Merge branch 'master' into master

.dockerignore

@@ -24,4 +24,5 @@ mobsf/downloads
 mobsf/uploads
 mobsf/debug.log
 mobsf/secret
-mobsf/StaticAnalyzer/test_files/
+mobsf/StaticAnalyzer/test_files/
+TODO.md

.github/CONTRIBUTING.md

@@ -15,7 +15,7 @@ The issue tracker is the preferred channel for [bug reports](#bugs),
 [features requests](#features) and [submitting pull
 requests](#pull-requests), but please respect the following restrictions:
 
-* Please **do not** use the issue tracker for personal support requests (use [MobSF Slack channel](https://join.slack.com/t/mobsf/shared_invite/zt-153nfus2r-hMCGrwzm8Lyy3OxsihnolQ) or 
+* Please **do not** use the issue tracker for personal support requests (use [MobSF Slack channel](https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw) or 
   [Stack Overflow](https://stackoverflow.com/search?q=mobsf)).
 
 * Please **do not** derail or troll issues. Keep the discussion on topic and

.github/ISSUE_TEMPLATE/bug_report.md

@@ -8,9 +8,9 @@ assignees: ''
 ---
 
 <!-- ## IMPORTANT -->
-<!-- Issues are ONLY for reporting BUGS. For support, feature requests, questions, queries, and discussions use our slack channel for limited support. Join MobSF Slack channel: https://join.slack.com/t/mobsf/shared_invite/zt-153nfus2r-hMCGrwzm8Lyy3OxsihnolQ
+<!-- Issues are ONLY for reporting BUGS. For support, feature requests, questions, queries, and discussions use our slack channel for limited support. Join MobSF Slack channel: https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw
 -->
-<!-- If you see errors while running setup/run scripts, it is mostly because you haven't installed the required dependencies correctly. You will have to look into the errors and figure out what is causing them and solve them accordingly. Make sure you have installed all the required dependencies and their correct versions as per the latest documentation. If you still find yourself at a dead end, join MobSF Slack channel:https://join.slack.com/t/mobsf/shared_invite/zt-153nfus2r-hMCGrwzm8Lyy3OxsihnolQ
+<!-- If you see errors while running setup/run scripts, it is mostly because you haven't installed the required dependencies correctly. You will have to look into the errors and figure out what is causing them and solve them accordingly. Make sure you have installed all the required dependencies and their correct versions as per the latest documentation. If you still find yourself at a dead end, join MobSF Slack channel:https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw
 Please do not post support/help request in GitHub issues, doing so will definitely waste our time get them closed without further response. -->
 
 ## ENVIRONMENT
@@ -26,7 +26,7 @@ MobSF Version:
 ```
 What happens, under which versions, under what conditions, when, and what were you expecting instead.
 ```
-<!-- If you see errors while running setup/run scripts, join MobSF Slack channel: https://bit.ly/3mCMNOx to get limited support. -->
+<!-- If you see errors while running setup/run scripts, join MobSF Slack channel: https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw to get limited support. -->
 
 ## STEPS TO REPRODUCE THE ISSUE
 

.github/SECURITY.md

@@ -1,14 +1,6 @@
 # Security Policy
 
-## Supported Versions
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.0.x   | :x:                |
-| 2.0.x   | :x:                |
-| 3.0.x   | :white_check_mark: |
-| 4.0.x   | :white_check_mark: |
-
+Keeping MobSF updated to the latest version is essential for ensuring security and stability.
 
 ## Reporting a Vulnerability
 
@@ -18,6 +10,9 @@ Please report all security issues [here](https://github.com/MobSF/Mobile-Securit
 
 | Vulnerability | Affected Versions |
 | ------- | ------------------ |
+| [Stored Cross-Site Scripting Vulnerability in Recent Scans "Diff or Compare"](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-5jc6-h9w7-jm3p) | `<=4.2.8` |
+| [Zip Slip Vulnerability in .a extraction](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-4hh3-vj32-gr6j) | `<=4.0.6` |
+| [Open Redirect in Login redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4) | `<=4.0.4` |
 | [SSRF in firebase database check](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx) | `<=3.9.7` |
 | [SSRF in AppLink check via abusing url redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-m435-9v6r-v5f6) | `<=3.9.6` |
 | [SSRF in AppLink check via crafted android:host](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3) | `<=3.9.5`|

