From 15cb99977b7067abf7e9e89bd48e009ee0216b8a Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Sat, 28 Dec 2019 13:10:57 +0000
Subject: [PATCH 1/6] Fixes #1444
---
app/models/wp_item.rb | 11 +++--------
.../target/platform/wordpress/custom_directories.rb | 4 ++--
spec/app/models/wp_item_spec.rb | 2 +-
3 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/app/models/wp_item.rb b/app/models/wp_item.rb
index e001946b..ad67bd20 100644
--- a/app/models/wp_item.rb
+++ b/app/models/wp_item.rb
@@ -23,7 +23,7 @@ module WPScan # @option opts [ Hash ] :version_detection The options to use when looking for the version # @option opts [ String ] :url The URL of the item def initialize(slug, blog, opts = {}) - @slug = URI.decode(slug) + @slug = Addressable::URI.unencode(slug) @blog = blog @uri = Addressable::URI.parse(opts[:url]) if opts[:url]
@@ -83,11 +83,6 @@ module WPScan end end - # URI.encode is preferered over Addressable::URI.encode as it will encode # leading # character: # URI.encode('#t#') => %23t%23 # Addressable::URI.encode('#t#') => #t%23 # # @param [ String ] path Optional path to merge with the uri # # @return [ String ]
@@ -95,7 +90,7 @@ module WPScan return unless @uri return @uri.to_s unless path - @uri.join(URI.encode(path)).to_s + @uri.join(Addressable::URI.encode(path)).to_s end # @return [ Boolean ]
@@ -166,7 +161,7 @@ module WPScan # @return [ Typhoeus::Response ] def head_and_get(path, codes = [200], params = {}) final_path = +@path_from_blog - final_path << URI.encode(path) unless path.nil? + final_path << path unless path.nil? blog.head_and_get(final_path, codes, params) end
diff --git a/lib/wpscan/target/platform/wordpress/custom_directories.rb b/lib/wpscan/target/platform/wordpress/custom_directories.rb
index 3ca40412..d0d85f65 100644
--- a/lib/wpscan/target/platform/wordpress/custom_directories.rb
+++ b/lib/wpscan/target/platform/wordpress/custom_directories.rb
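Review bot: In the `url` hunk of app/models/wp_item.rb (@@ -95), `@uri.join(Addressable::URI.encode(path))` turns a path that begins with `#` into a URL fragment rather than a path, exactly as the comment deleted in the preceding hunk documented (`Addressable::URI.encode('#t#') => #t%23`) and as the updated spec in wp_item_spec.rb now pins with `"#{item_url}#t%23"`; the fragment is never sent, so the request goes to the item's own URL and a check for such a file can only report the wrong resource. `plugin_url` and `theme_url` in custom_directories.rb have the same issue, and the slug there presumably originates from content of the scanned site, so it is not under the operator's control. Encode the string as a path component instead of as a whole URI, e.g. `@uri.join(Addressable::URI.encode_component(path, Addressable::URI::CharacterClasses::PATH)).to_s`, which keeps `/` but yields `%23t%23` and `t%20.txt`, so the original spec expectation can be restored and the example's title `encodes the path` becomes true again. The `url` method's signature lies outside the hunk.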
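Review bot: `head_and_get` (@@ -166) now appends `path` to `@path_from_blog` verbatim, which makes percent-encoding the caller's responsibility, but nothing records that contract; the YARD block above the hunk (outside this view) should state it, e.g. `# @param [ String ] path Path appended to the item's path; must already be percent-encoded`. A caller that still passes a raw path will now put unencoded characters into the request line, and since the previous `URI.encode` was removed here rather than replaced with an equivalent, that is easy to miss in review.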
@@ -71,7 +71,7 @@ module WPScan # # @return [ String ] def plugin_url(slug) - plugins_uri.join("#{URI.encode(slug)}/").to_s + plugins_uri.join("#{Addressable::URI.encode(slug)}/").to_s end # @return [ String ]
@@ -93,7 +93,7 @@ module WPScan # # @return [ String ] def theme_url(slug) - themes_uri.join("#{URI.encode(slug)}/").to_s + themes_uri.join("#{Addressable::URI.encode(slug)}/").to_s end # @return [ String, False ] String of the sub_dir found, false otherwise
diff --git a/spec/app/models/wp_item_spec.rb b/spec/app/models/wp_item_spec.rb
index 38641737..a982575b 100644
--- a/spec/app/models/wp_item_spec.rb
+++ b/spec/app/models/wp_item_spec.rb
@@ -46,7 +46,7 @@ describe WPScan::Model::WpItem do end it 'encodes the path' do - expect(wp_item.url('#t#')).to eql "#{item_url}%23t%23" + expect(wp_item.url('#t#')).to eql "#{item_url}#t%23" expect(wp_item.url('t .txt')).to eql "#{item_url}t%20.txt" end end
From 025c9c24ca9d0c8c280abcf897d4760612e38944 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Thu, 2 Jan 2020 12:51:23 +0000
Subject: [PATCH 2/6] Fixes GH Action
---
.github/workflows/gempush.yml | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/gempush.yml b/.github/workflows/gempush.yml
index 4865674c..8fd43a6d 100644
--- a/.github/workflows/gempush.yml
+++ b/.github/workflows/gempush.yml
@@ -14,19 +14,19 @@ jobs: - name: Set up Ruby 2.6 uses: actions/setup-ruby@v1 with: - version: 2.6.x + ruby-version: 2.6.x - - name: Publish to GPR - run: | - mkdir -p $HOME/.gem - touch $HOME/.gem/credentials - chmod 0600 $HOME/.gem/credentials - printf -- "---\n:github: Bearer ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials - gem build *.gemspec - gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem - env: - GEM_HOST_API_KEY: ${{secrets.GITHUB_TOKEN}} - OWNER: username + #- name: Publish to GPR + # run: | + # mkdir -p $HOME/.gem + # touch $HOME/.gem/credentials + # chmod 0600 $HOME/.gem/credentials + # printf -- "---\n:github: Bearer ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials + # gem build *.gemspec + # gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem + # env: + # GEM_HOST_API_KEY: ${{secrets.GITHUB_TOKEN}} + # OWNER: wpscanteam - name: Publish to RubyGems run: |
From e766e7392a9aea9d53bb4003f9ca00620c1e3413 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Thu, 2 Jan 2020 12:52:03 +0000
Subject: [PATCH 3/6] Updates CMScanner dep
---
wpscan.gemspec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wpscan.gemspec b/wpscan.gemspec
index 9fb5ec0e..687936b1 100644
--- a/wpscan.gemspec
+++ b/wpscan.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s| s.executables = ['wpscan'] s.require_paths = ['lib'] - s.add_dependency 'cms_scanner', '~> 0.7.1' + s.add_dependency 'cms_scanner', '~> 0.8.0' s.add_development_dependency 'bundler', '>= 1.6' s.add_development_dependency 'coveralls', '~> 0.8.0'
From a62c16d7ccd790deeeec48cf151596c0e14b8393 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Thu, 2 Jan 2020 13:04:01 +0000
Subject: [PATCH 4/6] Fixes Rubocop warning
---
.rubocop.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.rubocop.yml b/.rubocop.yml
index e61179b1..f7e386e4 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
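Review bot: In the .github/workflows/gempush.yml hunk the `Publish to GPR` step is commented out rather than deleted, leaving eleven dead lines that git history already preserves; if it is kept for later re-enabling, note that the commented command `gem push --KEY github ...` does not use the documented spelling of the option and would have to become `gem push --key github ...` before it works. The step writes a bearer token into `$HOME/.gem/credentials` only after `touch` and `chmod 0600`, which is the right order, but a dormant secret-handling recipe like this tends to rot unreviewed, so deleting it is the safer choice. The `Publish to RubyGems` step that follows starts inside the hunk but its body continues outside it.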
@@ -4,6 +4,8 @@ AllCops: Exclude: - '*.gemspec' - 'vendor/**/*' +Layout/LineLength: + Max: 120 Lint/UriEscapeUnescape: Enabled: false Metrics/AbcSize:
@@ -17,8 +19,6 @@ Metrics/ClassLength: - 'app/controllers/enumeration/cli_options.rb' Metrics/CyclomaticComplexity: Max: 8 -Metrics/LineLength: - Max: 120 Metrics/MethodLength: Max: 20 Exclude:
From ad4eeb9f819e7795118fb0fb24952e1293bcafef Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Thu, 2 Jan 2020 13:29:30 +0000
Subject: [PATCH 5/6] Fixes specs
---
app/finders/config_backups/known_filenames.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/finders/config_backups/known_filenames.rb b/app/finders/config_backups/known_filenames.rb
index 017ddc6c..01d0359b 100644
--- a/app/finders/config_backups/known_filenames.rb
+++ b/app/finders/config_backups/known_filenames.rb
@@ -32,7 +32,7 @@ module WPScan urls = {} File.open(opts[:list]).each_with_index do |file, index| - urls[target.url(file.chomp)] = index + urls[target.url(file.chomp).gsub('#', '%23')] = index end urls
From 5887fede15f7bb0f6724e0a681d4ff8e4d5fb9d8 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Thu, 2 Jan 2020 13:53:28 +0000
Subject: [PATCH 6/6] Updates deps
---
app/finders/config_backups/known_filenames.rb | 2 +-
wpscan.gemspec | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/finders/config_backups/known_filenames.rb b/app/finders/config_backups/known_filenames.rb
index 01d0359b..017ddc6c 100644
--- a/app/finders/config_backups/known_filenames.rb
+++ b/app/finders/config_backups/known_filenames.rb
@@ -32,7 +32,7 @@ module WPScan urls = {} File.open(opts[:list]).each_with_index do |file, index| - urls[target.url(file.chomp).gsub('#', '%23')] = index + urls[target.url(file.chomp)] = index end urls
diff --git a/wpscan.gemspec b/wpscan.gemspec
index 687936b1..4dedaa22 100644
--- a/wpscan.gemspec
+++ b/wpscan.gemspec
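Review bot: In the 5/6 hunk of app/finders/config_backups/known_filenames.rb, `target.url(file.chomp).gsub('#', '%23')` rewrites the already-joined URL, so it patches the symptom of a leading `#` being treated as a fragment at join time and also touches any `#` the base URL itself may contain; the encoding belongs where the path component is joined, not on the finished string. Patch 6/6 reverts this same line alongside the `cms_scanner` bump to `~> 0.8.1`, which suggests the fix moved into the dependency — confirm that `target.url` there percent-encodes a leading `#`, and add a spec with a list entry that starts with `#` so the behaviour is covered in this repository rather than assumed from the dependency. On the context line, `File.open(opts[:list]).each_with_index` leaves the handle open until garbage collection; `File.foreach(opts[:list]).with_index` would close it. The enclosing method's signature lies outside the hunk.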
@@ -21,7 +21,7 @@ Gem::Specification.new do |s| s.executables = ['wpscan'] s.require_paths = ['lib'] - s.add_dependency 'cms_scanner', '~> 0.8.0' + s.add_dependency 'cms_scanner', '~> 0.8.1' s.add_development_dependency 'bundler', '>= 1.6' s.add_development_dependency 'coveralls', '~> 0.8.0'