def run(request, api=False):
"""View the source of a file."""
try:
logger.info("View Android Source File")
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err
}
template = "general/error.html"
return render(request, template, context, status=400)
if fil.endswith('.java'):
if typ == 'eclipse':
src = os.path.join(settings.UPLD_DIR, md5 + '/src/')
elif typ == 'studio':
src = os.path.join(settings.UPLD_DIR,
md5 + '/app/src/main/java/')
elif typ == 'apk':
src = os.path.join(settings.UPLD_DIR, md5 + '/java_source/')
elif fil.endswith('.smali'):
src = os.path.join(settings.UPLD_DIR, md5 + '/smali_source/')
sfile = os.path.join(src, fil)
dat = ''
with io.open(sfile, mode='r', encoding="utf8",
errors="ignore") as file_pointer:
dat = file_pointer.read()
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'dat': dat
}
template = "static_analysis/view_source.html"
if api:
return context
return render(request, template, context)
except Exception as exp:
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def api_viewsource_ios(request):
"""
viewsource for ios file
"""
viewsource_form = ViewSourceIosForm(request.GET)
if not viewsource_form.is_valid():
return JsonResponse(FormUtil.errors_message(viewsource_form),
status=BAD_REQUEST)
view_source = ViewSourceIos(request)
return view_source.api()
def run(request, api=False):
"""View the source of a file."""
try:
logger.info('View Android Source File')
exp = 'Error Description'
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
return print_n_send_error_response(request, err, api, exp)
base = Path(settings.UPLD_DIR) / md5
if typ == 'smali':
src = base / 'smali_source'
syntax = 'smali'
else:
try:
src, syntax, _ = find_java_source_folder(base)
except StopIteration:
msg = 'Invalid Directory Structure'
return print_n_send_error_response(request, msg, api)
sfile = src / fil
if not is_safe_path(src, sfile.as_posix()):
msg = 'Path Traversal Detected!'
return print_n_send_error_response(request, msg, api)
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'data': sfile.read_text('utf-8', 'ignore'),
'type': syntax,
'sqlite': {},
'version': settings.MOBSF_VER,
}
template = 'general/view.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
return print_n_send_error_response(request, msg, api, exp)
def upload_api(self):
"""API File Upload."""
api_response = {}
request = self.request
if not self.form.is_valid():
api_response['error'] = FormUtil.errors_message(self.form)
return api_response, HTTP_BAD_REQUEST
self.file = request.FILES['file']
self.file_type = FileType(self.file)
if not self.file_type.is_allow_file():
api_response['error'] = 'File format not Supported!'
return api_response, HTTP_BAD_REQUEST
api_response = self.upload()
return api_response, 200
def upload_api(self):
"""API File Upload."""
api_response = {}
request = self.request
if not self.form.is_valid():
api_response['error'] = FormUtil.errors_message(self.form)
return api_response, HTTP_BAD_REQUEST
self.file_content_type = request.FILES['file'].content_type
self.file_name_lower = request.FILES['file'].name.lower()
self.file_type = FileType(self.file_content_type, self.file_name_lower)
if not self.file_type.is_allow_file():
api_response['error'] = 'File format not Supported!'
return api_response, HTTP_BAD_REQUEST
data = self.upload()
api_response = {
'scan_type': data['scan_type'],
'hash': data['hash'],
'file_name': data['file_name'],
}
return api_response, 200
def upload_api(self):
api_response = {}
request = self.request
if not self.form.is_valid():
api_response['error'] = FormUtil.errors_message(self.form)
return JsonResponse(data=api_response, status=HTTP_BAD_REQUEST)
self.file_content_type = request.FILES['file'].content_type
self.file_name_lower = request.FILES['file'].name.lower()
self.file_type = FileType(self.file_content_type, self.file_name_lower)
if not self.file_type.is_allow_file():
api_response["error"] = "File format not Supported!"
return JsonResponse(data=api_response, status=HTTP_BAD_REQUEST)
data = self.upload()
return JsonResponse({
'scan_type': data['scan_type'],
'hash': data['hash'],
'file_name': data['file_name']
})
def upload_api(self):
"""
API File Upload
"""
api_response = {}
request = self.request
if not self.form.is_valid():
api_response['error'] = FormUtil.errors_message(self.form)
return api_response, HTTP_BAD_REQUEST
self.file_content_type = request.FILES['file'].content_type
self.file_name_lower = request.FILES['file'].name.lower()
self.file_type = FileType(self.file_content_type, self.file_name_lower)
if not self.file_type.is_allow_file():
api_response["error"] = "File format not Supported!"
return api_response, HTTP_BAD_REQUEST
data = self.upload()
api_response = {
'scan_type': data['scan_type'],
'hash': data['hash'],
'file_name': data['file_name']
}
return api_response, 200
def run(request, api=False):
"""View the source of a file."""
