MobSF · ajinabraham · May 23, 2024 · May 23, 2024 · May 23, 2024 · May 23, 2024
diff --git a/mobsf/MobSF/settings.py b/mobsf/MobSF/settings.py
@@ -326,16 +326,24 @@
 JADX_TIMEOUT = int(os.getenv('MOBSF_JADX_TIMEOUT', 1800))
 DISABLE_AUTHENTICATION = os.getenv('MOBSF_DISABLE_AUTHENTICATION')
 RATELIMIT = os.getenv('MOBSF_RATELIMIT', '7/1m')
+USE_X_FORWARDED_HOST = bool(
+    os.getenv('MOBSF_USE_X_FORWARDED_HOST', '1') == '1')
+USE_X_FORWARDED_PORT = bool(
+    os.getenv('MOBSF_USE_X_FORWARDED_PORT', '1') == '1')
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 # ===========================
 # ENTERPRISE FEATURE REQUESTS
 # ===========================
 EFR_01 = os.getenv('EFR_01', '0')
 # SAML SSO
+# IdP Configuration
 IDP_METADATA_URL = os.getenv('MOBSF_IDP_METADATA_URL')
 IDP_ENTITY_ID = os.getenv('MOBSF_IDP_ENTITY_ID')
 IDP_SSO_URL = os.getenv('MOBSF_IDP_SSO_URL')
 IDP_X509CERT = os.getenv('MOBSF_IDP_X509CERT')
 IDP_IS_ADFS = os.getenv('MOBSF_IDP_IS_ADFS', '0')
+# SP Configuration
+SP_HOST = os.getenv('MOBSF_SP_HOST')
 SP_ALLOW_PASSWORD = os.getenv('MOBSF_SP_ALLOW_PASSWORD', '0')
 # ===================
 # USER CONFIGURATION

diff --git a/mobsf/MobSF/views/saml2.py b/mobsf/MobSF/views/saml2.py
@@ -1,4 +1,5 @@
 """SAML2 SSO logic."""
+from urllib.parse import urlparse
 import logging
 
 from onelogin.saml2.auth import (
@@ -30,63 +31,72 @@
 ASSERTION_IDS = set()
 
 
+def get_url_components(url):
+    """Get URL components."""
+    purl = urlparse(url)
+    return purl.scheme, purl.netloc, purl.port
+
+
 def init_saml_auth(req):
     """Initialize SAML auth."""
-    try:
-        host = req['http_host']
-        if req['https'] == 'on':
-            host = f'https://{host}'
-        else:
-            host = f'http://{host}'
-        acs_route = reverse('saml_acs')
-        saml_settings = {
-            'strict': True,
-            'debug': True,
-            'sp': {
-                'entityId': f'{host}{acs_route}',
-                'assertionConsumerService': {
-                    'url': f'{host}{acs_route}',
-                    'binding': ('urn:oasis:names:tc:'
-                                'SAML:2.0:bindings:HTTP-POST'),
-                },
+    host = req['sp_url']
+    acs_route = reverse('saml_acs')
+    saml_settings = {
+        'strict': True,
+        'debug': True,
+        'sp': {
+            'entityId': f'{host}{acs_route}',
+            'assertionConsumerService': {
+                'url': f'{host}{acs_route}',
+                'binding': ('urn:oasis:names:tc:'
+                            'SAML:2.0:bindings:HTTP-POST'),
             },
-            'idp': {
-                'entityId': settings.IDP_ENTITY_ID,
-                'singleSignOnService': {
-                    'url': settings.IDP_SSO_URL,
-                    'binding': ('urn:oasis:names:tc:'
-                                'SAML:2.0:bindings:HTTP-Redirect'),
-                },
-                'x509cert': settings.IDP_X509CERT,
+        },
+        'idp': {
+            'entityId': settings.IDP_ENTITY_ID,
+            'singleSignOnService': {
+                'url': settings.IDP_SSO_URL,
+                'binding': ('urn:oasis:names:tc:'
+                            'SAML:2.0:bindings:HTTP-Redirect'),
             },
-        }
-        try:
-            idp_data = None
-            if settings.IDP_METADATA_URL:
-                idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
-                    settings.IDP_METADATA_URL,
-                    timeout=5)
-            if idp_data:
-                saml_settings['idp'] = idp_data['idp']
-        except Exception:
-            logger.exception('[ERROR] parsing IdP metadata URL.')
-        auth = OneLogin_Saml2_Auth(req, saml_settings)
+            'x509cert': settings.IDP_X509CERT,
+        },
+    }
+    try:
+        idp_data = None
+        if settings.IDP_METADATA_URL:
+            idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(
+                settings.IDP_METADATA_URL,
+                timeout=5)
+        if idp_data:
+            saml_settings['idp'] = idp_data['idp']
     except Exception:
-        logger.exception('[ERROR] initializing SAML auth.')
-    return auth
+        logger.exception('[ERROR] parsing IdP metadata URL.')
+    return OneLogin_Saml2_Auth(req, saml_settings)
 
 
 def prepare_django_request(request):
     """Prepare Django request for SAML."""
+    scheme = 'https' if request.is_secure() else 'http'
+    netloc = request.get_host()
+    port = request.get_port()
+    if settings.SP_HOST:
+        scheme, netloc, port = get_url_components(
+            settings.SP_HOST.strip('/'))
+        if not port:
+            port = 443 if scheme == 'https' else 80
+    https_state = 'on' if scheme == 'https' else 'off'
+    sp_url = f'{scheme}://{netloc}'
     result = {
-        'https': 'on' if request.is_secure() else 'off',
-        'http_host': request.META['HTTP_HOST'],
-        'script_name': request.META['PATH_INFO'],
-        'server_port': request.META['SERVER_PORT'],
+        'https': https_state,
+        'http_host': netloc,
+        'server_port': port,
+        'script_name': request.get_full_path_info(),
         'get_data': request.GET.copy(),
         'post_data': request.POST.copy(),
         'lowercase_urlencoding': bool(settings.IDP_IS_ADFS == '1'),
         'query_string': request.META['QUERY_STRING'],
+        'sp_url': sp_url,
     }
     return result
 

diff --git a/tox.ini b/tox.ini
@@ -37,7 +37,7 @@ deps =
 commands =
     flake8 {posargs}
     codespell --ignore-words-list="doubleclick,dout,ne,upto,lief,afile" \
-        --skip="./mobsf/StaticAnalyzer/tools/*,./mobsf/signatures/*,*.map,*.js,*.svg,./build/*,./.tox/*,./venv/*,./.git/*,./poetry.lock"
+        --skip="./mobsf/StaticAnalyzer/tools/*,./mobsf/signatures/*,./mobsf/StaticAnalyzer/views/android/rules/*,.*.map,*.js,*.svg,./build/*,./.tox/*,./venv/*,./.git/*,./poetry.lock"
 
 [testenv:clean]
 deps =