garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoids merging CLI params when calling VulnAPI - Ref #1451

Browse Source
This commit is contained in:
erwanlr
2020-02-11 09:13:31 +00:00
parent 1b68bdb36c
commit 6b241ce9b3
2 changed files with 18 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/wpscan/db/vuln_api.rb
View File

@@ -23,7 +23,8 @@ module WPScan
return {} unless token return {} unless token
return {} if path.end_with?('/latest') # Remove this when api/v4 is up return {} if path.end_with?('/latest') # Remove this when api/v4 is up
res = Browser.get(uri.join(path), params.merge(request_params)) # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
res = Typhoeus.get(uri.join(path), default_request_params.merge(params))
return {} if res.code == 404 # This is for API inconsistencies when dots in path return {} if res.code == 404 # This is for API inconsistencies when dots in path
return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code) return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
@@ -65,12 +66,13 @@ module WPScan
end end
# @return [ Hash ] # @return [ Hash ]
def self.request_params # Those params can not be overriden by CLI options, except for the cache_ttl
{ def self.default_request_params
@default_request_params ||= {
timeout: 30,
connecttimeout: 15,
cache_ttl: Browser.instance.cache_ttl,
headers: { headers: {
'Host' => uri.host, # Reset in case user provided a --vhost for the target
'Referer' => nil, # Removes referer set by the cmsscanner to the target url
'CF-Connecting-IP' => nil, # Removes in case user provided one for the target
'User-Agent' => Browser.instance.default_user_agent, 'User-Agent' => Browser.instance.default_user_agent,
'Authorization' => "Token token=#{token}" 'Authorization' => "Token token=#{token}"
} }

14
spec/lib/db/vuln_api_spec.rb
View File

@@ -5,10 +5,6 @@ describe WPScan::DB::VulnApi do
let(:request_headers) do let(:request_headers) do
{ {
'Host' => api.uri.host,
'Expect' => nil,
'Referer' => nil,
'CF-Connecting-IP' => nil,
'User-Agent' => WPScan::Browser.instance.default_user_agent, 'User-Agent' => WPScan::Browser.instance.default_user_agent,
'Authorization' => 'Token token=s3cRet' 'Authorization' => 'Token token=s3cRet'
} }
@@ -48,6 +44,16 @@ describe WPScan::DB::VulnApi do
let(:path) { 'path' } let(:path) { 'path' }
context 'when params used' do
it 'ensures they override the defaults' do
expect(Typhoeus).to receive(:get)
.with(api.uri.join(path), hash_including(cache_ttl: 0))
.and_return(Typhoeus::Response.new(code: 404))
api.get(path, cache_ttl: 0)
end
end
context 'when no timeouts' do context 'when no timeouts' do
before do before do
stub_request(:get, api.uri.join(path)) stub_request(:get, api.uri.join(path))