try:
print("[INFO] View Android Source File")
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err
}
template = "general/error.html"
return render(request, template, context, status=400)
if fil.endswith('.java'):
if typ == 'eclipse':
src = os.path.join(settings.UPLD_DIR, md5 + '/src/')
elif typ == 'studio':
src = os.path.join(
settings.UPLD_DIR, md5 + '/app/src/main/java/')
elif typ == 'apk':
src = os.path.join(
settings.UPLD_DIR, md5 + '/java_source/')
elif fil.endswith('.smali'):
src = os.path.join(settings.UPLD_DIR,
md5 + '/smali_source/')
sfile = os.path.join(src, fil)
dat = ''
with io.open(
sfile,
mode='r',
encoding="utf8",
errors="ignore"
) as file_pointer:
dat = file_pointer.read()
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'dat': dat
}
template = "static_analysis/view_source.html"
if api:
return context
return render(request, template, context)
except Exception as exp:
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View iOS Files."""
try:
logger.info('View iOS Source File')
file_format = 'cpp'
if api:
fil = request.POST['file']
md5_hash = request.POST['hash']
mode = request.POST['type']
viewsource_form = ViewSourceIOSApiForm(request.POST)
else:
fil = request.GET['file']
md5_hash = request.GET['md5']
mode = request.GET['type']
viewsource_form = ViewSourceIOSForm(request.GET)
typ = set_ext_api(fil)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err,
}
template = 'general/error.html'
return render(request, template, context, status=400)
if mode == 'ipa':
src = os.path.join(settings.UPLD_DIR, md5_hash + '/Payload/')
elif mode == 'ios':
src = os.path.join(settings.UPLD_DIR, md5_hash + '/')
sfile = os.path.join(src, fil)
dat = ''
if typ == 'm':
file_format = 'cpp'
with io.open(sfile, mode='r', encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
elif typ == 'xml':
file_format = 'xml'
with io.open(sfile, mode='r', encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
elif typ == 'plist':
file_format = 'json'
dat = biplist.readPlist(sfile)
try:
dat = json.dumps(dat, indent=4, sort_keys=True)
except Exception:
pass
elif typ == 'db':
file_format = 'asciidoc'
dat = read_sqlite(sfile)
elif typ == 'txt' and fil == 'classdump.txt':
file_format = 'cpp'
app_dir = os.path.join(settings.UPLD_DIR, md5_hash + '/')
cls_dump_file = os.path.join(app_dir, 'classdump.txt')
if is_file_exists(cls_dump_file):
with io.open(cls_dump_file,
mode='r',
encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
else:
dat = 'Class Dump result not Found'
else:
if api:
return {'error': 'Invalid Parameters'}
return HttpResponseRedirect('/error/')
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'type': file_format,
'dat': dat
}
template = 'general/view.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View iOS Files"""
try:
print("[INFO] View iOS Source File")
file_format = "cpp"
if api:
fil = request.POST['file']
md5_hash = request.POST['hash']
mode = request.POST['type']
viewsource_form = ViewSourceIOSApiForm(request.POST)
else:
fil = request.GET['file']
md5_hash = request.GET['md5']
mode = request.GET['type']
viewsource_form = ViewSourceIOSForm(request.GET)
typ = set_ext_api(fil)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err
}
template = "general/error.html"
return render(request, template, context, status=400)
if mode == 'ipa':
src = os.path.join(settings.UPLD_DIR,
md5_hash + '/Payload/')
elif mode == 'ios':
src = os.path.join(settings.UPLD_DIR, md5_hash + '/')
sfile = os.path.join(src, fil)
dat = ''
if typ == 'm':
file_format = 'cpp'
with io.open(sfile, mode='r', encoding="utf8", errors="ignore") as flip:
dat = flip.read()
elif typ == 'xml':
file_format = 'xml'
with io.open(sfile, mode='r', encoding="utf8", errors="ignore") as flip:
dat = flip.read()
elif typ == 'db':
file_format = 'asciidoc'
dat = read_sqlite(sfile)
elif typ == 'txt' and fil == "classdump.txt":
file_format = 'cpp'
app_dir = os.path.join(settings.UPLD_DIR, md5_hash + '/')
cls_dump_file = os.path.join(app_dir, "classdump.txt")
if isFileExists(cls_dump_file):
with io.open(cls_dump_file,
mode='r',
encoding="utf8",
errors="ignore"
) as flip:
dat = flip.read()
else:
dat = "Class Dump result not Found"
else:
if api:
return {"error": "Invalid Parameters"}
return HttpResponseRedirect('/error/')
context = {'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'type': file_format,
'dat': dat}
template = "general/view.html"
if api:
return context
return render(request, template, context)
except Exception as exp:
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View the source of a file."""
