From 5c842e192b055bd8de36a7b3a8ff92c4e107b224 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Wed, 24 Apr 2019 12:42:18 +0100
Subject: [PATCH] Updates deps
---
 app/finders/interesting_findings/mu_plugins.rb | 4 ++--
 app/finders/main_theme/css_style.rb | 6 +++---
 app/finders/users/author_id_brute_forcing.rb | 4 ++--
 app/finders/users/author_posts.rb | 4 +---
 app/finders/users/wp_json_api.rb | 4 +---
 app/finders/wp_items/urls_in_homepage.rb | 4 ++--
 app/models/wp_item.rb | 2 +-
 .../dynamic_finder/version/query_parameter.rb | 6 ++----
 lib/wpscan/target/platform/wordpress.rb | 12 ++++++------
 .../target/platform/wordpress/custom_directories.rb | 8 ++++----
 wpscan.gemspec | 4 ++--
 11 files changed, 26 insertions(+), 32 deletions(-)
diff --git a/app/finders/interesting_findings/mu_plugins.rb b/app/finders/interesting_findings/mu_plugins.rb
index 2a316b7e..d6efa790 100644
--- a/app/finders/interesting_findings/mu_plugins.rb
+++ b/app/finders/interesting_findings/mu_plugins.rb
@@ -9,8 +9,8 @@ module WPScan
 def passive(_opts = {})
 pattern = %r{#{target.content_dir}/mu\-plugins/}i
- target.in_scope_urls(target.homepage_res) do |url|
- next unless Addressable::URI.parse(url).path =~ pattern
+ target.in_scope_uris(target.homepage_res) do |uri|
+ next unless uri.path =~ pattern
 url = target.url('wp-content/mu-plugins/')
diff --git a/app/finders/main_theme/css_style.rb b/app/finders/main_theme/css_style.rb
index dbf50a0e..4b978311 100644
--- a/app/finders/main_theme/css_style.rb
+++ b/app/finders/main_theme/css_style.rb
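Review bot: In app/finders/interesting_findings/mu_plugins.rb, the `pattern` line above the changed block interpolates `target.content_dir` into the regex unescaped, so any regex metacharacter in that value changes what `uri.path =~ pattern` accepts. Building it as `pattern = %r{#{Regexp.escape(target.content_dir)}/mu\-plugins/}i` keeps the comparison literal. How `content_dir` is populated is only partly visible in this patch, so confirm whether every source already restricts it to path-safe characters. The body of `passive` continues outside the hunk.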
@@ -20,10 +20,10 @@ module WPScan
 end
 def passive_from_css_href(res, opts)
- target.in_scope_urls(res, '//style/@src|//link/@href') do |url|
- next unless Addressable::URI.parse(url).path =~ %r{/themes/([^\/]+)/style.css\z}i
+ target.in_scope_uris(res, '//style/@src|//link/@href') do |uri|
+ next unless uri.path =~ %r{/themes/([^\/]+)/style.css\z}i
- return create_theme(Regexp.last_match[1], url, opts)
+ return create_theme(Regexp.last_match[1], uri.to_s, opts)
 end
 nil
 end
diff --git a/app/finders/users/author_id_brute_forcing.rb b/app/finders/users/author_id_brute_forcing.rb
index 45741ae3..9bbd0c4f 100644
--- a/app/finders/users/author_id_brute_forcing.rb
+++ b/app/finders/users/author_id_brute_forcing.rb
@@ -83,8 +83,8 @@ module WPScan
 # @return [ String, nil ] The username found
 def username_from_response(res)
 # Permalink enabled
- target.in_scope_urls(res, '//link/@href|//a/@href') do |url|
- username = username_from_author_url(url)
+ target.in_scope_uris(res, '//link/@href|//a/@href') do |uri|
+ username = username_from_author_url(uri.to_s)
 return username if username
 end
diff --git a/app/finders/users/author_posts.rb b/app/finders/users/author_posts.rb
index b873dd45..71cb4c0f 100644
--- a/app/finders/users/author_posts.rb
+++ b/app/finders/users/author_posts.rb
@@ -45,9 +45,7 @@ module WPScan
 def potential_usernames(res)
 usernames = []
- target.in_scope_urls(res, '//a/@href') do |url, node|
- uri = Addressable::URI.parse(url)
-
+ target.in_scope_uris(res, '//a/@href') do |uri, node|
 if uri.path =~ %r{/author/([^/\b]+)/?\z}i
 usernames << [Regexp.last_match[1], 'Author Pattern', 100]
 elsif /author=[0-9]+/.match?(uri.query)
diff --git a/app/finders/users/wp_json_api.rb b/app/finders/users/wp_json_api.rb
index aa6af0b7..20904e95 100644
--- a/app/finders/users/wp_json_api.rb
+++ b/app/finders/users/wp_json_api.rb
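Review bot: In app/finders/main_theme/css_style.rb, the `.` in `style.css` on the new `next unless uri.path =~ ...` line is unescaped, so the pattern accepts any character in that position rather than only a literal dot. Escaping it, `next unless uri.path =~ %r{/themes/([^\/]+)/style\.css\z}i`, ties theme detection to the real stylesheet name. The links come from the scanned page's markup, so a tighter pattern lowers the chance of a misattributed theme slug.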
@@ -57,9 +57,7 @@ module WPScan
 def api_url
 return @api_url if @api_url
- target.in_scope_urls(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |url, _tag|
- uri = Addressable::URI.parse(url.strip)
-
+ target.in_scope_uris(target.homepage_res, "//link[@rel='https://api.w.org/']/@href").each do |uri|
 return @api_url = uri.join('wp/v2/users/').to_s if uri.path.include?('wp-json')
 end
diff --git a/app/finders/wp_items/urls_in_homepage.rb b/app/finders/wp_items/urls_in_homepage.rb
index f69586d3..ddeb121b 100644
--- a/app/finders/wp_items/urls_in_homepage.rb
+++ b/app/finders/wp_items/urls_in_homepage.rb
@@ -12,8 +12,8 @@ module WPScan
 def items_from_links(type, uniq = true)
 found = []
- target.in_scope_urls(target.homepage_res) do |url|
- next unless url =~ item_attribute_pattern(type)
+ target.in_scope_uris(target.homepage_res) do |uri|
+ next unless uri.to_s =~ item_attribute_pattern(type)
 found << Regexp.last_match[1]
 end
diff --git a/app/models/wp_item.rb b/app/models/wp_item.rb
index b214a56c..8287d95e 100644
--- a/app/models/wp_item.rb
+++ b/app/models/wp_item.rb
@@ -13,7 +13,7 @@ module WPScan
 attr_reader :uri, :slug, :detection_opts, :version_detection_opts, :blog, :path_from_blog, :db_data
- delegate :homepage_res, :xpath_pattern_from_page, :in_scope_urls, :head_or_get_params, to: :blog
+ delegate :homepage_res, :xpath_pattern_from_page, :in_scope_uris, :head_or_get_params, to: :blog
 # @param [ String ] slug The plugin/theme slug
 # @param [ Target ] blog The targeted blog
diff --git a/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb b/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb
index ba783edb..f559b2be 100644
--- a/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb
+++ b/lib/wpscan/finders/dynamic_finder/version/query_parameter.rb
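Review bot: In app/finders/users/wp_json_api.rb, the removed code called `url.strip` before parsing, while the new block relies on `in_scope_uris` to return a usable URI for the `https://api.w.org/` link. Whether cms_scanner 0.5.0 trims surrounding whitespace in the `href` is not visible in this patch; if it does not, a padded attribute would presumably stop yielding an API URL and this finder would silently return nothing. A spec with a whitespace-padded `href` would pin the behaviour. `api_url` continues outside the hunk.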
@@ -35,15 +35,13 @@ module WPScan
 def scan_response(response)
 found = {}
- target.in_scope_urls(response, xpath) do |url, _tag|
- uri = Addressable::URI.parse(url)
-
+ target.in_scope_uris(response, xpath) do |uri|
 next unless uri.path =~ path_pattern && uri.query&.match(self.class::PATTERN)
 version = Regexp.last_match[:v].to_s
 found[version] ||= []
- found[version] << url
+ found[version] << uri.to_s
 end
 found
diff --git a/lib/wpscan/target/platform/wordpress.rb b/lib/wpscan/target/platform/wordpress.rb
index 97d5f834..20c81389 100644
--- a/lib/wpscan/target/platform/wordpress.rb
+++ b/lib/wpscan/target/platform/wordpress.rb
@@ -24,8 +24,8 @@ module WPScan
 #
 # @return [ Boolean ]
 def wordpress?(detection_mode)
- in_scope_urls(homepage_res) do |url|
- return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
+ in_scope_uris(homepage_res) do |uri|
+ return true if uri.path.match(WORDPRESS_PATTERN)
 end
 homepage_res.html.css('meta[name="generator"]').each do |node|
@@ -36,8 +36,8 @@ module WPScan
 if %i[mixed aggressive].include?(detection_mode)
 %w[wp-admin/install.php wp-login.php].each do |path|
- in_scope_urls(Browser.get_and_follow_location(url(path))).each do |url|
- return true if Addressable::URI.parse(url).path.match(WORDPRESS_PATTERN)
+ in_scope_uris(Browser.get_and_follow_location(url(path))).each do |uri|
+ return true if uri.path.match(WORDPRESS_PATTERN)
 end
 end
 end
@@ -85,8 +85,8 @@ module WPScan
 unless content_dir(:passive)
 pattern = %r{https?://s\d\.wp\.com#{WORDPRESS_PATTERN}}i.freeze
- urls_from_page(homepage_res) do |url|
- return true if url.match?(pattern)
+ uris_from_page(homepage_res) do |uri|
+ return true if uri.to_s.match?(pattern)
 end
 end
diff --git a/lib/wpscan/target/platform/wordpress/custom_directories.rb b/lib/wpscan/target/platform/wordpress/custom_directories.rb
index 2ff7942c..7ea330ed 100644
--- a/lib/wpscan/target/platform/wordpress/custom_directories.rb
+++ b/lib/wpscan/target/platform/wordpress/custom_directories.rb
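Review bot: In lib/wpscan/target/platform/wordpress.rb, the new `return true if uri.path.match(WORDPRESS_PATTERN)` line in `wordpress?` only needs a boolean, so `match?` fits better than `match`: `return true if uri.path.match?(WORDPRESS_PATTERN)`. That skips building a MatchData and agrees with the `match?` call in the third hunk of this file. The same line appears in the second hunk, inside the `%i[mixed aggressive]` branch. `wordpress?` continues outside both hunks.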
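Review bot: In the third hunk of lib/wpscan/target/platform/wordpress.rb, `uri.to_s.match?(pattern)` is unanchored, so the `s\d.wp.com` text can match anywhere in the serialized URI, for example inside the query string of an unrelated link. Now that the block receives a parsed URI, host and path can be checked separately, e.g. `return true if uri.host&.match?(/\As\d\.wp\.com\z/i) && uri.path.match?(WORDPRESS_PATTERN)`. This assumes `uris_from_page` yields the same URI objects as `in_scope_uris` and that matching WORDPRESS_PATTERN against the path alone is equivalent here, both of which should be confirmed. The enclosing method starts and ends outside the hunk.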
@@ -20,8 +20,8 @@ module WPScan
 # scope_url_pattern is from CMSScanner::Target
 pattern = %r{#{scope_url_pattern}([\w\s\-/]+)\\?/(?:themes|plugins|uploads|cache)\\?/}i
- in_scope_urls(homepage_res) do |url|
- return @content_dir = Regexp.last_match[1] if url.match(pattern)
+ in_scope_uris(homepage_res) do |uri|
+ return @content_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
 end
 # Checks for the pattern in raw JS code, as well as @content attributes of meta tags
@@ -105,8 +105,8 @@ module WPScan
 # url_pattern is from CMSScanner::Target
 pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp\-includes/)}i
- in_scope_urls(homepage_res) do |url|
- return @sub_dir = Regexp.last_match[1] if url.match(pattern)
+ in_scope_uris(homepage_res) do |uri|
+ return @sub_dir = Regexp.last_match[1] if uri.to_s.match(pattern)
 end
 @sub_dir = false
diff --git a/wpscan.gemspec b/wpscan.gemspec
index 04f6cd85..ded908c9 100644
--- a/wpscan.gemspec
+++ b/wpscan.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
 s.executables = ['wpscan']
 s.require_paths = ['lib']
- s.add_dependency 'cms_scanner', '~> 0.0.44.3'
+ s.add_dependency 'cms_scanner', '~> 0.5.0'
 s.add_development_dependency 'bundler', '>= 1.6'
 s.add_development_dependency 'coveralls', '~> 0.8.0'
@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
 s.add_development_dependency 'rake', '~> 12.3'
 s.add_development_dependency 'rspec', '~> 3.8.0'
 s.add_development_dependency 'rspec-its', '~> 1.3.0'
- s.add_development_dependency 'rubocop', '~> 0.67.1'
+ s.add_development_dependency 'rubocop', '~> 0.67.2'
 s.add_development_dependency 'simplecov', '~> 0.16.1'
 s.add_development_dependency 'stackprof', '~> 0.2.12'
 s.add_development_dependency 'webmock', '~> 3.5.1'