Add login required decorator to all routes

MobSF · Mar 24, 2024 · 2cee387 · 2cee387
1 parent 47cd471
commit 2cee387
Show file tree

Hide file tree

Showing 23 changed files with 144 additions and 1 deletion.
diff --git a/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py b/mobsf/DynamicAnalyzer/views/android/dynamic_analyzer.py
@@ -39,10 +39,14 @@
 )
 from mobsf.MobSF.views.scanning import add_to_recent_scan
 from mobsf.StaticAnalyzer.models import StaticAnalyzerAndroid
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 logger = logging.getLogger(__name__)
 
 
+@login_required
 def android_dynamic_analysis(request, api=False):
     """Android Dynamic Analysis Entry point."""
     try:
@@ -104,6 +108,7 @@ def android_dynamic_analysis(request, api=False):
         return print_n_send_error_response(request, exp, api)
 
 
+@login_required
 def dynamic_analyzer(request, checksum, api=False):
     """Android Dynamic Analyzer Environment."""
     try:
@@ -220,6 +225,7 @@ def dynamic_analyzer(request, checksum, api=False):
             api)
 
 
+@login_required
 def httptools_start(request):
     """Start httprools UI."""
     logger.info('Starting httptools Web UI')
@@ -241,6 +247,7 @@ def httptools_start(request):
         return print_n_send_error_response(request, err)
 
 
+@login_required
 def logcat(request, api=False):
     logger.info('Starting Logcat streaming')
     try:
@@ -284,6 +291,7 @@ def read_process():
         return print_n_send_error_response(request, err, api)
 
 
+@login_required
 def trigger_static_analysis(request, checksum):
     """On device APK Static Analysis."""
     try:

diff --git a/mobsf/DynamicAnalyzer/views/android/operations.py b/mobsf/DynamicAnalyzer/views/android/operations.py
@@ -29,6 +29,9 @@
     is_number,
 )
 from mobsf.StaticAnalyzer.models import StaticAnalyzerAndroid
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -53,6 +56,7 @@ def get_package_name(checksum):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def mobsfy(request, api=False):
     """Configure Instance for Dynamic Analysis."""
@@ -87,6 +91,7 @@ def mobsfy(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def execute_adb(request, api=False):
     """Execute ADB Commands."""
@@ -115,6 +120,7 @@ def execute_adb(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def get_component(request):
     """Get Android Component."""
@@ -135,6 +141,7 @@ def get_component(request):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def run_apk(request):
     """Run Android APK."""
@@ -157,6 +164,7 @@ def run_apk(request):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def take_screenshot(request, api=False):
     """Take Screenshot."""
@@ -186,6 +194,7 @@ def take_screenshot(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def screen_cast(request):
     """ScreenCast."""
@@ -205,6 +214,7 @@ def screen_cast(request):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def touch(request):
     """Sending Touch/Swipe/Text Events."""
@@ -261,6 +271,7 @@ def touch(request):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def mobsf_ca(request, api=False):
     """Install and Remove MobSF Proxy RootCA."""
@@ -284,6 +295,7 @@ def mobsf_ca(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def global_proxy(request, api=False):
     """Set/unset global proxy."""

diff --git a/mobsf/DynamicAnalyzer/views/android/report.py b/mobsf/DynamicAnalyzer/views/android/report.py
@@ -29,12 +29,15 @@
     key,
     print_n_send_error_response,
 )
-
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 logger = logging.getLogger(__name__)
 register.filter('key', key)
 
 
+@login_required
 def view_report(request, checksum, api=False):
     """Dynamic Analysis Report Generation."""
     logger.info('Dynamic Analysis Report Generation')

diff --git a/mobsf/DynamicAnalyzer/views/android/tests_common.py b/mobsf/DynamicAnalyzer/views/android/tests_common.py
@@ -32,11 +32,17 @@
     python_list,
 )
 from mobsf.StaticAnalyzer.models import StaticAnalyzerAndroid
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 logger = logging.getLogger(__name__)
 
 
 # AJAX
+
+
+@login_required
 @require_http_methods(['POST'])
 def start_activity(request, api=False):
     """Lunch a specific activity."""
@@ -68,6 +74,9 @@ def start_activity(request, api=False):
 
 
 # AJAX
+
+
+@login_required
 @require_http_methods(['POST'])
 def activity_tester(request, api=False):
     """Exported & non exported activity Tester."""
@@ -129,6 +138,7 @@ def activity_tester(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def download_data(request, api=False):
     """Download Application Data from Device."""
@@ -164,6 +174,7 @@ def download_data(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def collect_logs(request, api=False):
     """Collecting Data and Cleanup."""
@@ -208,6 +219,7 @@ def collect_logs(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def tls_tests(request, api=False):
     """Perform TLS tests."""

diff --git a/mobsf/DynamicAnalyzer/views/android/tests_frida.py b/mobsf/DynamicAnalyzer/views/android/tests_frida.py
@@ -27,12 +27,16 @@
     print_n_send_error_response,
     strict_package_check,
 )
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 logger = logging.getLogger(__name__)
 
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def get_runtime_dependencies(request, api=False):
     """Get App runtime dependencies."""
@@ -56,6 +60,7 @@ def get_runtime_dependencies(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def instrument(request, api=False):
     """Instrument app with frida."""
@@ -123,6 +128,7 @@ def instrument(request, api=False):
     return send_response(data, api)
 
 
+@login_required
 def live_api(request, api=False):
     try:
         if api:

diff --git a/mobsf/DynamicAnalyzer/views/common/device.py b/mobsf/DynamicAnalyzer/views/common/device.py
@@ -8,6 +8,9 @@
 from django.shortcuts import render
 from django.utils.html import escape
 
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 from mobsf.MobSF.utils import (
     is_md5,
     is_path_traversal,
@@ -24,6 +27,7 @@
 logger = logging.getLogger(__name__)
 
 
+@login_required
 def view_file(request, api=False):
     """View File in app data directory."""
     logger.info('Viewing File')

diff --git a/mobsf/DynamicAnalyzer/views/common/frida.py b/mobsf/DynamicAnalyzer/views/common/frida.py
@@ -17,6 +17,9 @@
     is_safe_path,
     print_n_send_error_response,
 )
+from mobsf.MobSF.views.authentication import (
+    login_required,
+)
 
 
 logger = logging.getLogger(__name__)
@@ -25,6 +28,7 @@
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def list_frida_scripts(request, api=False):
     """List frida scripts from others."""
@@ -47,6 +51,7 @@ def list_frida_scripts(request, api=False):
 # AJAX
 
 
+@login_required
 @require_http_methods(['POST'])
 def get_script(request, api=False):
     """Get frida scripts from others."""
@@ -77,6 +82,7 @@ def get_script(request, api=False):
 # AJAX + HTML
 
 
+@login_required
 def frida_logs(request, api=False):
     try:
         data = {