.github/SUPPORT.md

@@ -1 +1 @@
-Github Issues are ONLY for reporting bugs and feature requests. For support, questions, queries and discussions use our slack channel. [Join MobSF Slack Channel](https://join.slack.com/t/mobsf/shared_invite/zt-153nfus2r-hMCGrwzm8Lyy3OxsihnolQ)
+Github Issues are ONLY for reporting bugs and feature requests. For support, questions, queries and discussions use our slack channel. [Join MobSF Slack Channel](https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw)

.github/codeql-config.yml

@@ -0,0 +1,12 @@
+name: "CodeQL config"
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - exclude:
+      id: py/path-injection  # To much false positives
+
+paths-ignore:
+  - "**/.git/**"
+  - "**/.github/**"

.github/workflows/auto-comment.yml

@@ -12,7 +12,7 @@ jobs:
           issuesOpened: >
             👋 @{{ author }}
             
-            Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join [MobSF Slack channel](https://join.slack.com/t/mobsf/shared_invite/zt-153nfus2r-hMCGrwzm8Lyy3OxsihnolQ)
+            Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join [MobSF Slack channel](https://join.slack.com/t/mobsf/shared_invite/zt-2umjnqlsm-sNSh9g4GFraPUBPqatwTxw)
             
             Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.
 

.github/workflows/codeql-analysis.yml

@@ -1,61 +1,48 @@
-name: "CodeQL"
+name: "CodeQL Advanced"
 
 on:
   push:
     branches: [ "master" ]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [ "master" ]
   schedule:
-    - cron: '17 16 * * 0'
+    - cron: '18 14 * * 3'
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
       actions: read
       contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
+        include:
+        - language: python
+          build-mode: none
+  
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
+        build-mode: ${{ matrix.build-mode }}
+        config-file: .github/codeql-config.yml
+
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/mobsf-test.yml

@@ -6,13 +6,16 @@ on:
   pull_request:
     branches: [ master ]
 
+env:
+  MOBSF_DISABLE_AUTHENTICATION: "1"
+
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04, macos-latest, windows-latest]
-        python-version: ['3.10', '3.11']
+        python-version: ['3.12']
 
     runs-on: ${{ matrix.os }}
     steps:
@@ -22,14 +25,15 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
 
-    - name: Setup Pip and Poetry
+    - name: Setup pip, poetry and tox
       run: |
-        python -m pip install pip==22.3.1 poetry==1.6.1
+        python -m ensurepip --upgrade
+        python -m pip install pip poetry==1.8.4
+        python -m pip install --upgrade setuptools tox
 
     - name: Lint on Ubuntu
       if: startsWith(matrix.os, 'ubuntu')
       run: |
-        python -m pip install --upgrade tox
         tox -e lint
 
     - name: Install Ubuntu Dependencies
@@ -59,9 +63,16 @@ jobs:
         poetry run python manage.py makemigrations
         poetry run python manage.py makemigrations StaticAnalyzer
         poetry run python manage.py migrate
-
+        poetry run python manage.py create_roles
+  
+    - uses: actions/setup-java@v4
+      with:
+        distribution: 'temurin'
+        java-version: '21'
+
     - name: Unit Tests on Ubuntu, macOS and Windows
       run: |
+        java -version
         git submodule update --init --recursive
         poetry run python manage.py test mobsf
 

.github/workflows/python-publish.yml

@@ -18,7 +18,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install poetry==1.6.1
+        pip install poetry==1.8.4
     - name: Build and publish
       env:
         PYPI_TOKEN: ${{ secrets.PYPI_PASSWORD }}

.gitignore

@@ -78,3 +78,4 @@ mobsf/secret
 mobsf/StaticAnalyzer/migrations
 mobsf/MobSF/windows_vm_priv_key.asc
 mobsf/setup_done.txt
+TODO.md

.sonarcloud.properties

@@ -1,4 +1,4 @@
 sonar.sources=.
 sonar.exclusions=mobsf/static/**/*,mobsf/templates/**/*
 sonar.sourceEncoding=UTF-8
-sonar.python.version=3.10, 3.11
+sonar.python.version=3.10, 3.11, 3.12