# # Copyright (c) 2019 Nightwatch Cybersecurity. # # This file is part of truegaze # (see https://github.com/nightwatchcybersecurity/truegaze). # # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # import json import re import click import pkg_resources from jsonschema.validators import validator_for from truegaze.plugins.base import BasePlugin from truegaze.utils import TruegazeUtils # Regex pattern for the configuration file CONFIG_FILE_PATTERN =\ re.compile(r'assets/ADBMobileConfig\.json|ADBMobileConfig\.json|.*/ADBMobileConfig\.json') # Location of the rules file for validation RULES_FILE = pkg_resources.resource_filename('truegaze', 'data/adobe_mobile_sdk.schema') # # Plugin to support detection of incorrect SSL configuration in the Adobe Mobile SDK. This plugin will not # search for config files that are not named in a standard fashion. # # Adobe documentation including field definitions can be found here: # https://docs.adobe.com/content/help/en/mobile-services/android/configuration-android/json-config.html # https://docs.adobe.com/content/help/en/mobile-services/ios/config-ios/json-config.html # class AdobeMobileSdkPlugin(BasePlugin): name = 'AdobeMobileSdk' desc = 'Detection of incorrect SSL configuration\nin the Adobe Mobile SDK' supports_android = True supports_ios = True zip_file = None # Main scanning method def scan(self): # On Android, the config file is usually in the assets folder but can be placed elsewhere. # On iOS the configuration file can be anywhere. # Load file self.zip_file = TruegazeUtils.open_file_as_zip(self.filename) # Search all paths for the config file paths = AdobeMobileSdkPlugin.get_paths(self.zip_file) if len(paths) == 0: click.echo('-- No Adobe integration in this application (no "ADBMobileConfig.json" file); skipping test') return # Loop through files, parse the JSON and analyze click.echo('-- Found ' + str(len(paths)) + ' configuration file(s)') for path in paths: click.echo('-- Scanning "' + path + "'") # Try to parse the data parsed_data = AdobeMobileSdkPlugin.parse_data(self.zip_file, path) if not parsed_data: click.echo('---- ERROR: Unable to parse config file - will skip. File: ' + path) continue # Validate the file messages = AdobeMobileSdkPlugin.validate(parsed_data) if len(messages) > 0: click.echo("-- Found " + str(len(messages)) + ' issues') for message in messages: click.echo(message) else: click.echo("-- No issues found") # Gets paths for the configuration file from the ZIP File @staticmethod def get_paths(zip_file): return TruegazeUtils.get_matching_paths_from_zip(zip_file, CONFIG_FILE_PATTERN) # Parses the config file from a given path @staticmethod def parse_data(zip_file, path): data = zip_file.read(path) try: parsed_data = json.loads(data.decode()) except json.JSONDecodeError: return None return parsed_data # Validates the config file against the JSON schema @staticmethod def validate(parsed_data): # Load the schema schema_file = open(RULES_FILE, 'r') schema_data = json.load(schema_file) # Validate the file validator = validator_for(schema_data) errors = validator(schema=schema_data).iter_errors(parsed_data) # Extract error messages and return messages = [] for error in errors: messages.append('---- ISSUE: ' + error.schema['title'] + '; ' + error.message) return messages