[SECURITY][HOTFIX] Fixes GHSA-4hh3-vj32-gr6j (#2421)

* Fixes GHSA-4hh3-vj32-gr6j * update SECURITY.md * update dependencies
MobSF · Aug 18, 2024 · cc625fe · cc625fe
1 parent 5b7c5c0
commit cc625fe
Show file tree

Hide file tree

Showing 5 changed files with 398 additions and 364 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -18,6 +18,7 @@ Please report all security issues [here](https://github.com/MobSF/Mobile-Securit
 
 | Vulnerability | Affected Versions |
 | ------- | ------------------ |
+| [Zip Slip Vulnerability in .a extraction](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j) | `<=4.0.6` |
 | [Open Redirect in Login redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4) | `<=4.0.4` |
 | [SSRF in firebase database check](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx) | `<=3.9.7` |
 | [SSRF in AppLink check via abusing url redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-m435-9v6r-v5f6) | `<=3.9.6` |

diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -10,7 +10,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.0.6'
+VERSION = '4.0.7'
 BANNER = """
   __  __       _    ____  _____       _  _    ___  
  |  \/  | ___ | |__/ ___||  ___|_   _| || |  / _ \ 

diff --git a/mobsf/StaticAnalyzer/views/common/shared_func.py b/mobsf/StaticAnalyzer/views/common/shared_func.py
@@ -30,6 +30,7 @@
     URL_REGEX,
     append_scan_status,
     is_md5,
+    is_path_traversal,
     is_safe_path,
     print_n_send_error_response,
     upstream_proxy,
@@ -185,9 +186,12 @@ def ar_extract(checksum, src, dst):
         ar.read_all_headers()
         for a, val in ar.archived_files.items():
             # Handle archive slip attacks
-            filtered = a.decode(
-                'utf-8', 'ignore').replace(
-                '../', '').replace('..\\', '')
+            filtered = a.decode('utf-8', 'ignore')
+            if is_path_traversal(filtered):
+                msg = f'Zip slip detected. skipped extracting {filtered}'
+                logger.warning(msg)
+                append_scan_status(checksum, msg)
+                continue
             out = Path(dst) / filtered
             out.write_bytes(val.read())
     except Exception: