Merge pull request #84 from MobSF/qa

ajinabraham · web-flow · commit 849b749e7f32 · 2024-05-27T13:04:40.000-07:00
New rules and version bump
diff --git a/mobsfscan/__init__.py b/mobsfscan/__init__.py
@@ -6,7 +6,7 @@
 __title__ = 'mobsfscan'
 __authors__ = 'Ajin Abraham'
 __copyright__ = f'Copyright {datetime.now().year} Ajin Abraham, OpenSecurity'
-__version__ = '0.3.8'
+__version__ = '0.3.9'
 __version_info__ = tuple(int(i) for i in __version__.split('.'))
 __all__ = [
     '__title__',
diff --git a/mobsfscan/__main__.py b/mobsfscan/__main__.py
@@ -8,7 +8,7 @@
 from mobsfscan.mobsfscan import MobSFScan
 from mobsfscan.formatters import (
     cli,
-    json,
+    json_fmt,
     sarif,
     sonarqube,
 )
@@ -87,7 +87,7 @@ def main():
                 scan_results,
                 __version__)
         elif args.json:
-            json.json_output(
+            json_fmt.json_output(
                 args.output,
                 scan_results,
                 __version__)
diff --git a/mobsfscan/formatters/json_fmt.py b/mobsfscan/formatters/json_fmt.py
diff --git a/mobsfscan/formatters/sonarqube.py b/mobsfscan/formatters/sonarqube.py
@@ -1,7 +1,7 @@
 # -*- coding: utf_8 -*-
 """Sonarqube output format."""
 
-from mobsfscan.formatters.json import json_output
+from mobsfscan.formatters.json_fmt import json_output
 
 
 def get_sonarqube_issue(mobsfscan_issue):
diff --git a/mobsfscan/manifest.py b/mobsfscan/manifest.py
@@ -54,6 +54,11 @@
     '33': '13',
     '34': '14',
     '35': '15',
+    '36': '16',
+    '37': '17',  # Guess work
+    '38': '18',
+    '39': '19',
+    '40': '20',
 }
 
 
diff --git a/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml b/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml
@@ -80,6 +80,23 @@
     owasp-mobile: m1
     masvs: platform-7
     reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
+- id: android_kotlin_webview_allow_file_from_url
+  message: >-
+    Ensure that user controlled URLs never reaches the Webview. Enabling file access
+    from URLs in WebView can leak sensitive information from the file system.
+  type: RegexAndOr
+  pattern:
+    - setJavaScriptEnabled\(true\)
+    - - \.setAllowFileAccessFromFileURLs\(true\)
+      - \.setAllowUniversalAccessFromFileURLs\(true\)
+  severity: warning
+  input_case: exact
+  metadata:
+    cvss: 6.1
+    cwe: cwe-200
+    owasp-mobile: m1
+    masvs: platform-7
+    ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
 - id: android_kotlin_webview_debug
   message: Remote WebView debugging is enabled.
   type: RegexAnd
diff --git a/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml b/mobsfscan/rules/semgrep/webview/webview_allow_file_from_url.yaml
@@ -0,0 +1,32 @@
+rules:
+  - id: webview_allow_file_from_url
+    patterns:
+      - pattern-either:
+          - pattern: |
+              setAllowFileAccessFromFileURLs(true)
+          - pattern: |
+              $W.setAllowFileAccessFromFileURLs(true)
+          - pattern: |
+              $X = true;
+              ...
+              $W.setAllowFileAccessFromFileURLs($X);
+          - pattern: |
+              setAllowUniversalAccessFromFileURLs(true)
+          - pattern: |
+              $W.setAllowUniversalAccessFromFileURLs(true)
+          - pattern: |
+              $X = true;
+              ...
+              $W.setAllowUniversalAccessFromFileURLs($X);
+    message: >-
+      Ensure that user controlled URLs never reaches the Webview. Enabling file access
+      from URLs in WebView can leak sensitive information from the file system.
+    languages:
+      - java
+    severity: WARNING
+    metadata:
+      cwe: cwe-200
+      owasp-mobile: m1
+      masvs: platform-7
+      reference: >-
+        https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
diff --git a/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java b/tests/assets/rules/semgrep/webview/webview_allow_file_from_url.java
@@ -0,0 +1,23 @@
+
+package com.company.something;
+
+import android.app.Activity;
+import android.os.Bundle;
+import android.webkit.WebView;
+
+public class HelloWebApp extends Activity {
+    /** Called when the activity is first created. */
+    @Override
+    public void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.main);
+        WebView webView = (WebView)findViewById(R.id.webView);
+        String badUrl = getIntent().getStringExtra("URL");
+        WebSettings webSettings = webView.getSettings();
+        webSettings.setJavaScriptEnabled(true);
+        // ruleid:webview_allow_file_from_url
+        webSettings.setAllowFileAccessFromFileURLs(true);
+        webView.setWebChromeClient(new WebChromeClient());
+        webView.loadUrl(badUrl);
+    }
+}
diff --git a/tests/unit/test_mobsfscan.py b/tests/unit/test_mobsfscan.py
@@ -5,7 +5,7 @@
 )
 
 from mobsfscan.formatters import (
-    json,
+    json_fmt,
     sarif,
     sonarqube,
 )
@@ -36,7 +36,7 @@ def test_patterns_and_semgrep():
 
 
 def json_output(res):
-    json_out = json.json_output(None, res, '0.0.0')
+    json_out = json_fmt.json_output(None, res, '0.0.0')
     assert json_out is not None
 
 

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`)`
`6`	`6`
`7`	`7`	`from mobsfscan.formatters import (`
`8`		`- json,`
	`8`	`+ json_fmt,`
`9`	`9`	`sarif,`
`10`	`10`	`sonarqube,`
`11`	`11`	`)`
`@@ -36,7 +36,7 @@ def test_patterns_and_semgrep():`
`36`	`36`
`37`	`37`
`38`	`38`	`def json_output(res):`
`39`		`- json_out = json.json_output(None, res, '0.0.0')`
	`39`	`+ json_out = json_fmt.json_output(None, res, '0.0.0')`
`40`	`40`	`assert json_out is not None`
`41`	`41`
`42`	`42`