.github/FUNDING.yml

@@ -1,2 +1 @@
-ko_fi: dwisiswant0
-custom: ["https://paypal.me/dw1s", "https://saweria.co/dwisiswant0"]
+github: ["dwisiswant0"]

.github/workflows/publish.yaml

@@ -5,36 +5,32 @@ on:
       - v*
 
 jobs: 
-  release: 
+  publish: 
     name: "Publish to DockerHub"
     runs-on: ubuntu-latest
     steps:
       - name: "Check out code"
-        uses: actions/checkout@v2
-
-      - name: "Set variables"
-        id: vars
-        run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
+        uses: actions/checkout@v3
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v1.0.1
+        uses: docker/setup-qemu-action@v2.1.0
 
       - name: "Set up Docker Buildx"
-        uses: docker/setup-buildx-action@v1.1.1
+        uses: docker/setup-buildx-action@v2.4.1
 
       - name: "Login to DockerHub"
-        uses: docker/login-action@v1.8.0
+        uses: docker/login-action@v2.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: "Build and push"
         id: docker_build
-        uses: docker/build-push-action@v2.3.0
+        uses: docker/build-push-action@v4.0.0
         with:
           push: true
-          build-args: "VERSION=${{ steps.vars.outputs.tag }}"
-          tags: "${{ github.repository }}:latest,${{ github.repository }}:${{ steps.vars.outputs.tag }}"
+          build-args: "VERSION=${{ github.ref_name }}"
+          tags: "${{ github.repository }}:latest,${{ github.repository }}:${{ github.ref_name }}"
 
       - name: "Image digest"
         run: echo ${{ steps.docker_build.outputs.digest }}

.gitignore

@@ -2,4 +2,5 @@ jadx/
 *.pyc
 *.egg-info/
 build/
-dist/
+dist/
+venv/

Dockerfile

@@ -1,15 +1,25 @@
-FROM python:3.8-slim-buster as build
+FROM python:3-slim
 
 LABEL description="Scanning APK file for URIs, endpoints & secrets."
 LABEL repository="https://github.com/dwisiswant0/apkleaks"
 LABEL maintainer="dwisiswant0"
 
+RUN apt-get update && \
+    apt-get install -y openjdk-17-jre-headless && \
+    apt-get install -y unzip && \
+    rm -rf /var/lib/apt/lists/*
+
+# Instal jadx 1.2.0
+ADD https://github.com/skylot/jadx/releases/download/v1.2.0/jadx-1.2.0.zip /tmp/jadx.zip
+RUN unzip /tmp/jadx.zip -d /opt/jadx && \
+    rm /tmp/jadx.zip && \
+    ln -s /opt/jadx/bin/jadx /usr/local/bin/jadx
+
 WORKDIR /app
-COPY requirements.txt requirements.txt
-RUN pip3 install -r requirements.txt
-COPY . .
 
-FROM openjdk:slim-buster
+COPY requirements.txt .
+RUN python -m ensurepip
+RUN pip install -r requirements.txt
+COPY . .
 
-COPY --from=build / /
-ENTRYPOINT ["/app/apkleaks.py"]
+ENTRYPOINT ["python", "/app/apkleaks.py"]

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2020-2021 dwisiswant0
+   Copyright 2020-2024 dwisiswant0
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Makefile

@@ -0,0 +1,54 @@
+AUTHOR  := dwisiswant0
+APP     := apkleaks
+IMAGE   := $(AUTHOR)/$(APP)
+VERSION := $(shell cat VERSION | tr -d '\n')
+PACKAGE := $(APP)-$(shell echo $(VERSION) | cut -c 2-)
+
+VENV := venv
+PYTHON := python3
+# PIP := pip3
+
+ifneq ($(wildcard $(VENV)),)
+	PYTHON = $(VENV)/bin/python3
+	# PIP = $(VENV)/bin/pip3
+endif
+
+venv:
+	python3 -m venv $(VENV)
+
+setup:
+	$(PYTHON) -m pip install -r requirements.txt
+	$(PYTHON) -m pip install build twine
+
+setup-venv: venv
+setup-venv: PYTHON = $(VENV)/bin/python3
+setup-venv: setup
+
+build-package:
+	@$(PYTHON) -m build
+
+check-package:
+	@$(PYTHON) -m twine check dist/$(PACKAGE)*
+
+upload-package:
+	@$(PYTHON) -m twine upload dist/$(PACKAGE)*
+
+pypi: check-package build-package
+
+build-images:
+	@docker build -t $(IMAGE):latest .
+	@docker tag $(IMAGE):latest $(IMAGE):$(VERSION)
+
+upload-images:
+	@docker push $(IMAGE):latest
+	@docker push $(IMAGE):$(VERSION)
+
+docker: build-images
+
+build-all: build-package build-images
+
+upload-all: upload-package upload-images
+
+clean:
+	@rm -rfv dist/ venv/
+	@docker image rm -f dwisiswant0/apkleaks

