
open-source-requests's Introduction

Request Board for Open Source Projects

Aviyel is on a mission to help Open Source projects sustain by creating communities around them and by incentivizing the contributors.

An Open Source Request Board curating code and non-code opportunities, including paid requests.

PLEASE READ THE GUIDELINES BEFORE WORKING ON A REQUEST.

Check out the Aviyel platform's projects page to see all of the amazing projects.

To learn more about the projects, visit their about page. We also have an exhaustive list of all the FAQs about these projects to help you get a better working understanding of them. All the relevant links are provided below.

BEFORE PICKING UP AN ISSUE, PLEASE ENSURE IT'S OPEN FOR CONTRIBUTIONS.

1. BoxyHQ

BoxyHQ

BoxyHQ helps startups enable enterprise features in any SaaS app with just a few lines of code. Integrate SAML, Audit Logs, Privacy Vault and Role Based Access in minutes. Open source and free. The project roadmap is available publicly.

  • All of the issues for BoxyHQ are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for BoxyHQ on this link.

2. Chatwoot

Chatwoot

Chatwoot is an open-source customer engagement suite, an alternative to Intercom, Zendesk, Salesforce Service Cloud, etc. The project roadmap is available publicly.

  • All of the issues for Chatwoot are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for Chatwoot on this link.

3. Docz

Docz

Docz makes it easy to write and publish beautiful interactive documentation for your code. Create MDX files showcasing your code and Docz turns them into a live-reloading, production-ready site.

  • All of the issues for Docz are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for Docz on this link.

4. Medusa

Medusa

The open-source Shopify alternative. Medusa is an open-source headless commerce platform. Use our building blocks and customize your setup in any way you want.

  • All of the issues for Medusa are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for Medusa on this link.

5. Mobile Security Framework

MobSF

MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting, malware analysis and security assessment framework capable of performing static & dynamic analysis.

  • All of the issues for MobSF are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for MobSF on this link.

6. Typesense

Typesense

Typesense is a fast, typo-tolerant search engine for building delightful search experiences. An Open Source Algolia Alternative & An Easier-to-Use ElasticSearch Alternative.

  • All of the issues for Typesense are listed on this page, where you can pick them up and work on them.
  • You can find FAQs for Typesense on this link.

open-source-requests's People

Contributors

siddharth2798, sankalpswami

open-source-requests's Issues

Add memory dump feature for mobsf

If you're requesting a new feature/enhancement, explain why you'd like it to be added and its importance.

Is your feature request related to a problem? Please describe.
This is useful for malware and forensic analysis. Support frida based memory dumping

https://github.com/Nightbringer21/fridump

Provide codes for simplified classification of issues

The JSON reporting API should be extended so that parsing to distinguish different issues is no longer necessary. Introducing such issue codes would greatly simplify machine processing.

Examples:

iOS App Transport Security (ATS) issues:
I suggest issue codes based on the triggered expression.

  • Insecure communication to xxx.xxx.xxx is allowed -> Either NSTemporaryExceptionAllowsInsecureHTTPLoads or NSExceptionAllowsInsecureHTTPLoads
  • NSIncludesSubdomains set to TRUE for xxx.xxx.xxx -> NSIncludesSubdomainsAllowed
  • NSExceptionMinimumTLSVersion set to TLSv1.1 on xxx.xxx.xxx -> NSExceptionMinimumTLSVersion11
  • ...

Issues in other sections do not contain contextual information (or provide a field like name in the Android manifest analysis) afaik. However, it is desirable to use a one-word code instead of a sentence - the former is imho less likely to be edited.
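The coding scheme proposed above, as an added example in Python (not MobSF's code): the code is the ATS key that triggered the finding, with the TLS version folded into the name as suggested. The Info.plist is constructed for the demo; the code names for NSAllowsArbitraryLoads and the message strings are assumptions.

```python
"""Derive one-word issue codes from an app's ATS configuration (added example)."""
import plistlib

# Constructed Info.plist: one domain with several weak exceptions, one with the
# older NSTemporaryException spelling of the insecure-HTTP exception.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

INSECURE_HTTP_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
)
WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def ats_issue_codes(info_plist):
    """Return a list of {"code", "domain", "message"} dicts for weak ATS settings."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):  # assumed code: the key itself
        findings.append({"code": "NSAllowsArbitraryLoads", "domain": "*",
                         "message": "Insecure communication to all domains is allowed"})

    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        for key in INSECURE_HTTP_KEYS:
            if cfg.get(key):
                findings.append({"code": key, "domain": domain,
                                 "message": f"Insecure communication to {domain} is allowed"})
        if cfg.get("NSIncludesSubdomains"):
            findings.append({"code": "NSIncludesSubdomainsAllowed", "domain": domain,
                             "message": f"NSIncludesSubdomains set to TRUE for {domain}"})
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            # "TLSv1.1" -> "NSExceptionMinimumTLSVersion11", as proposed in the issue
            code = "NSExceptionMinimumTLSVersion" + tls[len("TLSv"):].replace(".", "")
            findings.append({"code": code, "domain": domain,
                             "message": f"NSExceptionMinimumTLSVersion set to {tls} on {domain}"})
    return findings
```

Because each finding keeps the triggering key as its code, a consumer can branch on `code` without parsing the message text, which is the point of the request.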

BatchJob entity model

We should introduce a new BatchJob entity to model the status of a batch upload job (unit of batch upload or download work).

BatchJob {
  status: created | processing | awaiting_confirmation | completed
  type:  product_export | product_import 
  context:  json #  e.g. object containing product filters
  result: json blob of the resulting summary. Can e.g. contain a download_url
  created_by: the id of the user that created the job
}

Mobile-Security API-Framework-MobSF within MISP Project about IOC

By doing static analysis and dynamic analysis of malware for Android, iOS and Windows Mobile, we can find several IOCs (https://en.wikipedia.org/wiki/Indicator_of_compromise).
These IOCs could be automatically inserted via Mobile-Security API-Framework-MobSF within the MISP Project by creating automatic events:
https://www.misp-project.org/features.html
That would be a huge feature for Mobile-Security-Framework-MobSF, before the MISP Project and Mobile-Security-Framework-MobSF will be seen by over 6,000,000 renowned institutions worldwide.

StaticAnalysis: Allow different source paths for Android Studio when using zip format

Is your feature request related to a problem? Please describe.
The zipped source code analysis expects Android Studio projects to have their source directory at app/src/main.
However, app/ can be named anything, based on the project's discretion. This means that the zip analysis does not work for a lot of projects who have chosen to name their source directory something else.

Describe the solution you'd like
Detect the source directory automatically by searching.

Describe alternatives you've considered
We could, maybe, specify a parameter indicating what the source directory is. However, this would disrupt the drag-and-drop upload experience that we currently have.
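One way to detect the source directory by searching, as an added example in Python (not MobSF's code): score every `*/src/main/AndroidManifest.xml` in the archive and prefer the one whose manifest declares an `<application>` with a MAIN launcher activity, so a library module is not mistaken for the app. The zip is built in memory for the demo; since uploads are untrusted, entries that would escape the extraction root are ignored.

```python
"""Locate the Android app module in an uploaded source zip without assuming app/."""
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MANIFEST_SUFFIX = "src/main/AndroidManifest.xml"

# Constructed manifests: the app module declares a launcher activity, the library does not.
APP_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

LIB_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.corelib"/>"""


def build_sample_zip():
    """Constructed project: a library module listed first, the app module named 'mobile'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/core-lib/src/main/AndroidManifest.xml", LIB_MANIFEST)
        zf.writestr("project/mobile/src/main/AndroidManifest.xml", APP_MANIFEST)
        zf.writestr("project/mobile/src/main/java/com/example/app/MainActivity.java",
                    b"class MainActivity {}")
        # constructed hostile entry: a path that would land outside the extraction directory
        zf.writestr("../outside/src/main/AndroidManifest.xml", APP_MANIFEST)
    return buf.getvalue()


def is_safe_entry(name):
    """Reject absolute paths and any path that climbs above the archive root."""
    norm = posixpath.normpath(name)
    return not (name.startswith("/") or norm == ".." or norm.startswith("../"))


def manifest_score(manifest_xml):
    """Higher score = more likely the application module rather than a library."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return 0
    score = 1
    application = root.find("application")
    if application is not None:
        score += 1
        for action in application.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.MAIN":
                score += 2
                break
    return score


def find_source_dir(zip_bytes):
    """Return the '<module>/src/main' directory of the best-scoring manifest, or None."""
    best_score, best_dir = 0, None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(MANIFEST_SUFFIX) or not is_safe_entry(name):
                continue
            score = manifest_score(zf.read(name))
            if score > best_score:
                best_score, best_dir = score, posixpath.dirname(name)
    return best_dir
```

Scoring rather than taking the first match keeps the drag-and-drop upload flow intact: no extra parameter is needed, and multi-module projects still resolve to the module that actually ships as the app.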

Android Static Analysis test request

Internal username and path disclosure:
I believe this also applies to iOS but apple strips this data out before it goes to iTunes.

If you run strings *|grep "/Users/" on any of the compiled library .so files you get the username of the developer who compiled the binary. You also get the folder structure/layout of the developer's local machine.
That is, if they are running on a Mac. Similar strings could be searched for Windows/nix-based builds.
Love the tool, thanks!

Please add code path diagrams

EXPLANATION OF THE ISSUE
I had a feature request that would really improve MobSF. Are you able to add code path diagrams.
This would make tracking back through the code much easier. At present you have to keep searching for where functions are called.

Find API keys/secrets by matching regex

We currently have a feature which finds possible hardcoded secrets. But there could be false positives. So I am suggesting a feature which will use regex to find API keys. I currently have a command line program called dora which does exactly this. But it would of course be very nice if this was implemented into this program so we'd get exact matches to those API keys/secrets.

Is your feature request related to a problem? Please describe.
It is not a problem.

Describe the solution you'd like
Use a list of regex that match certain API keys/secrets so they will be found without any false positives. I am willing to provide the regex patterns if needed.

Describe alternatives you've considered
I currently use my program called dora but if MobSF had this inbuilt, it would ease my workflow.
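Both the "Internal username and path disclosure" request and this regex-matching request come down to running rules over the printable strings in a binary, so here is one added example in Python (not MobSF's code and not the dora tool) that serves both: it extracts the strings `strings` would print and applies a path-disclosure rule set (macOS, Windows, Linux home directories) and a key-shape rule set. The ELF-like blob and the key patterns are constructed for the demo; a production rule list would be curated and versioned.

```python
"""Scan a native library for build-path disclosure and hardcoded key shapes (added example)."""
import re

# Constructed stand-in for a compiled .so: a few embedded strings between NUL bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"/Users/alice/Projects/app/jni/native.c\x00"
    + b"C:\\Users\\bob\\source\\repos\\app\\native.c\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"          # AWS documentation example key id
    + b"just an ordinary string\x00"
)

PATH_RULES = {
    "macos_user_path": re.compile(r"/Users/[^/\s]+/"),
    "windows_user_path": re.compile(r"[A-Za-z]:\\Users\\[^\\\s]+\\"),
    "linux_home_path": re.compile(r"/home/[^/\s]+/"),
}

# Illustrative key shapes (constructed for the example, not a complete list).
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}


def extract_strings(blob, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def scan_binary(blob):
    """Return one finding per (string, rule) match; evidence is the full string."""
    findings = []
    for text in extract_strings(blob):
        for rule, pattern in PATH_RULES.items():
            if pattern.search(text):
                findings.append({"type": "path_disclosure", "rule": rule, "evidence": text})
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(text):
                findings.append({"type": "hardcoded_secret", "rule": rule, "evidence": text})
    return findings
```

Anchored, provider-specific patterns such as the AWS one give exact matches with far fewer false positives than a generic entropy check; the path rules are the same `/Users/` search from the earlier report, generalised to the other platforms it mentions.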

Split settings.py

Is your feature request related to a problem? Please describe.
settings.py hosts both required MobSF/Django config and local config.
Each time the MobSF version is updated, the local settings (e.g., USE_HOME, DB config, ALLOWED_HOSTS) need to be merged into the updated settings.py.

~/MobSF/config.py allows for customizing some values, but can't host Django settings.

Describe the solution you'd like
Split the file into settings.py and local_settings.py (ideally loaded from ~/.MobSF).

Describe alternatives you've considered
Manual merge

Additional context
Django wiki about splitting settings: https://code.djangoproject.com/wiki/SplitSettings
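The split the issue asks for, as an added example in Python (not MobSF's or Django's code): base settings stay in the shipped module, and an optional local file is executed to override only upper-case names, which is the same idea as the Django wiki's local_settings pattern. The `~/.MobSF/local_settings.py` location follows the issue; the base values and the constructed override file are assumptions. Since the file is executed as code, the loader refuses one that is world-writable.

```python
"""Load base settings plus an optional local override file (added example)."""
import os
import runpy
import stat
import tempfile

# Assumed base defaults standing in for the shipped settings.py.
BASE_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["127.0.0.1", "localhost"],
    "USE_HOME": False,
    "DATABASES": {"default": {"ENGINE": "django.db.backends.sqlite3", "NAME": "db.sqlite3"}},
}


def load_settings(local_path=None):
    """Return BASE_SETTINGS updated with the upper-case names defined in local_path."""
    settings = dict(BASE_SETTINGS)  # shallow copy: an override replaces a nested dict wholesale
    if local_path is None:
        local_path = os.path.join(os.path.expanduser("~"), ".MobSF", "local_settings.py")
    if not os.path.exists(local_path):
        return settings

    # The file is executed as Python, so it must not be writable by other users.
    if os.stat(local_path).st_mode & stat.S_IWOTH:
        raise PermissionError(f"{local_path} is world-writable; refusing to execute it")

    overrides = runpy.run_path(local_path)  # module globals of the executed file
    for name, value in overrides.items():
        if name.isupper():                  # skip helpers, imports and dunder names
            settings[name] = value

    if not isinstance(settings["ALLOWED_HOSTS"], (list, tuple)):
        raise TypeError("ALLOWED_HOSTS must be a list or tuple")
    return settings


def demo_overrides():
    """Write a constructed local_settings.py to a temp file and load it."""
    source = 'DEBUG = True\nALLOWED_HOSTS = ["mobsf.internal"]\nhelper = "not a setting"\n'
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as handle:
        handle.write(source)
        path = handle.name
    try:
        return load_settings(path)
    finally:
        os.unlink(path)
```

In an actual settings.py the equivalent is to run this at the end of the module and copy the result into `globals()`, so the upgrade path becomes "replace settings.py, keep ~/.MobSF/local_settings.py" instead of a manual merge.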

Implement BatchJobService

Add a BatchJobService. Should have the following methods:

class BatchJobService extends BaseService {

  static Events = {
    CREATED: "batch.created",
    CANCELED: "batch.canceled",
    COMPLETED: "batch.completed",
  }

  // constructor...

  async create(data: BatchJobCreateProps): Promise<BatchJob> {
    // logic...

    // notify listeners that a new job exists
    await this.eventBus_
        .withTransaction(manager)
        .emit(BatchJobService.Events.CREATED, {
          id: result.id,
        })

    return result
  }

  async update(batchJobId: string, data: BatchJobUpdateProps): Promise<BatchJob> {
    // logic...
  }

  async cancel(
    batchJobId: string,
    userId: string
  ): Promise<BatchJob> {
    // logic...

    // notify listeners (and the worker) that the job was canceled
    await this.eventBus_
        .withTransaction(manager)
        .emit(BatchJobService.Events.CANCELED, {
          id: result.id,
        })

    return result
  }

  async listAndCount(
    selector: FilterableBatchJobProps,
    config: FindConfig<BatchJob> = { relations: [], skip: 0, take: 20 }
  ): Promise<[BatchJob[], number]> {
    // see other implementations of listAndCount
  }

  async retrieve(
    batchJobId: string,
    userId: string,
    config: FindConfig<BatchJob>
  ): Promise<BatchJob> {
    // retrieve logic...
  }

  /**
   * If the job was started with dry_run: true, it is required
   * to complete the job before it is written to the DB.
   */
  async complete(
    batchJobId: string,
    userId: string
  ): Promise<BatchJob> {
    // logic...

    // notify listeners that the job was completed
    await this.eventBus_
        .withTransaction(manager)
        .emit(BatchJobService.Events.COMPLETED, {
          id: result.id,
        })

    return result
  }
}

Dynamic Analysis of iOS apps utilizing jailbroken iPhones
The importance of being able to dynamically analyze iOS apps is no different from the importance of being able to dynamically analyze Android apps. With the release of exploits for iOS, such as the permanent unpatchable bootrom exploit, many security researchers have the ability to utilize this to perform dynamic analysis of apps on iOS with ease.

Is your feature request related to a problem? Please describe.
The problem being that dynamic analysis of IPAs is not supported with MobSF.

Describe the solution you'd like
Tools such as GrapeFruit https://github.com/ChiChou/Grapefruit or https://github.com/chaitin/passionfruit are good references to the capabilities that are missing: implementing features such as recording traffic, as we can on Android, and running Frida scripts.

Describe alternatives you've considered
Using tools such as GrapeFruit https://github.com/ChiChou/Grapefruit or https://github.com/chaitin/passionfruit

Allow for CSV export of findings

Is your feature request related to a problem? Please describe.
I use this tool for FedRAMP penetration testing against Federal companies. As such, there are very strict documentation standards. Allowing export of a CSV file would greatly streamline my reporting as currently I am having to copy/paste from PDFs unless I want to work on the report instantly.

Describe the solution you'd like
I would like a function added that could either export as CSV or even XML that could be converted to CSV through scripting in Python. Anything but a PDF that cannot be properly parsed.

Describe alternatives you've considered
I am currently working on attempting to pull the HTML down and use Beautiful Soup to perform the parsing; however, I feel that if I am needing this functionality, multiple other people may be wanting it as well.
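The export the request describes, as an added example in Python (not MobSF's code): a nested findings structure is flattened to one row per finding and written with the csv module. The report layout below is constructed and is not MobSF's JSON schema. Because finding text can contain strings copied out of the scanned app, cells that start with a spreadsheet formula trigger are prefixed before export so the CSV cannot inject formulas when a reviewer opens it in Excel or LibreOffice.

```python
"""Flatten a findings report to CSV with formula-injection neutralisation (added example)."""
import csv
import io
import json

# Constructed report; the section/rule/severity layout is an assumption for the demo.
SAMPLE_REPORT = json.loads("""
{
  "app_name": "demo.apk",
  "findings": {
    "manifest_analysis": {
      "app_is_debuggable": {"severity": "high", "description": "Debug enabled for app",
                            "files": ["AndroidManifest.xml"]},
      "exported_activity": {"severity": "warning", "description": "Activity is exported",
                            "files": ["AndroidManifest.xml"]}
    },
    "code_analysis": {
      "hardcoded_secret": {"severity": "high",
                           "description": "=HYPERLINK(\\"http://attacker.invalid\\")",
                           "files": ["com/example/Keys.java", "com/example/Cfg.java"]}
    }
  }
}
""")

FIELDS = ["section", "rule", "severity", "description", "files"]
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def flatten_findings(report):
    """One dict per finding, with the file list joined so it fits a single cell."""
    rows = []
    for section, rules in report.get("findings", {}).items():
        for rule, item in rules.items():
            rows.append({
                "section": section,
                "rule": rule,
                "severity": item.get("severity", ""),
                "description": item.get("description", ""),
                "files": ";".join(item.get("files", [])),
            })
    return rows


def neutralise(cell):
    """Prefix cells a spreadsheet would otherwise evaluate as a formula."""
    text = str(cell)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({key: neutralise(row[key]) for key in FIELDS})
    return buf.getvalue()


def export_report_csv(report=SAMPLE_REPORT):
    return to_csv(flatten_findings(report))
```

The same flatten step produces rows that can just as easily be handed to an XML or JSON writer; the neutralisation only matters for the CSV path, where the file is destined for a spreadsheet.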

Additional context
No additional however I do want to take a moment to thank you for making this tool. It is an amazing addition to the community.

CSS file loading fail in China

The page loading time is more than 15 seconds, because users in China cannot access the fonts.googleapis.com site.
Could we put the font file in the code repository or use a CDN?

Snapshot:

      <!-- Google Font: Source Sans Pro -->
      <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,400i,700" rel="stylesheet">

Recent scan page

It would be great to see things like the appscores CVSS/security score/trackers detection on the recent scan page.
Sortable would be amazing, but being able to just view it on the page would be great for overview and metrics.
Thanks!

Create non root docker image

It is not a good practice to run a docker image as root. It would be a good improvement to build this image with a lower-privilege user, MobSF.

API: List batch operations

Lists the BatchJobs created by the authenticated user.

GET /admin/batch

Response
- count
- limit
- offset
- batch_jobs - { id, status, progress, ... }

DoD

  • should respond with the batch jobs that are created by the user

  • calls BatchJobService.listAndCount

  • Posted by: @srindom

  • Standard: Unpaid

  • Original Issue Link

Unable to use negation filter to integer field

Description
Cannot use negation filter on a numeric field.

Steps to reproduce
Use status:!=1 on numeric field (type: int32 or int64).

Expected Behavior
Return results whose field value is not 1.

Actual Behavior
status:!=1 error:
Error with filter field status: Numerical field has an invalid comparator.

status:<>1 error:
Error with filter field status: Not an int32.

Metadata
Typesense Version:
0.22.2

OS:
Ubuntu 20.04

Better handling of info.plist files in IOS Source

Is your feature request related to a problem? Please describe.
When working with large IOS projects, it is not uncommon, at least in our org, that projects are structured into modules.
Each module has its own info.plist. This causes some problems with mobSF as it appears to simply pick the first info.plist it finds (when scanning IOS Source; it is not an issue in binary as all the plists are combined into one), which could easily be a sub-module instead of the actual app.

Furthermore, you are free to name the info.plist file as you please. It does not have to be called info.plist.
I would like to hear some opinions on how to solve this and if it even should be solved. Maybe we're the only ones with this issue?

Describe the solution you'd like
Perhaps we could have an optional parameter, in the scan api call, with the name of the configuration that gets built. That way, it could check the project.pbxproj file, and find that configuration.
In the configuration, in the project file, it shows the path to the info.plist file and also values that you might replace in it using variable placeholders.
Combining these two things could potentially give you the proper info.plist content.
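The two-step resolution proposed above, as an added example in Python (not MobSF's code): given a build configuration name, read INFOPLIST_FILE and the other build settings from every matching XCBuildConfiguration in project.pbxproj, then expand `$(VAR)` and `${VAR}` placeholders in the plist with those settings. The pbxproj fragment and the plist are constructed (a TARGET_NAME setting is included only to show chained expansion); the regexes handle the common single-line settings and stop at the first `};`, so a project with nested braces inside buildSettings would need a fuller pbxproj parser.

```python
"""Resolve the Info.plist for a named build configuration from project.pbxproj (added example)."""
import plistlib
import re

SAMPLE_PBXPROJ = """
    AA01 /* Debug */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            INFOPLIST_FILE = "Modules/Networking/Info.plist";
            PRODUCT_NAME = Networking;
        };
        name = Debug;
    };
    AA02 /* Release */ = {
        isa = XCBuildConfiguration;
        buildSettings = {
            INFOPLIST_FILE = "App/Resources/MyApp-Info.plist";
            PRODUCT_BUNDLE_IDENTIFIER = com.example.myapp;
            PRODUCT_NAME = "$(TARGET_NAME)";
            TARGET_NAME = MyApp;
        };
        name = Release;
    };
"""

# Constructed App/Resources/MyApp-Info.plist: values are placeholders until built.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
  <key>CFBundleName</key><string>${PRODUCT_NAME}</string>
  <key>CFBundleVersion</key><string>42</string>
</dict>
</plist>
"""

CONFIG_RE = re.compile(
    r"isa = XCBuildConfiguration;\s*buildSettings = \{(?P<settings>.*?)\};\s*name = (?P<name>\w+);",
    re.S,
)
SETTING_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(?:"([^"]*)"|([^;]+));', re.M)
PLACEHOLDER_RE = re.compile(r"\$[({]([A-Z0-9_]+)[)}]")


def build_configurations(pbxproj_text, config_name):
    """All build-setting dicts of XCBuildConfiguration blocks named config_name."""
    configs = []
    for match in CONFIG_RE.finditer(pbxproj_text):
        if match.group("name") != config_name:
            continue
        settings = {}
        for key, quoted, bare in SETTING_RE.findall(match.group("settings")):
            settings[key] = quoted if quoted else bare.strip()
        configs.append(settings)
    return configs


def expand(value, settings, depth=8):
    """Expand $(VAR) / ${VAR} with build settings; unknown names are left untouched."""
    for _ in range(depth):  # settings may reference each other (PRODUCT_NAME -> TARGET_NAME)
        new = PLACEHOLDER_RE.sub(lambda m: settings.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def resolve_info_plist(plist_bytes, settings):
    plist = plistlib.loads(plist_bytes)
    return {k: expand(v, settings) if isinstance(v, str) else v for k, v in plist.items()}


def demo(config_name="Release"):
    """Return (plist path, resolved plist dict) for each configuration with that name."""
    results = []
    for settings in build_configurations(SAMPLE_PBXPROJ, config_name):
        path = settings.get("INFOPLIST_FILE")
        # A real scan would read `path` from the project tree; the constructed
        # plist above stands in for App/Resources/MyApp-Info.plist here.
        results.append((path, resolve_info_plist(SAMPLE_INFO_PLIST, settings)))
    return results
```

Returning every configuration with the requested name, rather than the first, keeps the sub-module problem visible: a project where both the app and a module have a "Release" configuration yields two candidates, and the caller can then choose by PRODUCT_BUNDLE_IDENTIFIER or target.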

API: Get a batch job

Gets a BatchJob. This endpoint may be used for polling the status of a batch operation. To retrieve the BatchJob with id the authenticated user must be the user identified by created_by.

GET /admin/batch/:id

Response
- batch_job - { id, status, progress, ... }

DoD

  • should respond with the correct batch job

  • if the authenticated user is not the creator of the batch job they should not be able to retrieve the job

  • Posted by: @srindom

  • Standard: Unpaid

  • Original Issue Link

API: Cancel a batch operation

Cancels an operation that is in progress.

POST /admin/batch/:id/cancel

DoD

  • endpoint should be idempotent - e.g. calling cancel on an already canceled job is allowed and responds with 200

  • BatchJobs in a completed state should not be cancelable - should fail with 422

  • Should call BatchJobService.cancel; which in turn potentially cancels the jobs in the worker that are currently being processed.

  • Posted by: @srindom

  • Standard: Unpaid

  • Original Issue Link

API: Complete a batch operation

Completes a previously dry_run'ed job.

POST /admin/batch/:id/complete

DoD

  • should be idempotent - i.e. if trying to complete a job that is currently processing the completion step then nothing should happen and endpoint should respond 200

  • only your own jobs can be completed i.e. req.user.id === batch.created_by must be true

  • should call BatchJobService.complete which in turn calls the underlying handler.

  • Endpoint should not wait for the actual processing of the job to complete

  • Posted by: @srindom

  • Standard: Unpaid

  • Original Issue Link

WebSocket/Server sent events implementation

We want to implement some notion of server transmitted data, as we want to be able to transmit to the client when a batch job is completed, and as an example notify that a file is now ready to be downloaded. It should be expandable upon later, such as pushing a notification when a user is mentioned in a comment on an order, etc.

Part of this ticket is investigating how we should approach this, as WebSocket/SSE is not very "RESTy". One idea would be to subscribe to an event, and when detected push to the client "you should GET /admin/batch/<some_id>", to keep it slim and still make use of the existing RESTFUL API.

browse all files

Is your feature request related to a problem? Please describe.
I would like to see the source code for other files besides java and smali, i.e. html. Or download binary files (images, shared objects and so on).

Describe the solution you'd like
Allow the browser to access all sorts of files.

Sticky horizontal scrollbar in code/xml views

Is your feature request related to a problem? Please describe.
When some lines exceed the viewport width inside the source and smali code views or the Manifest XML view, a horizontal scrollbar is shown.
The problem is, it's all at the bottom of the view which forces the user to scroll all way down to adjust the horizontal scroll.
This interrupts the workflow and is distracting because you have to guess what width is needed to view a specific part of the line.

Describe the solution you'd like
The horizontal scrollbar might be set to stick at the page bottom if it would be outside the viewport otherwise.

Web UI elements overlap or spread afar on Mobile & big screen

ENVIRONMENT

MobSF Version: 3.1.7 beta
OS and Version: Windows 10 Chrome , Android 9 Chrome

EXPLANATION OF THE ISSUE
When accessing the web interface via Chrome on Windows 10 or Chrome on Android, the layout gets "messy", with elements overlapping each other or, when zooming out, spread far from each other.
While on PC there is more freedom to resize a window and zoom-out, on Android 9 (~6 Inch screen) elements from table columns like images or buttons in the static analysis page or the search button on the main page overlap and cover other elements.
Here's an example on both Android & PC:

Chrome on PC (small window) at 100% zoom: [screenshot]

Chrome on Android: [screenshot]

Batch job *Handlers

  • add support for loading *Handler classes into the Awilix container
    • Awilix container is allowed to have a single instance of each type of handler
    • enable custom batch job types/handlers from plugins by identifying service using BatchJob type
  • create a common interface that batch job handlers implement:

interface {

  /*
  * Used in the API controller to verify that the `context` param is valid
  */
  validateContext()
  
  /*
  *  Method does the actual processing of the job. Should report back on the progress of the operation.
  */
  processJob()
  
  /*
  *  Method performs the completion of the job. Will not be run if `processJob` has already moved the BatchJob to a `complete` status.
  */
  completeJob()

}

Add "Submit" button in VirusTotal section

Our investigations of mobile apps sometimes deal with applications in development, and we have to disable auto-submit to VirusTotal.
But sometimes we deal with malware or app store applications which are publicly available.
Adding a "Submit" button in the VirusTotal section will be helpful if we need to submit the application to VirusTotal manually.

Ability to apply filters to overrides and pinned hits

This feature allows curated / pinned hits to only be triggered if the pinned hit satisfies the current filter_by query. Available in 0.23.0.rc45.

Example Usage:

curl "http://localhost:8108/collections/products/overrides/customize-apple" -X PUT -H "Content-Type: application/json" \
-H "X-TYPESENSE-API-KEY: ${TYPESENSE_API_KEY}" -d '{
  "rule": {
    "query": "apple",
    "match": "exact"
  },
  "includes": [
    {"id": "422", "position": 1},
    {"id": "54", "position": 2}
  ],
  "filter_curated_hits": true
}'
curl "http://localhost:8108/collections/products/documents/search?q=apple&query_by=name&pinned_hits=422:1&filter_curated_hits=true"

Integration of Library Detection & Analysis into MobSF

Hi!
As we approach the final semester of our bachelor's at Saarland University, a friend of mine and I are doing a project this semester. We have been assigned to integrate Android library detection & analysis techniques into a popular mobile security analysis tool.
We have chosen MobSF as the framework, and will be integrating LibScout, as well as LibID, into the static analysis routine of MobSF.
As I like contributing to open source, I wanted to ask if you'd be interested in a pull request once the work is finished.
Greetings!

Specify versions of data sets used

Some analysis results are time-dependent; specifically, reported ratings may change with each scan. This applies at least to:

  1. all app metadata retrieved from AppStores
  2. the certificate status of the signer certificate (Android)
  3. domain malware checks (IP address, IP geolocation, status)
  4. VirusTotal results

In order to make test results verifiable and possible differences between two scans comprehensible, a consistent versioning of the data sets used is necessary.

Currently, only the scan date is specified when using the VirusTotal API.

I suggest to add the following information to JSON Report API:

  • time at which an analysis started

  • time at which an analysis was completed (since not all analysis steps are executed in the very beginning and all at once)

  • the version string (if available) and the time at which a data set was successfully updated the last time (for example, the Malware Analysis or IP Geolocation data sets may be cached)

  • Posted by: @ghost

  • Standard: Unpaid

  • Original issue Link

API: Create a batch operation

Creates a batch operation. The type of batch operation determines what should be included in the context. If the batch job is created with dry_run: true final confirmation through /batch/:id/complete will be required before the final data is uploaded to the DB.

POST /admin/batch

Body
- type
- context
- dry_run - true/false
- (potentially a location for a import file)

Response
- batch_job - { id, status ... }
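The BatchJob entity, the BatchJobService, the *Handler interface and the four /admin/batch endpoint DoDs above all describe one lifecycle, so here is one added example that models it in Python rather than Medusa's TypeScript (this is not Medusa's code). It enforces the rules the issues state: context validation before anything is persisted, dry_run jobs waiting in awaiting_confirmation, idempotent cancel and complete, 422 for cancelling a completed job, and only the creator being able to retrieve, cancel or complete a job. ProductExportHandler, the event-list stand-in for the event bus, and answering 404 (not 403) for another user's job are assumptions.

```python
"""Batch job lifecycle: entity, handler interface, service rules, ownership checks (added example)."""
import itertools
from dataclasses import dataclass, field


class BatchJobError(Exception):
    """Carries the HTTP status the API layer should respond with."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


class BatchJobHandler:
    """Common interface every batch job type implements (one instance per type)."""
    def validate_context(self, context): raise NotImplementedError
    def process_job(self, job): raise NotImplementedError
    def complete_job(self, job): raise NotImplementedError


class ProductExportHandler(BatchJobHandler):
    """Hypothetical handler for type 'product_export'; the export itself is stubbed."""
    def validate_context(self, context):
        if not isinstance(context.get("filters", {}), dict):
            raise BatchJobError(400, "context.filters must be an object")

    def process_job(self, job):
        job.result = {"count": 3}  # constructed: a real handler would query products
        if job.dry_run:
            job.status = "awaiting_confirmation"  # wait for POST /admin/batch/:id/complete
        else:
            self.complete_job(job)

    def complete_job(self, job):
        job.result["download_url"] = f"/exports/{job.id}.csv"
        job.status = "completed"


@dataclass
class BatchJob:
    id: str
    type: str
    context: dict
    created_by: str
    dry_run: bool
    status: str = "created"  # created | processing | awaiting_confirmation | completed | canceled
    result: dict = field(default_factory=dict)


class BatchJobService:
    def __init__(self, handlers):
        self._handlers = handlers    # {job type: handler instance}, as the container would hold them
        self._jobs = {}
        self._ids = itertools.count(1)
        self.events = []             # (event name, job id); stands in for the event bus

    def _emit(self, name, job):
        self.events.append((name, job.id))

    def create(self, job_type, context, created_by, dry_run=False):
        handler = self._handlers.get(job_type)
        if handler is None:
            raise BatchJobError(400, f"unknown batch job type {job_type!r}")
        handler.validate_context(context)  # reject bad input before anything is persisted
        job = BatchJob(f"batch_{next(self._ids)}", job_type, context, created_by, dry_run)
        self._jobs[job.id] = job
        self._emit("batch.created", job)
        job.status = "processing"
        handler.process_job(job)           # inline here; a worker would do this asynchronously
        if job.status == "completed":
            self._emit("batch.completed", job)
        return job

    def retrieve(self, job_id, user_id):
        """Ownership check: a caller only ever sees their own jobs (404 hides other ids)."""
        job = self._jobs.get(job_id)
        if job is None or job.created_by != user_id:
            raise BatchJobError(404, "batch job not found")
        return job

    def list_and_count(self, user_id, skip=0, take=20):
        mine = [j for j in self._jobs.values() if j.created_by == user_id]
        return mine[skip:skip + take], len(mine)

    def cancel(self, job_id, user_id):
        job = self.retrieve(job_id, user_id)
        if job.status == "canceled":
            return job                     # idempotent: cancelling twice is a 200
        if job.status == "completed":
            raise BatchJobError(422, "completed jobs cannot be canceled")
        job.status = "canceled"
        self._emit("batch.canceled", job)
        return job

    def complete(self, job_id, user_id):
        job = self.retrieve(job_id, user_id)
        if job.status == "completed":
            return job                     # idempotent
        if job.status != "awaiting_confirmation":
            raise BatchJobError(422, f"job is {job.status}, not awaiting confirmation")
        self._handlers[job.type].complete_job(job)
        self._emit("batch.completed", job)
        return job


def error_status(fn, *args):
    """Call fn and return the status of the BatchJobError it raises (None on success)."""
    try:
        fn(*args)
        return None
    except BatchJobError as err:
        return err.status
```

Routing every state change through `retrieve` means the ownership rule is checked once, in one place, and a handler never sees a job the caller is not allowed to touch.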

Assets.car parser

Hi, thanks a lot for working on this tool.

During a recent .IPA file review, I discovered multiple Assets.car files with a BOMStore header.
After a quick Google search, I found the following article:
https://blog.timac.org/2018/1112-quicklook-plugin-to-visualize-car-files/

He released a few tools (with source code), however they are all for OSX sources.

I was wondering if you can find/write a cross-platform alternative and include this parser in MobSF.

Thanks
