[Security] Fix Local File Inclusion Vulnerability in ViewSource Function. Version <= v0.9.2

[thongngo]

Hi Ajin,

I've found a Local File Inclusion Vulnerablity in StaticAnalyzer/views.py (Version <= v0.9.2)

Detail: Bypass "md5" varriable by

• An actual md5 string (e.g: an uploaded file) at the head.
• Null-byte at the end of string

PoC:
http://127.0.0.1:8000/ViewSource/
?file=de/robv/android/xposed/installer/repo/RepoDb.java
&md5=36570c6fac687ffe08107e6a72bd3da7/../../../../../../../../../../../private/etc/passwd%00
&type=apk

Before fixing: read /private/etc/passwd on MAC OS

After Fixed

I'm still working on contributing this great project.
Thanks for all

[ajinabraham]

Nice Catch!.
There is an easy fix for this.
The regex that checks for MD5 is not bounded now. doing strict boundary check will prevent this bug.

[ajinabraham]

@thongngo The reported bug should be fixed by ajinabraham@b9cdd1f

Can you please pull the latest master and see if this is fixed?

[thongngo]

@ajinabraham Nice Fix! Ajin. The latest master works well. Thank you.

[ajinabraham]

Verified the fix.