README.md

@@ -14,8 +14,7 @@ Scanning APK file for URIs, endpoints & secrets.
   - [Options](#options)
     - [Output](#output)
     - [Pattern](#pattern)
-    - [Pattern](#pattern)
-    - [Arguments (disassembler)](#arguments-disassembler)
+    - [Arguments (for disassembler)](#arguments-for-disassembler)
 - [License](#license)
 - [Acknowledments](#acknowledments)
 
@@ -51,7 +50,7 @@ $ docker pull dwisiswant0/apkleaks:latest
 
 ### Dependencies
 
-APKLeaks using [jadx](https://github.com/skylot/jadx) disassembler to decompile APK file. If it doesn't exist in your environment, it'll ask you to download.
+The APKLeaks utilizes the [jadx](https://github.com/skylot/jadx) disassembler to decompile APK files. If jadx is not present in your system, it will prompt you to download it.
 
 ## Usage
 
@@ -75,29 +74,32 @@ Here are all the options it supports.
 | -o, --output  	| Write to file results _(random if not set)_ 	| `apkleaks -f file.apk -o results.txt`                         |
 | -p, --pattern 	| Path to custom patterns JSON                	| `apkleaks -f file.apk -p custom-rules.json`                   |
 | -a, --args    	| Disassembler arguments                      	| `apkleaks -f file.apk --args="--deobf --log-level DEBUG"`     |
-| --json        	| Save as JSON format                         	| `apkleaks -f file.apk -o results.json --json`                 |
+|     --json      | Save as JSON format                         	| `apkleaks -f file.apk -o results.json --json`                 |
 
 ### Output
 
 In general, if you don't provide `-o` argument, then it will generate results file automatically.
 
-**NOTE:** By default it will also save the results in text format, use `--json` argument if you want JSON output format.
+> [!TIP]
+> By default it will also save the results in text format, use `--json` argument if you want JSON output format.
 
 ### Pattern
 
-Custom patterns can be added with the following argument to provide sensitive _search rules_ in the JSON file format: `--pattern /path/to/custom-rules.json`. If not set, it'll use default patterns from [regexes.json](https://github.com/dwisiswant0/apkleaks/blob/master/config/regexes.json) file.
+Custom patterns can be added with the following argument to provide sensitive _search rules_ in the JSON file format: `--pattern /path/to/custom-rules.json`. If no file is set, the tool will use the default patterns found in [regexes.json](https://github.com/dwisiswant0/apkleaks/blob/master/config/regexes.json) file.
 
-Example patterns file:
+Here's an example of what a custom pattern file could look like:
 
 ```json
 // custom-rules.json
 {
   "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
-  ...
+  // ...
 }
 ```
 
-```
+To run the tool using these custom rules, use the following command:
+
+```bash
 $ apkleaks -f /path/to/file.apk -p rules.json -o ~/Documents/apkleaks-results.txt
 ```
 
@@ -109,7 +111,8 @@ We give user complete discretion to pass the disassembler arguments. For example
 $ apkleaks -f /path/to/file.apk -a "--deobf --log-level DEBUG"
 ```
 
-**NOTE:** Please pay attention to the default disassembler arguments we use to prevent collisions.
+> [!WARNING]
+> Please pay attention to the default disassembler arguments we use to prevent collisions.
 
