garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rspec tests

Browse Source
This commit is contained in:
Christian Mehlmauer
2012-09-17 22:43:24 +02:00
parent 6f5a16d066
commit 18cb395b4d
15 changed files with 359 additions and 495 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
spec/lib/wpscan/wp_item_spec.rb
View File

@@ -19,14 +19,12 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpPlugin do
before :all do
@browser = Browser.instance(:config_file => SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json')
end
before :each do
@instance = WpItem.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "plugins/test/asdf.php")
:path => "plugins/test/asdf.php",
:vulns_xml => "XXX.xml"
)
end
describe "#initialize" do
@@ -76,9 +74,20 @@ describe WpPlugin do
@instance.path = "plugins/test/"
@instance.get_url_without_filename.to_s.should == "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/"
end
it "should return the correct url (https)" do
@instance.url = "https://sub.example.com/path/to/wordpress/"
@instance.get_url_without_filename.to_s.should == "https://sub.example.com/path/to/wordpress/wp-content/plugins/test/"
end
it "should add the last slash if it's not present" do
@instance.path = "plugins/test-one"
@instance.get_url_without_filename.to_s.should == "http://sub.example.com/path/to/wordpress/wp-content/plugins/test-one/"
end
end
describe "#version" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/version' }
it "should return a version number" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: 1.2.4.3.2.1")
@instance.version.should == "1.2.4.3.2.1"
@@ -88,18 +97,38 @@ describe WpPlugin do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: trunk")
@instance.version.should be nil
end
it "should return nil if the version is invalid (IE : trunk etc)" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200,
:body => File.new(fixtures_dir + '/trunk-version.txt'))
@instance.version.should be_nil
end
it "should return the version 0.4" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200,
:body => File.new(fixtures_dir + '/simple-login-lockdown-0.4.txt'))
@instance.version.should === "0.4"
end
end
describe "#directory_listing?" do
it "should return true" do
stub_request(:get, @instance.get_url_without_filename.to_s).to_return(:status => 200, :body => "<html><head><title>Index of asdf</title></head></html>")
stub_request(:get, @instance.get_url_without_filename.to_s).to_return(:status => 200,
:body => "<html><head><title>Index of asdf</title></head></html>")
@instance.directory_listing?.should == true
end
it "should return false" do
stub_request(:get, @instance.get_url_without_filename.to_s).to_return(:status => 200, :body => "<html><head><title>My Wordpress Site</title></head></html>")
stub_request(:get, @instance.get_url_without_filename.to_s).to_return(:status => 200,
:body => "<html><head><title>My Wordpress Site</title></head></html>")
@instance.directory_listing?.should == false
end
it "should return false on a 404" do
stub_request(:get, @instance.get_url_without_filename.to_s.to_s).to_return(:status => 404)
@instance.directory_listing?.should be_false
end
end
describe "#extract_name_from_url" do
@@ -146,14 +175,18 @@ describe WpPlugin do
it "should return false" do
instance2 = WpItem.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "plugins/newname/asdf.php")
:path => "plugins/newname/asdf.php",
:vulns_xml => "XXX.xml"
)
(@instance==instance2).should == false
end
it "should return true" do
instance2 = WpItem.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "plugins/test/asdf.php")
:path => "plugins/test/asdf.php",
:vulns_xml => "XXX.xml"
)
(@instance==instance2).should == true
end
end