try:
logger.info('View Android Source File')
exp = 'Error Description'
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
return print_n_send_error_response(request, err, False, exp)
base = Path(settings.UPLD_DIR) / md5
syntax = 'java'
if fil.endswith(('.java', '.kt')):
if typ == 'eclipse':
src = base / 'src'
elif typ == 'studio':
src = base / 'app' / 'src' / 'main' / 'java'
kt = base / 'app' / 'src' / 'main' / 'kotlin'
if not src.exists() and kt.exists():
src = kt
syntax = 'kotlin'
elif typ == 'apk':
src = base / 'java_source'
elif fil.endswith('.smali'):
src = base / 'smali_source'
syntax = 'smali'
else:
msg = 'Not Found'
doc = 'File not Found!'
is_api = False
if api:
is_api = True
return print_n_send_error_response(request, msg, is_api, doc)
sfile = src / fil
if not is_safe_path(src, sfile.as_posix()):
msg = 'Path Traversal Detected!'
if api:
return {'error': 'Path Traversal Detected!'}
return print_n_send_error_response(request, msg, False, exp)
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'data': sfile.read_text('utf-8', 'ignore'),
'type': syntax,
'sqlite': {},
'version': settings.MOBSF_VER,
}
template = 'general/view.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View iOS Files"""
try:
print("[INFO] View iOS Source File")
file_format = "cpp"
if api:
fil = request.POST['file']
md5_hash = request.POST['hash']
mode = request.POST['type']
viewsource_form = ViewSourceIOSApiForm(request.POST)
else:
fil = request.GET['file']
md5_hash = request.GET['md5']
mode = request.GET['type']
viewsource_form = ViewSourceIOSForm(request.GET)
typ = set_ext_api(fil)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err
}
template = "general/error.html"
return render(request, template, context, status=400)
if mode == 'ipa':
src = os.path.join(settings.UPLD_DIR, md5_hash + '/Payload/')
elif mode == 'ios':
src = os.path.join(settings.UPLD_DIR, md5_hash + '/')
sfile = os.path.join(src, fil)
dat = ''
if typ == 'm':
file_format = 'cpp'
with io.open(sfile, mode='r', encoding="utf8",
errors="ignore") as flip:
dat = flip.read()
elif typ == 'xml':
file_format = 'xml'
with io.open(sfile, mode='r', encoding="utf8",
errors="ignore") as flip:
dat = flip.read()
elif typ == 'db':
file_format = 'asciidoc'
dat = read_sqlite(sfile)
elif typ == 'txt' and fil == "classdump.txt":
file_format = 'cpp'
app_dir = os.path.join(settings.UPLD_DIR, md5_hash + '/')
cls_dump_file = os.path.join(app_dir, "classdump.txt")
if isFileExists(cls_dump_file):
with io.open(cls_dump_file,
mode='r',
encoding="utf8",
errors="ignore") as flip:
dat = flip.read()
else:
dat = "Class Dump result not Found"
else:
if api:
return {"error": "Invalid Parameters"}
return HttpResponseRedirect('/error/')
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'type': file_format,
'dat': dat
}
template = "general/view.html"
if api:
return context
return render(request, template, context)
except Exception as exp:
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def api_find(request):
form = forms.FindForm(request.POST)
if not form.is_valid():
return JsonResponse(FormUtil.errors_message(form), status=400)
return find.run(request, IS_API)
def api_java_file(request):
form = forms.JavaFileForm(request.GET)
if not form.is_valid():
return JsonResponse(FormUtil.errors_message(form), status=400)
return java_file.run(request, IS_API)
def run(request, api=False):
"""View the source of a file."""
try:
logger.info('View Android Source File')
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
context = {
'title': 'Error',
'exp': 'Error Description',
'doc': err,
}
template = 'general/error.html'
return render(request, template, context, status=400)
if fil.endswith('.java'):
if typ == 'eclipse':
src = os.path.join(settings.UPLD_DIR, md5 + '/src/')
elif typ == 'studio':
src = os.path.join(settings.UPLD_DIR,
md5 + '/app/src/main/java/')
elif typ == 'apk':
src = os.path.join(settings.UPLD_DIR, md5 + '/java_source/')
elif fil.endswith('.smali'):
src = os.path.join(settings.UPLD_DIR, md5 + '/smali_source/')
else:
msg = 'Not Found'
doc = 'File not Found!'
is_api = False
if api:
is_api = True
return print_n_send_error_response(request, msg, is_api, doc)
# Unset SRC for any other case.
# Otherwise it will cause Directory Traversal
sfile = os.path.join(src, fil)
dat = ''
with io.open(
sfile,
mode='r',
encoding='utf8',
errors='ignore',
) as file_pointer:
dat = file_pointer.read()
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'dat': dat,
}
template = 'static_analysis/view_source.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View iOS Files."""
