Fix an LFI in icon fetching logic from APK

mobsf/MobSF/init.py

@@ -10,7 +10,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '3.9.2'
+VERSION = '3.9.3'
 BANNER = """
   __  __       _    ____  _____       _____ ___  
  |  \/  | ___ | |__/ ___||  ___|_   _|___ // _ \ 

mobsf/StaticAnalyzer/views/android/icon_analysis.py

@@ -20,6 +20,7 @@
 from mobsf.MobSF.utils import (
     find_java_binary,
     is_file_exists,
+    is_path_traversal,
 )
 
 
@@ -156,6 +157,8 @@ def get_icon_src(a, app_dic, res_dir):
         icon_name = None
         if a:
             icon_name = a.get_app_icon(max_dpi=icon_resolution)
+            if is_path_traversal(icon_name):
+                icon_name = None
         if not icon_name:
             # androguard cannot find icon file.
             icon_name = ''
@@ -196,6 +199,9 @@ def get_icon_src(a, app_dic, res_dir):
         if icon_src.endswith('.xml'):
             logger.warning('Cannot find icon file from xml')
             icon_src = ''
+        elif not icon_src.endswith(('.png', '.svg', '.webp')):
+            logger.warning('Cannot find a valid icon file')
+            icon_src = ''
         if not icon_name:
             logger.warning('Cannot find icon file')
             icon_src = ''

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "mobsf"
-version = "3.9.2"
+version = "3.9.3"
 description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
 keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"]
 authors = ["Ajin Abraham <ajin@opensecurity.in>"]