260
spec/lib/wpscan/wp_plugin_spec.rb
View File

@@ -19,252 +19,60 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpPlugin do
before :all do
@browser = Browser.instance(:config_file => SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json')
end
describe "#location_uri_from_url" do
after :each do
if @url
uri = WpPlugin.location_uri_from_url(@url)
uri.should be_a URI
uri.to_s.should === @expected_uri_string
end
end
#it "should raise an error if the url is not valid" do
# expect { WpPlugin.location_uri_from_url("example.com") }.to raise_error
# expect { WpPlugin.location_uri_from_url("http://example.com/wp-includes/plugins/example/") }.to raise_error
#end
it "should return the uri without the file" do
@url = "http://example.com/wp-content/plugins/example/readme.txt"
@expected_uri_string = "http://example.com/wp-content/plugins/example/"
end
it "should return the uri without the file" do
@url = "https://sub.example.com/path/to/dir/wp-content/plugins/example/readme.txt"
@expected_uri_string = "https://sub.example.com/path/to/dir/wp-content/plugins/example/"
end
it "should return the same uri" do
@url = "http://example.com/wp-content/plugins/hello-world/"
@expected_uri_string = @url
end
# http://code.google.com/p/wpscan/issues/detail?id=146
it "should not raise an error if the url uses https" do
@url = "https://example.com/folder1/folder2/wp-content/plugins/user-role-editor/index.php"
@expected_uri_string = "https://example.com/folder1/folder2/wp-content/plugins/user-role-editor/"
end
it "should add the last slash if it's not present" do
@url = "http://example.com/wp-content/plugins/test-one"
@expected_uri_string = "#{@url}/"
end
end
describe "#extract_name_from_location_url" do
it "should return 'example-plugin'" do
WpPlugin.extract_name_from_location_url('http://example.com/wp-content/plugins/example-plugin/').should === 'example-plugin'
end
it "should return 'example-plugin'" do
WpPlugin.extract_name_from_location_url('https://sub.example.com/path/to/a/wp-content/plugins/example-plugin/').should === 'example-plugin'
end
end
describe "#create_location_url_from_name" do
after :each do
WpPlugin.create_location_url_from_name(@plugin_name, @target_url).should === @expected_url
end
it "should return 'http://example.com/$wp-plugins$/example/'" do
@plugin_name = "example"
@target_url = "http://example.com/"
@expected_url = "http://example.com/$wp-plugins$/example/"
end
it "should return 'http://example.com/$wp-plugins$/example/' even if the last '/' is not in the target url" do
@plugin_name = "example"
@target_url = "http://example.com"
@expected_url = "http://example.com/$wp-plugins$/example/"
end
it "should return http://example.com/$wp-plugins$/example-test/" do
@plugin_name = "example-test"
@target_url = "http://example.com"
@expected_url = "http://example.com/$wp-plugins$/example-test/"
end
it "should return http://example.com/$wp-plugins$/something%20with%20spaces/" do
@plugin_name = "something with spaces"
@target_url = "http://example.com"
@expected_url = URI.escape("http://example.com/$wp-plugins$/something with spaces/")
end
end
describe "#create_url_from_raw" do
it "should return http://example.com/$wp-plugins$/example-test/readme.txt" do
WpPlugin.create_url_from_raw("example-test/readme.txt", URI.parse("http://example.com")).should === "http://example.com/$wp-plugins$/example-test/readme.txt"
end
end
describe "#initialize" do
let(:location_url) { 'http://example.com/wp-content/plugins/example/' }
it "should raise an exception" do
expect { WpPlugin.new('invalid location url') }.to raise_error
it "should not raise an exception" do
expect { WpPlugin.new(:url => "url", :path => "path", :wp_content_dir => "dir", :name => "name") }.to_not raise_error
end
it "should initialize the object (no options given), :name should be 'example'" do
options = WpOptions.get_empty_options
options[:url] = location_url
wp_plugin = WpPlugin.new(options)
wp_plugin.name.should === 'example'
wp_plugin.get_url.should === location_url
it "should raise an exception (url not set)" do
expect { WpPlugin.new(:path => "path", :wp_content_dir => "dir", :name => "name") }.to raise_error
end
it "should initialize the object (options[:name] = 'example')" do
options = WpOptions.get_empty_options
options[:url] = location_url
options[:name] = "example"
wp_plugin = WpPlugin.new(options)
wp_plugin.name.should === 'example'
wp_plugin.location_url.should === location_url
it "should raise an exception (path not set)" do
expect { WpPlugin.new(:url => "url", :wp_content_dir => "dir", :name => "name") }.to raise_error
end
it "should raise an exception (wp_content_dir not set)" do
expect { WpPlugin.new(:url => "url", :path => "path", :name => "name") }.to raise_error
end
it "should raise an exception (name not set)" do