try:
logger.info('View iOS Source File')
exp = 'Error Description'
file_format = None
if api:
fil = request.POST['file']
md5_hash = request.POST['hash']
mode = request.POST['type']
viewsource_form = ViewSourceIOSApiForm(request.POST)
else:
fil = request.GET['file']
md5_hash = request.GET['md5']
mode = request.GET['type']
viewsource_form = ViewSourceIOSForm(request.GET)
typ = set_ext_api(fil)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
return print_n_send_error_response(request, err, False, exp)
base = Path(settings.UPLD_DIR) / md5_hash
if mode == 'ipa':
src1 = base / 'payload'
src2 = base / 'Payload'
if src1.exists():
src = src1
elif src2.exists():
src = src2
else:
raise Exception('MobSF cannot find Payload directory')
elif mode == 'ios':
src = base
sfile = src / fil
sfile = sfile.as_posix()
if not is_safe_path(src, sfile):
msg = 'Path Traversal Detected!'
if api:
return {'error': 'Path Traversal Detected!'}
return print_n_send_error_response(request, msg, False, exp)
dat = ''
sql_dump = {}
if typ == 'm':
file_format = 'cpp'
with io.open(sfile, mode='r', encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
elif typ == 'xml':
file_format = 'xml'
with io.open(sfile, mode='r', encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
elif typ == 'plist':
file_format = 'json'
dat = biplist.readPlist(sfile)
try:
dat = json.dumps(dat, indent=4, sort_keys=True)
except Exception:
pass
elif typ == 'db':
file_format = 'asciidoc'
sql_dump = read_sqlite(sfile)
elif typ == 'txt' and fil == 'classdump.txt':
file_format = 'cpp'
app_dir = os.path.join(settings.UPLD_DIR, md5_hash + '/')
cls_dump_file = os.path.join(app_dir, 'classdump.txt')
if is_file_exists(cls_dump_file):
with io.open(cls_dump_file,
mode='r',
encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
else:
dat = 'Class Dump result not Found'
elif typ == 'txt':
file_format = 'text'
with io.open(sfile, mode='r', encoding='utf8',
errors='ignore') as flip:
dat = flip.read()
else:
if api:
return {'error': 'Invalid Parameters'}
return HttpResponseRedirect('/error/')
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'type': file_format,
'dat': dat,
'sql': sql_dump,
'version': settings.MOBSF_VER,
}
template = 'general/view.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
return print_n_send_error_response(request, msg, False, exp)
def run(request, api=False):
"""View the source of a file."""
try:
logger.info('View Android Source File')
exp = 'Error Description'
if api:
fil = request.POST['file']
md5 = request.POST['hash']
typ = request.POST['type']
viewsource_form = ViewSourceAndroidApiForm(request.POST)
else:
fil = request.GET['file']
md5 = request.GET['md5']
typ = request.GET['type']
viewsource_form = ViewSourceAndroidForm(request.GET)
if not viewsource_form.is_valid():
err = FormUtil.errors_message(viewsource_form)
if api:
return err
return print_n_send_error_response(request, err, False, exp)
if fil.endswith(('.java', '.kt')):
if typ == 'eclipse':
src = os.path.join(settings.UPLD_DIR, md5 + '/src/')
elif typ == 'studio':
src = os.path.join(
settings.UPLD_DIR, md5 + '/app/src/main/java/')
elif typ == 'apk':
src = os.path.join(
settings.UPLD_DIR, md5 + '/java_source/')
elif fil.endswith('.smali'):
src = os.path.join(settings.UPLD_DIR,
md5 + '/smali_source/')
else:
msg = 'Not Found'
doc = 'File not Found!'
is_api = False
if api:
is_api = True
return print_n_send_error_response(request, msg, is_api, doc)
sfile = os.path.join(src, fil)
if not is_safe_path(src, sfile):
msg = 'Path Traversal Detected!'
if api:
return {'error': 'Path Traversal Detected!'}
return print_n_send_error_response(request, msg, False, exp)
dat = ''
with io.open(
sfile,
mode='r',
encoding='utf8',
errors='ignore',
) as file_pointer:
dat = file_pointer.read()
context = {
'title': escape(ntpath.basename(fil)),
'file': escape(ntpath.basename(fil)),
'dat': dat,
'type': 'java',
'sql': {},
'version': settings.MOBSF_VER,
}
template = 'general/view.html'
if api:
return context
return render(request, template, context)
except Exception as exp:
logger.exception('Error Viewing Source')
msg = str(exp)
exp = exp.__doc__
if api:
return print_n_send_error_response(request, msg, True, exp)
else:
return print_n_send_error_response(request, msg, False, exp)
