(i) for i in __version__.split('.')) __all__ = [ '__title__', diff --git a/mobsfscan/__main__.py b/mobsfscan/__main__.py index d976ed8..832cc81 100644 --- a/mobsfscan/__main__.py +++ b/mobsfscan/__main__.py @@ -8,7 +8,7 @@ from mobsfscan.mobsfscan import MobSFScan from mobsfscan.formatters import ( cli, - json, + json_fmt, sarif, sonarqube, ) @@ -87,7 +87,7 @@ def main(): scan_results, __version__) elif args.json: - json.json_output( + json_fmt.json_output( args.output, scan_results, __version__) diff --git a/mobsfscan/formatters/json.py b/mobsfscan/formatters/json_fmt.py similarity index 100% rename from mobsfscan/formatters/json.py rename to mobsfscan/formatters/json_fmt.py 
diff --git a/mobsfscan/formatters/sonarqube.py b/mobsfscan/formatters/sonarqube.py index 743c8f2..93de845 100644 --- a/mobsfscan/formatters/sonarqube.py +++ b/mobsfscan/formatters/sonarqube.py @@ -1,7 +1,7 @@ # -*- coding: utf_8 -*- """Sonarqube output format.""" -from mobsfscan.formatters.json import json_output +from mobsfscan.formatters.json_fmt import json_output def get_sonarqube_issue(mobsfscan_issue): diff --git a/mobsfscan/manifest.py b/mobsfscan/manifest.py index 6a0901f..e5b540c 100644 --- a/mobsfscan/manifest.py +++ b/mobsfscan/manifest.py @@ -54,6 +54,11 @@ '33': '13', '34': '14', '35': '15', + '36': '16', + '37': '17', # Guess work + '38': '18', + '39': '19', + '40': '20', } diff --git a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml index dce417b..c79b855 100644 --- a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml +++ b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml @@ -80,6 +80,23 @@ owasp-mobile: m1 masvs: platform-7 reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 +- id: android_kotlin_webview_allow_file_from_url + message: >- + Ensure that user controlled URLs never reaches the Webview. Enabling file access + from URLs in WebView can leak sensitive information from the file system. + type: RegexAnd + pattern: + - setJavaScriptEnabled\(true\) + - \.setAllowFileAccessFromFileURLs\(true\) + - \.setAllowUniversalAccessFromFileURLs\(true\) + severity: warning + input_case: exact + metadata: + cvss: 6.1 + cwe: cwe-200 + owasp-mobile: m1 + masvs: platform-7 + ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 - id: android_kotlin_webview_debug message: Remote WebView debugging is enabled. type: RegexAnd 
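Review bot: The `# Guess work` comment sits on the `'37': '17'` entry only, so a reader cannot tell whether `'36'`, `'38'`, `'39'` and `'40'` are confirmed or extrapolated as well. A comment line above the new entries, for example `# API levels beyond the latest released SDK are extrapolated; confirm against the Android release notes`, would keep a guessed version label from being read as authoritative. The dictionary starts outside this hunk, so how these values are reported is not visible here.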
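Review bot: The new `android_kotlin_webview_allow_file_from_url` rule stores its link under `ref:`, while the rule just above it in the context lines uses `reference:`. If the loader or the formatters read only `reference`, the MSTG link will be missing from findings for this rule. Renaming the key to `reference:` with the same URL keeps the two rules consistent. The message also reads "never reaches"; `Ensure that user controlled URLs never reach the WebView.` is the grammatical form, and the same sentence is repeated in the semgrep rule added later in this patch.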
diff --git a/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml b/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml new file mode 100644 index 0000000..86e4482 --- /dev/null +++ b/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml @@ -0,0 +1,32 @@ +rules: + - id: webview_allow_file_from_url + patterns: + - pattern-either: + - pattern: | + setAllowFileAccessFromFileURLs(true) + - pattern: | + $W.setAllowFileAccessFromFileURLs(true) + - pattern: | + $X = true; + ... + $W.setAllowFileAccessFromFileURLs($X); + - pattern: | + setAllowUniversalAccessFromFileURLs(true) + - pattern: | + $W.setAllowUniversalAccessFromFileURLs(true) + - pattern: | + $X = true; + ... + $W.setAllowUniversalAccessFromFileURLs($X); + message: >- + Ensure that user controlled URLs never reaches the Webview. Enabling file access + from URLs in WebView can leak sensitive information from the file system. + languages: + - java + severity: WARNING + metadata: + cwe: cwe-200 + owasp-mobile: m1 + masvs: platform-7 + reference: >- + https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 diff --git a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java new file mode 100644 index 0000000..5e02d4f --- /dev/null +++ b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java 
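Review bot: The `message` names the risk but not the fix, so a developer reading the finding is not told which setting to change. A closing sentence such as `Keep setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs set to false unless local content genuinely needs it.` would make the finding actionable. The `metadata` block also carries no `cvss` value, although the Kotlin regex rule in the same patch sets `cvss: 6.1`; if the formatters expect that key, it should be added here too.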
@@ -0,0 +1,24 @@ + +package com.company.something; + +import android.app.Activity; +import android.os.Bundle; +import android.webkit.WebView; + +public class HelloWebApp extends Activity { + /** Called when the activity is first created. */ + @Override + public void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + setContentView(R.layout.main); + WebView webView = (WebView)findViewById(R.id.webView); + String badUrl = getIntent().getStringExtra("URL"); + boolean x = true; + WebSettings webSettings = webView.getSettings(); + webSettings.setJavaScriptEnabled(true); + // ruleid:webview_allow_file_from_url + webSettings.setAllowFileAccessFromFileURLs(x); + webView.setWebChromeClient(new WebChromeClient()); + webView.loadUrl(badUrl); + } +} \ No newline at end of file diff --git a/tests/unit/test_mobsfscan.py b/tests/unit/test_mobsfscan.py index b4d3395..cb0d9c5 100644 --- a/tests/unit/test_mobsfscan.py +++ b/tests/unit/test_mobsfscan.py @@ -5,7 +5,7 @@ ) from mobsfscan.formatters import ( - json, + json_fmt, sarif, sonarqube, ) @@ -36,7 +36,7 @@ def test_patterns_and_semgrep(): def json_output(res): - json_out = json.json_output(None, res, '0.0.0') + json_out = json_fmt.json_output(None, res, '0.0.0') assert json_out is not None From ea72a3f311e3ffde78338401e9008c39751b2f66 Mon Sep 17 00:00:00 2001 From: Ajin Abraham Date: Mon, 27 May 2024 12:43:17 -0700 Subject: [PATCH 2/3] fix semgrep test --- mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml | 6 +++--- .../rules/semgrep/webview/webview_allow_file_from_url.java | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml index c79b855..068838b 100644 --- a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml +++ b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml 
@@ -84,11 +84,11 @@ message: >- Ensure that user controlled URLs never reaches the Webview. Enabling file access from URLs in WebView can leak sensitive information from the file system. - type: RegexAnd + type: RegexAndOr pattern: - setJavaScriptEnabled\(true\) - - \.setAllowFileAccessFromFileURLs\(true\) - - \.setAllowUniversalAccessFromFileURLs\(true\) + - - \.setAllowFileAccessFromFileURLs\(true\) + - \.setAllowUniversalAccessFromFileURLs\(true\) severity: warning input_case: exact metadata: diff --git a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java index 5e02d4f..3ec3853 100644 --- a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java +++ b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java @@ -13,10 +13,10 @@ public void onCreate(Bundle savedInstanceState) { setContentView(R.layout.main); WebView webView = (WebView)findViewById(R.id.webView); String badUrl = getIntent().getStringExtra("URL"); + // ruleid:webview_allow_file_from_url boolean x = true; WebSettings webSettings = webView.getSettings(); webSettings.setJavaScriptEnabled(true); - // ruleid:webview_allow_file_from_url webSettings.setAllowFileAccessFromFileURLs(x); webView.setWebChromeClient(new WebChromeClient()); webView.loadUrl(badUrl); From 9ab7b0d13de47f6a26d4ac47dd2375014ec239dd Mon Sep 17 00:00:00 2001 From: Ajin Abraham Date: Mon, 27 May 2024 12:59:14 -0700 Subject: [PATCH 3/3] fix test format --- .../rules/semgrep/webview/webview_allow_file_from_url.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java index 3ec3853..4ad4204 100644 --- a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java +++ b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java 
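Review bot: All three regexes in this rule match only Java-style setter calls, so Kotlin code that uses property access, such as `settings.javaScriptEnabled = true` with `settings.allowFileAccessFromFileURLs = true`, would not be reported. Extending each pattern with the property form, for example `(\.setAllowFileAccessFromFileURLs\(true\)|allowFileAccessFromFileURLs\s*=\s*true)`, would close that gap; the same applies to the `setJavaScriptEnabled` and universal-access entries. The rule's `id` line is outside this hunk and no Kotlin test asset is visible in the patch, so the rule's coverage cannot be confirmed from here.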
@@ -13,11 +13,10 @@ public void onCreate(Bundle savedInstanceState) { setContentView(R.layout.main); WebView webView = (WebView)findViewById(R.id.webView); String badUrl = getIntent().getStringExtra("URL"); - // ruleid:webview_allow_file_from_url - boolean x = true; WebSettings webSettings = webView.getSettings(); webSettings.setJavaScriptEnabled(true); - webSettings.setAllowFileAccessFromFileURLs(x); + // ruleid:webview_allow_file_from_url + webSettings.setAllowFileAccessFromFileURLs(true); webView.setWebChromeClient(new WebChromeClient()); webView.loadUrl(badUrl); }
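Review bot: After this change the asset exercises only the `$W.setAllowFileAccessFromFileURLs(true)` pattern. The `$X = true; ... ($X)` branches and both `setAllowUniversalAccessFromFileURLs` patterns of the rule have no test line, and there is no negative case. Adding `// ruleid:webview_allow_file_from_url` above a `webSettings.setAllowUniversalAccessFromFileURLs(true);` call, and `// ok:webview_allow_file_from_url` above `webSettings.setAllowFileAccessFromFileURLs(false);`, would pin both the detection and the non-detection. onCreate begins outside the hunk.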