expect { WpPlugin.new(:url => "url", :path => "path", :wp_content_dir => "dir") }.to raise_error
end
end
# TODO
describe "operators : ==, ===, <=>" do
end
#TODO
describe "#location_url" do
end
describe "#version" do
let(:location_url) { 'http://example.localhost/wp-content/plugins/simple-login-lockdown/' }
let(:wp_plugin) { WpPlugin.new(location_url) }
let(:readme_url) { 'http://example.localhost/wp-content/plugins/simple-login-lockdown/readme.txt' }
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/version' }
it "should return nil if the readme.txt does not exist" do
stub_request(:get, readme_url).
to_return(:status => 404)
wp_plugin.version.should be_nil
end
it "should return nil if the version is invalid (IE : trunk etc)" do
stub_request(:get, readme_url).
to_return(:status => 200, :body => File.new(fixtures_dir + '/trunk-version.txt'))
wp_plugin.version.should be_nil
end
it "should return the version 0.4" do
stub_request(:get, readme_url).
to_return(:status => 200, :body => File.new(fixtures_dir + '/simple-login-lockdown-0.4.txt'))
wp_plugin.version.should === '0.4'
describe "#error_log_url" do
it "should return a correct url" do
temp = WpPlugin.new(:url => "http://wordpress.com",
:path => "plugins/test/asdf.php",
:wp_content_dir => "wp-content")
temp.error_log_url.to_s.should == "http://wordpress.com/wp-content/plugins/test/error_log"
end
end
describe "#to_s" do
after :each do
wp_plugin = WpPlugin.new(WpPlugin.create_location_url_from_name(@name, "http://example.localhost"))
wp_plugin.stub(:version => @version)
wp_plugin.to_s.should === @expected
end
it "should not include the version if it's not detected" do
@name = "a-plugin"
@version = nil
@expected = "a-plugin"
end
it "should show the version if it's detected" do
@name = "another-plugin"
@version = "3.2"
@expected = "another-plugin v3.2"
end
end
describe "#vulnerabilities" do
let(:location_url) { 'http://example.localhost/wp-content/plugins/spec-plugin/' }
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/vulnerabilities' }
let(:vulns_xml) { fixtures_dir + '/plugin_vulns.xml' }
let(:wp_plugin) { WpPlugin.new(location_url, :vulns_xml => vulns_xml) }
it "should return an empty array when no vulnerabilities are found" do
WpPlugin.new(
'http://example.localhost/wp-content/plugins/no-vulns/',
:vulns_xml => vulns_xml
).vulnerabilities.should be_empty
end
it "should return an arry with 2 vulnerabilities" do
vulnerabilities = wp_plugin.vulnerabilities
vulnerabilities.should_not be_empty
vulnerabilities.length.should == 2
vulnerabilities.each { |vulnerability| vulnerability.should be_a WpVulnerability }
vulnerabilities[0].title.should === 'WPScan Spec'
vulnerabilities[1].title.should === 'Spec SQL Injection'
end
end
describe "#error_log* (#error_log_url & #error_log?)" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/error_log' }
let(:location_url) { 'http://example.localhost/wp-content/plugins/simple-login-lockdown/' }
let(:error_log_url) { 'http://example.localhost/wp-content/plugins/simple-login-lockdown/error_log' }
let(:wp_plugin) { WpPlugin.new(location_url) }
it "should return the url of the error log" do
wp_plugin.error_log_url.should === error_log_url
end
it "should return false on a 404" do
stub_request(:get, error_log_url).
to_return(:status => 404)
wp_plugin.error_log?.should be_false
describe "#error_log?" do
before :each do
@temp = WpPlugin.new(:url => "http://wordpress.com",
:path => "plugins/test/asdf.php",
:wp_content_dir => "wp-content")
end
it "should return true" do
stub_request(:get, error_log_url).
to_return(:status => 200, :body => File.new(fixtures_dir + '/error_log'))
wp_plugin.error_log?.should be_true
end
end
describe "#directory_listing?" do
let(:wp_plugin) { WpPlugin.new('http://example.localhost/wp-content/plugins/simple-login-lockdown/readme.txt') }
it "should return false on a 404" do
stub_request(:get, wp_plugin.location_url).to_return(:status => 404)
wp_plugin.directory_listing?.should be_false
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 200, :body => "PHP Fatal error")
@temp.error_log?.should be true
end
it "should return false on a blank page" do
stub_request(:get, wp_plugin.location_url).to_return(:status => 200, :body => '')
wp_plugin.directory_listing?.should be_false
it "should return false" do
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 500, :body => "Access denied")
@temp.error_log?.should be false
end
it "should return true" do
stub_request(:get, wp_plugin.location_url).
to_return(:status => 200, :body => "<title>Index of simple-login-lockdown</title>")
fixtures_dir = SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + "/error_log"
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 200,
:body => File.new(fixtures_dir + '/error_log'))
wp_plugin.directory_listing?.should be_true
@temp.error_log?.should be true
end
end
end

