HOTFIX: Fix and OpenRedirect vulnerability

Author: ajinabraham

mobsf/MobSF/init.py

@@ -10,7 +10,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.0.4'
+VERSION = '4.0.5'
 BANNER = """
   __  __       _    ____  _____       _  _    ___  
  |  \/  | ___ | |__/ ___||  ___|_   _| || |  / _ \ 

mobsf/MobSF/security.py

@@ -195,3 +195,13 @@ def wrap_function(oldfunction, newfunction):
     def run(*args, **kwargs):
         return newfunction(oldfunction, *args, **kwargs)
     return run
+
+
+def sanitize_redirect(url):
+    """Sanitize Redirect URL."""
+    root = '/'
+    if url.startswith('//'):
+        return root
+    elif url.startswith('/'):
+        return url
+    return root

mobsf/MobSF/views/authentication.py

@@ -18,6 +18,10 @@
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required as lg
 
+from mobsf.MobSF.security import (
+    sanitize_redirect,
+)
+
 from brake.decorators import ratelimit
 
 
@@ -57,7 +61,7 @@ def login_view(request):
     else:
         allow_pwd = False
     nextp = request.GET.get('next', '')
-    redirect_url = nextp if nextp.startswith('/') else '/'
+    redirect_url = sanitize_redirect(nextp)
     if request.user.is_authenticated:
         return redirect(redirect_url)
     if request.method == 'POST':

mobsf/MobSF/views/saml2.py

@@ -26,6 +26,9 @@
 from mobsf.MobSF.utils import (
     print_n_send_error_response,
 )
+from mobsf.MobSF.security import (
+    sanitize_redirect,
+)
 
 logger = logging.getLogger(__name__)
 ASSERTION_IDS = set()
@@ -117,8 +120,8 @@ def get_redirect_url(req):
         return redirect_url
     relay_state = req['post_data']['RelayState']
     # Allow only relative URLs
-    if (relay_state and relay_state.startswith('/')):
-        redirect_url = relay_state
+    if relay_state:
+        redirect_url = sanitize_redirect(relay_state)
     return redirect_url
 
 
@@ -139,7 +142,7 @@ def saml_login(request):
         req = prepare_django_request(request)
         auth = init_saml_auth(req)
         nextp = request.GET.get('next', '')
-        redirect_url = nextp if nextp.startswith('/') else '/'
+        redirect_url = sanitize_redirect(nextp)
         return redirect(auth.login(return_to=redirect_url))
     except Exception as exp:
         return print_n_send_error_response(

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "mobsf"
-version = "4.0.4"
+version = "4.0.5"
 description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
 keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"]
 authors = ["Ajin Abraham <[email protected]>"]