Avoids merging CLI params when calling VulnAPI - Ref #1451

2020-02-11 09:13:31 +00:00
parent 1b68bdb36c
commit 6b241ce9b3
2 changed files with 18 additions and 10 deletions
--- a/lib/wpscan/db/vuln_api.rb
+++ b/lib/wpscan/db/vuln_api.rb
@@ -23,7 +23,8 @@ module WPScan
        return {} unless token
        return {} if path.end_with?('/latest') # Remove this when api/v4 is up

-        res = Browser.get(uri.join(path), params.merge(request_params))
+        # Typhoeus.get is used rather than Browser.get to avoid merging irrelevant params from the CLI
+        res = Typhoeus.get(uri.join(path), default_request_params.merge(params))

        return {} if res.code == 404 # This is for API inconsistencies when dots in path
        return JSON.parse(res.body) if NON_ERROR_CODES.include?(res.code)
@@ -65,12 +66,13 @@ module WPScan
      end

      # @return [ Hash ]
-      def self.request_params
-        {
+      # Those params can not be overriden by CLI options, except for the cache_ttl
+      def self.default_request_params
+        @default_request_params ||= {
+          timeout: 30,
+          connecttimeout: 15,
+          cache_ttl: Browser.instance.cache_ttl,
          headers: {
-            'Host' => uri.host, # Reset in case user provided a --vhost for the target
-            'Referer' => nil, # Removes referer set by the cmsscanner to the target url
-            'CF-Connecting-IP' => nil, # Removes in case user provided one for the target
            'User-Agent' => Browser.instance.default_user_agent,
            'Authorization' => "Token token=#{token}"
          }
--- a/spec/lib/db/vuln_api_spec.rb
+++ b/spec/lib/db/vuln_api_spec.rb
@@ -5,10 +5,6 @@ describe WPScan::DB::VulnApi do

  let(:request_headers) do
    {
-      'Host' => api.uri.host,
-      'Expect' => nil,
-      'Referer' => nil,
-      'CF-Connecting-IP' => nil,
      'User-Agent' => WPScan::Browser.instance.default_user_agent,
      'Authorization' => 'Token token=s3cRet'
    }
@@ -48,6 +44,16 @@ describe WPScan::DB::VulnApi do

      let(:path) { 'path' }

+      context 'when params used' do
+        it 'ensures they override the defaults' do
+          expect(Typhoeus).to receive(:get)
+            .with(api.uri.join(path), hash_including(cache_ttl: 0))
+            .and_return(Typhoeus::Response.new(code: 404))
+
+          api.get(path, cache_ttl: 0)
+        end
+      end
+
      context 'when no timeouts' do
        before do
          stub_request(:get, api.uri.join(path))