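def scan(self):
    """Locate, parse and validate every ADBMobileConfig.json in the package.

    On Android the config file is usually in the assets folder but can be
    placed elsewhere; on iOS it can be anywhere. Every candidate path that
    ``AdobeMobileSdkPlugin.get_paths`` reports is parsed and validated, and
    the results are written with ``click.echo``. Nothing is returned.
    """
    # open_file_as_zip returns None when the input is not a readable ZIP;
    # stop here rather than handing None to get_paths further down.
    self.zip_file = TruegazeUtils.open_file_as_zip(self.filename)
    if self.zip_file is None:
        click.echo('-- ERROR: Unable to open file as a ZIP archive, skipping')
        return

    # Search all paths for the config file
    paths = AdobeMobileSdkPlugin.get_paths(self.zip_file)
    if not paths:
        click.echo(
            '-- Cannot find the "ADBMobileConfig.json" file, skipping')
        return

    # Loop through files, parse the JSON and analyze
    click.echo('-- Found ' + str(len(paths)) + ' configuration file(s)')
    for path in paths:
        # Paths are archive entry names, i.e. attacker-controlled text that is
        # only echoed here; close the quote with the same character it opened with.
        click.echo('-- Scanning "' + path + '"')

        # Try to parse the data; a falsy result means the entry was not usable JSON
        parsed_data = AdobeMobileSdkPlugin.parse_data(self.zip_file, path)
        if not parsed_data:
            click.echo(
                '---- ERROR: Unable to parse config file - will skip. File: ' + path)
            continue

        # Validate the file and report every finding on its own line
        messages = AdobeMobileSdkPlugin.validate(parsed_data)
        if messages:
            click.echo("-- Found " + str(len(messages)) + ' issues')
            for message in messages:
                click.echo(message)
        else:
            click.echo("-- No issues found")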
def scan(filenames):
    """Scan the provided files for vulnerabilities"""
    for filename in filenames:
        click.echo('\nProcessing file: ' + filename)

        # Every input has to be a readable ZIP (APK or IPA); anything else aborts the run.
        archive = TruegazeUtils.open_file_as_zip(filename)
        if archive is None:
            click.echo(
                'ERROR: Unable to open file - please check to make sure it is an APK or IPA file'
            )
            sys.exit(-1)

        # Classify the package by which manifest is present. When both are
        # found the Android manifest takes precedence.
        android_manifest = TruegazeUtils.get_android_manifest(archive)
        ios_manifest = TruegazeUtils.get_ios_manifest(archive)
        if android_manifest:
            click.echo(
                'Identified as an Android application via a manifest located at: '
                + android_manifest)
            is_android, is_ios = True, False
        elif ios_manifest:
            click.echo(
                'Identified as an iOS application via a manifest located at: '
                + ios_manifest)
            is_android, is_ios = False, True
        else:
            click.echo(
                'ERROR: Unable to identify the file as an Android or iOS application'
            )
            sys.exit(-2)

        # Hand the file to each active plugin; plugins that do not support the
        # detected OS are reported and skipped.
        for plugin_cls in ACTIVE_PLUGINS:
            click.echo()
            click.echo('Scanning using the "' + plugin_cls.name + '" plugin')
            instance = plugin_cls(filename, is_android, is_ios)
            # TODO: Add tests
            if not instance.is_os_supported():
                click.echo('-- OS is not supported by this plugin, skipping')
                continue
            instance.scan()

    click.echo("Done!")
def test_valid_zip(self):
    """A well-formed in-memory ZIP archive must be accepted (non-None result)."""
    buffer = io.BytesIO()
    # The context manager closes the archive, which finalizes the central directory.
    with ZipFile(buffer, 'a') as archive:
        archive.writestr('testfile', 'testdata')
    assert TruegazeUtils.open_file_as_zip(buffer) is not None
def test_invalid_not_zip(self):
    """Arbitrary non-ZIP content must be rejected with None."""
    not_an_archive = io.StringIO('foobar data')
    assert TruegazeUtils.open_file_as_zip(not_an_archive) is None
def test_invalid_empty(self):
    """An empty byte stream is not a ZIP and must yield None."""
    empty_stream = io.BytesIO()
    assert TruegazeUtils.open_file_as_zip(empty_stream) is None
def test_not_found(self):
    """A path that does not exist on disk must yield None rather than raise."""
    missing_path = 'blablabla'
    assert TruegazeUtils.open_file_as_zip(missing_path) is None