Fixes incorrect detection of a response from the API in some cases (better)

erwanlr
2020-12-15 12:05:06 +01:00
parent 1c30743a11
commit 3638241513
2 changed files with 5 additions and 8 deletions


@@ -7,7 +7,8 @@ module Typhoeus
# #
# @return [ Boolean ] # @return [ Boolean ]
def from_vuln_api? def from_vuln_api?
effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) && !effective_url.include?('v3/status') effective_url.start_with?(WPScan::DB::VulnApi.uri.to_s) &&
!effective_url.start_with?(WPScan::DB::VulnApi.uri.join('status').to_s)
end end
end end
end end
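Review bot: The `/status` exclusion in `from_vuln_api?` is a plain string-prefix test, so any effective URL under the API base whose path merely begins with `status` (a constructed example: a `status-history` endpoint) is also reported as not coming from the Vuln API, and the spec has no case that pins this boundary. The result also depends on `WPScan::DB::VulnApi.uri` ending in `/`, which is not visible here: without it `URI#join('status')` replaces the last path segment and the first `start_with?` matches sibling paths too, so a comment stating that assumption would help. If only the status endpoint itself is meant, consider `status_url = WPScan::DB::VulnApi.uri.join('status').to_s` followed by `!(effective_url == status_url || effective_url.start_with?("#{status_url}/", "#{status_url}?"))`. The enclosing class opens outside this hunk.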


@@ -1,15 +1,13 @@
# frozen_string_literal: true # frozen_string_literal: true
describe Typhoeus::Response do describe Typhoeus::Response do
subject(:response) { described_class.new(options) }
let(:options) { { return_code: 200 } }
describe '#from_vuln_api?' do describe '#from_vuln_api?' do
context 'when response from the Vuln API' do context 'when a response from the Vuln API' do
%w[ %w[
https://wpscan.com/api/v3/plugins/wpscan https://wpscan.com/api/v3/plugins/wpscan
https://wpscan.com/api/v3/plugins/status-test https://wpscan.com/api/v3/plugins/status-test
https://wpscan.com/api/v3/themes/test https://wpscan.com/api/v3/themes/test
https://wpscan.com/api/v3/plugins/test/v3/status
].each do |response_url| ].each do |response_url|
it "returnse false for #{response_url}" do it "returnse false for #{response_url}" do
expect(described_class.new(return_code: 200, effective_url: response_url).from_vuln_api?).to be true expect(described_class.new(return_code: 200, effective_url: response_url).from_vuln_api?).to be true
@@ -17,15 +15,13 @@ describe Typhoeus::Response do
end end
end end
context 'when not a response from the Vuln API' do context 'when not a response from the Vuln API (/status endpoint is ignored)' do
%w[ %w[
https://wpscan.com/something https://wpscan.com/something
http://wp.lab/ http://wp.lab/
https://wp.lab/status https://wp.lab/status
https://wpscan.com/api/v3/status https://wpscan.com/api/v3/status
].each do |response_url| ].each do |response_url|
let(:options) { super().merge(effective_url: response_url) }
it "returns false for #{response_url}" do it "returns false for #{response_url}" do
expect(described_class.new(return_code: 200, effective_url: response_url).from_vuln_api?).to be false expect(described_class.new(return_code: 200, effective_url: response_url).from_vuln_api?).to be false
end end