90
spec/lib/wpscan/wp_theme_spec.rb
View File

@@ -19,7 +19,6 @@
require File.expand_path(File.dirname(__FILE__) + "/wpscan_helper")
describe WpTheme do
before :all do
@target_uri = URI.parse("http://example.localhost/")
@@ -29,21 +28,25 @@ describe WpTheme do
)
end
describe "#to_s" do
it "should return the theme name and the version if there is one" do
wp_theme = WpTheme.new(:name => "bueno", :version => "1.2.3", :url => "", :path => "", :wp_content_dir => "")
wp_theme.to_s.should === "bueno v1.2.3"
describe "#initialize" do
it "should not raise an exception" do
expect { WpTheme.new(:url => "url", :path => "path", :wp_content_dir => "dir", :name => "name") }.to_not raise_error
end
it "should not add the version if there is not" do
style_url = @target_uri.merge("wp-content/themes/hello-world/style.css").to_s
it "should raise an exception (url not set)" do
expect { WpTheme.new(:path => "path", :wp_content_dir => "dir", :name => "name") }.to raise_error
end
stub_request(:get, style_url).to_return(:status => 200, :body => "")
it "should raise an exception (path not set)" do
expect { WpTheme.new(:url => "url", :wp_content_dir => "dir", :name => "name") }.to raise_error
end
wp_theme = WpTheme.new(:name => "hello-world", :style_url => style_url, :url => "", :path => "", :wp_content_dir => "")
it "should raise an exception (wp_content_dir not set)" do
expect { WpTheme.new(:url => "url", :path => "path", :name => "name") }.to raise_error
end
wp_theme.to_s.should === "hello-world"
it "should raise an exception (name not set)" do
expect { WpTheme.new(:url => "url", :path => "path", :wp_content_dir => "dir") }.to raise_error
end
end
@@ -174,4 +177,69 @@ describe WpTheme do
end
end
describe "#===" do
it "should return false (name not equal)" do
instance = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
instance2 = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/newname/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
(instance===instance2).should == false
end
it "should return false (version not equal)" do
instance = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
instance2 = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_xml => "XXX.xml",
:version => "2.0"
)
(instance===instance2).should == false
end
it "should return false (version and name not equal)" do
instance = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
instance2 = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/newname/asdf.php",
:vulns_xml => "XXX.xml",
:version => "2.0"
)
(instance===instance2).should == false
end
it "should return true" do
instance = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/test/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
instance2 = WpTheme.new(:wp_content_dir => "wp-content",
:url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/test/asdf.php",
:vulns_xml => "XXX.xml",
:version => "1.0"
)
(instance===instance2).should == true
end
end
end

26
spec/lib/wpscan/wp_vulnerability_spec.rb Normal file
View File

@@ -0,0 +1,26 @@
# TODO
describe "#vulnerabilities" do
let(:location_url) { 'http://example.localhost/wp-content/plugins/spec-plugin/' }
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/vulnerabilities' }
let(:vulns_xml) { fixtures_dir + '/plugin_vulns.xml' }
let(:wp_plugin) { WpPlugin.new(location_url, :vulns_xml => vulns_xml) }
it "should return an empty array when no vulnerabilities are found" do
WpPlugin.new(
'http://example.localhost/wp-content/plugins/no-vulns/',
:vulns_xml => vulns_xml
).vulnerabilities.should be_empty
end
it "should return an arry with 2 vulnerabilities" do
vulnerabilities = wp_plugin.vulnerabilities
vulnerabilities.should_not be_empty
vulnerabilities.length.should == 2
vulnerabilities.each { |vulnerability| vulnerability.should be_a WpVulnerability }
vulnerabilities[0].title.should === 'WPScan Spec'
vulnerabilities[1].title.should === 'Spec SQL Injection'
end
end