[EFR] AuthZ and AuthN for MobSF + Bug Fixes #2366

ajinabraham · 2024-03-23T06:21:53Z

Describe the Pull Request

* Authentication and Authorization (`Maintainer` , Viewer`) support in MobSF
* Basic User Management
* Bug Fixes in Runtime Executable Tampering
* Ratelimiting support for login endpoint
* Disable AuthZ/AuthN for REST API and also via ENV VAR `MOBSF_DISABLE_AUTHENTICATION=1`
* Bug Fix #2285 
* Bug Fix Icon Analysis Nonetype
* Update SSRF Filter
* Dependency Bump
* Beta to Stable release from V4
* Runs with DEBUG=False
* New home screen UI

Checklist for PR

Run MobSF unit tests and lint tox -e lint,test
Tested Working on Linux, Mac, Windows, and Docker
Add unit test for any new Web API (Refer: StaticAnalyzer/tests.py)
Make sure tests are passing on your PR

Additional Comments (if any)

DESCRIBE HERE

github-actions · 2024-03-23T06:22:06Z

👋 @ajinabraham
Thank you for sending this pull request ❤️.
Please make sure you have followed our contribution guidelines. We will review it as soon as possible

mobsf/MobSF/views/authentication.py

… support

ohyeah521 · 2024-03-24T02:38:12Z

Many security issues can be avoided using the django-allauth module.

ajinabraham · 2024-03-24T21:04:37Z

For basic username/password authentication and account management, Django has decent inbuilt authentication APIs. Will consider django-allauth or others if we plan to support other authentication strategies.

matandobr · 2024-05-19T14:56:03Z

@ajinabraham Great stuff, let me test 😊

matandobr

Overall looks good! also tried some Pen testing on it, seems solid
Let me know what you think / if you need help

setup.bat

mobsf/templates/base/nav.html

mobsf/templates/auth/users.html

mobsf/MobSF/views/authorization.py

ajinabraham · 2024-05-19T23:17:54Z

@matandobr I guess, I have addressed the review comments.

Basic Session based Authentication Support

db2ccda

github-advanced-security bot found potential problems Mar 23, 2024

View reviewed changes

mobsf/MobSF/views/authentication.py Dismissed Show dismissed Hide dismissed

mobsf/MobSF/views/authentication.py Dismissed Show dismissed Hide dismissed

ajinabraham added 5 commits March 22, 2024 23:39

Do not expose admin

e44a708

fix 404handler error

73bcf49

Add next capability and docker default user

f694f08

Create default user during setup

00e2538

password change, disable authentication via env vars, proper next url…

47cd471

… support

ajinabraham added 3 commits March 23, 2024 20:08

Add login required decorator to all routes

2cee387

exec 2 tampering code QA

d31eadd

Remove admin static

981d13f

ajinabraham and others added 17 commits March 24, 2024 14:15

add ratelimiting for login endpoint 7 attempt/1min

4d81ba0

Add login_required to upload api

d7f1387

Disable authentication for test runs

a8e9341

Address #2285, prevent analysis failure, skip binary analysis

1ef1629

icon analysis none type fix

dbb6b27

Remove admin, update SSRF filter

bcf6132

bundle id regex update + dep bump

c9d015f

Added support for roles and permissions

5e8efcb

user management

7b1ffc4

user delete for staff

f3453ea

Merge branch 'master' into auth

65f4411

QA

7267180

bump deps

487d830

disable permissions for API

91cf78c

Fix tests, respect API and disable flag

88a4090

Allow viewer to see scan reports

441ed5e

V4 bump

ed08092

ajinabraham marked this pull request as ready for review May 19, 2024 07:17

ajinabraham added 2 commits May 19, 2024 00:35

Applying permissions to more routes

3194cd6

Downgrade lief

6edb7ad

ajinabraham requested review from sydowma, matandobr and superpoussin22 May 19, 2024 08:34

sydowma previously approved these changes May 19, 2024

View reviewed changes

matandobr requested changes May 19, 2024

View reviewed changes

Fix Windows setup, error handlers

83c68f6

ajinabraham dismissed sydowma’s stale review via 83c68f6 May 19, 2024 18:43

ajinabraham added 6 commits May 19, 2024 11:55

fix test files

277fa7f

fix test

dc4001f

remove superuser creation in test

b3d658d

update home view and beta to stable

2b3591d

UI update for users

2afff5a

password validator + email already exist check

75f80f5

ajinabraham self-assigned this May 19, 2024

ajinabraham added 5 commits May 19, 2024 21:45

Home screen ui qa

c1317fd

Use enum

249876a

Code QA

58f6b85

Final QA

354fb23

Request bump

2dc8c61

ajinabraham added this to In progress in MobSF 2024 Development via automation May 20, 2024

ajinabraham mentioned this pull request May 20, 2024

Add Username & ID Options for Security #2317

Closed

matandobr approved these changes May 21, 2024

View reviewed changes

ajinabraham merged commit 76187b8 into master May 21, 2024
12 checks passed

MobSF 2024 Development automation moved this from In progress to Done May 21, 2024

ajinabraham deleted the auth branch May 21, 2024 17:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[EFR] AuthZ and AuthN for MobSF + Bug Fixes #2366

[EFR] AuthZ and AuthN for MobSF + Bug Fixes #2366

ajinabraham commented Mar 23, 2024 •

edited

github-actions bot commented Mar 23, 2024

ohyeah521 commented Mar 24, 2024

ajinabraham commented Mar 24, 2024

matandobr commented May 19, 2024

matandobr left a comment

ajinabraham commented May 19, 2024

[EFR] AuthZ and AuthN for MobSF + Bug Fixes #2366

[EFR] AuthZ and AuthN for MobSF + Bug Fixes #2366

Conversation

ajinabraham commented Mar 23, 2024 • edited

Describe the Pull Request

Checklist for PR

Additional Comments (if any)

github-actions bot commented Mar 23, 2024

ohyeah521 commented Mar 24, 2024

ajinabraham commented Mar 24, 2024

matandobr commented May 19, 2024

matandobr left a comment

Choose a reason for hiding this comment

ajinabraham commented May 19, 2024

ajinabraham commented Mar 23, 2024 •

edited