Dep bump + Support HTTPS upgrade for Assetlinks check (#2484)

* Fix false positives caused in Android manifest analysis * Dep bumps + Support HTTPS upgrade for Assetlinks check * MobSF version bump to 4.3.0 --------- Co-authored-by: Nick Lupien <github@worg.io>
MobSF · Jan 23, 2025 · d1d3b7a · d1d3b7a
1 parent 79b2d28
commit d1d3b7a
Show file tree

Hide file tree

Showing 4 changed files with 203 additions and 186 deletions.
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -18,13 +18,13 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.2.9'
+VERSION = '4.3.0'
 BANNER = r"""
-  __  __       _    ____  _____       _  _    ____  
- |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ \ 
- | |\/| |/ _ \| '_ \___ \| |_  \ \ / / || |_   __) |
- | |  | | (_) | |_) |__) |  _|  \ V /|__   _| / __/ 
- |_|  |_|\___/|_.__/____/|_|     \_/    |_|(_)_____|
+  __  __       _    ____  _____       _  _    _____ 
+ |  \/  | ___ | |__/ ___||  ___|_   _| || |  |___ / 
+ | |\/| |/ _ \| '_ \___ \| |_  \ \ / / || |_   |_ \ 
+ | |  | | (_) | |_) |__) |  _|  \ V /|__   _| ___) |
+ |_|  |_|\___/|_.__/____/|_|     \_/    |_|(_)____/ 
 """  # noqa: W291
 # ASCII Font: Standard
 

diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py
@@ -83,25 +83,32 @@ def assetlinks_check(act_name, well_knowns):
 
 
 def _check_url(host, w_url):
+    """Check for the presence of Assetlinks URL."""
     try:
         iden = 'sha256_cert_fingerprints'
         proxies, verify = upstream_proxy('https')
         status = False
         status_code = 0
 
-        r = requests.get(w_url,
-                         timeout=5,
-                         allow_redirects=False,
-                         proxies=proxies,
-                         verify=verify)
+        urls = {w_url}
+        if w_url.startswith('http://'):
+            # Upgrade http to https
+            urls.add(f'https://{w_url[7:]}')
 
-        status_code = r.status_code
-        if status_code == 302:
-            logger.warning('302 Redirect detected, skipping check')
-            status = False
-        if (str(status_code).startswith('2') and iden in str(r.json())):
-            status = True
+        for url in urls:
+            r = requests.get(url,
+                             timeout=5,
+                             allow_redirects=False,
+                             proxies=proxies,
+                             verify=verify)
 
+            status_code = r.status_code
+            if (str(status_code).startswith('2') and iden in str(r.json())):
+                status = True
+                break
+        if status_code in (301, 302):
+            logger.warning('Status Code: [%d], Redirecting to '
+                           'a different URL, skipping check!', status_code)
         return {'url': w_url,
                 'host': host,
                 'status_code': status_code,