 ## License
 

VERSION

@@ -1 +1 @@
-v2.5.0
+v2.6.3

apkleaks/apkleaks.py

@@ -10,9 +10,9 @@
 import threading
 
 from contextlib import closing
-from distutils.spawn import find_executable
+from shutil import which
 from pathlib import Path
-from pipes import quote
+from shlex import quote
 from urllib.request import urlopen
 from zipfile import ZipFile
 
@@ -24,7 +24,7 @@
 class APKLeaks:
 	def __init__(self, args):
 		self.apk = None
-		self.file = args.file
+		self.file = os.path.realpath(args.file)
 		self.json = args.json
 		self.disarg = args.args
 		self.prefix = "apkleaks-"
@@ -33,7 +33,7 @@ def __init__(self, args):
 		self.output = tempfile.mkstemp(suffix=".%s" % ("json" if self.json else "txt"), prefix=self.prefix)[1] if args.output is None else args.output
 		self.fileout = open(self.output, "%s" % ("w" if self.json else "a"))
 		self.pattern = os.path.join(str(Path(self.main_dir).parent), "config", "regexes.json") if args.pattern is None else args.pattern
-		self.jadx = find_executable("jadx") if find_executable("jadx") is not None else os.path.join(str(Path(self.main_dir).parent), "jadx", "bin", "jadx%s" % (".bat" if os.name == "nt" else ""))
+		self.jadx = which("jadx") if which("jadx") is not None else os.path.join(str(Path(self.main_dir).parent), "jadx", "bin", "jadx%s" % (".bat" if os.name == "nt" else "")).replace("\\","/")
 		self.out_json = {}
 		self.scanned = False
 		logging.config.dictConfig({"version": 1, "disable_existing_loggers": True})
@@ -94,6 +94,7 @@ def decompile(self):
 		except Exception:
 			pass
 		comm = "%s" % (" ".join(quote(arg) for arg in args))
+		comm = comm.replace("\'","\"")
 		os.system(comm)
 
 	def extract(self, name, matches):
@@ -102,8 +103,10 @@ def extract(self, name, matches):
 			util.writeln("\n" + stdout, col.OKGREEN)
 			self.fileout.write("%s" % (stdout + "\n" if self.json is False else ""))
 			for secret in matches:
-				if name == "LinkFinder" and re.match(r"^.(L[a-z]|application|audio|fonts|image|layout|multipart|plain|text|video).*\/.+", secret) is not None:
-					continue
+				if name == "LinkFinder":
+					if re.match(r"^.(L[a-z]|application|audio|fonts|image|kotlin|layout|multipart|plain|text|video).*\/.+", secret) is not None:
+						continue
+					secret = secret[len("'"):-len("'")]
 				stdout = ("- %s" % (secret))
 				print(stdout)
 				self.fileout.write("%s" % (stdout + "\n" if self.json is False else ""))

apkleaks/cli.py

@@ -4,17 +4,20 @@
 import sys
 from pathlib import Path
 
-import pkg_resources
-
 from apkleaks.apkleaks import APKLeaks
 from apkleaks.colors import color as col
 
 def header():
 	try:
-		VERSION = "v" + pkg_resources.require("apkleaks")[0].version
-	except Exception:
-		VERSION = open(os.path.join(str(Path(__file__).parent.parent), "VERSION"), "r").read().strip()
-	print(col.HEADER + "     _    ____  _  ___               _        \n    / \\  |  _ \\| |/ / |    ___  __ _| | _____ \n   / _ \\ | |_) | ' /| |   / _ \\/ _` | |/ / __|\n  / ___ \\|  __/| . \\| |__|  __/ (_| |   <\\__ \\\n /_/   \\_\\_|   |_|\\_\\_____\\___|\\__,_|_|\\_\\___/\n {}\n --\n Scanning APK file for URIs, endpoints & secrets\n (c) 2020-2021, dwisiswant0\n".format(VERSION) + col.ENDC, file=sys.stderr)
+		from importlib import metadata
+		VERSION = "v" + metadata.version("apkleaks")
+	except ImportError:
+		try:
+			import pkg_resources
+			VERSION = "v" + pkg_resources.require("apkleaks")[0].version
+		except Exception:
+			VERSION = open(os.path.join(str(Path(__file__).parent.parent), "VERSION"), "r").read().strip()
+	print(col.HEADER + "     _    ____  _  ___               _        \n    / \\  |  _ \\| |/ / |    ___  __ _| | _____ \n   / _ \\ | |_) | ' /| |   / _ \\/ _` | |/ / __|\n  / ___ \\|  __/| . \\| |__|  __/ (_| |   <\\__ \\\n /_/   \\_\\_|   |_|\\_\\_____\\___|\\__,_|_|\\_\\___/\n {}\n --\n Scanning APK file for URIs, endpoints & secrets\n (c) 2020-2024, dwisiswant0\n".format(VERSION) + col.ENDC, file=sys.stderr)
 
 def argument():
 	parser = argparse.ArgumentParser()