Fixes #1529

spec/app/finders/users/author_sitemap_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+describe WPScan::Finders::Users::AuthorSitemap do
+  subject(:finder) { described_class.new(target) }
+  let(:target)     { WPScan::Target.new(url) }
+  let(:url)        { 'http://wp.lab/' }
+  let(:fixtures)   { FINDERS_FIXTURES.join('users', 'author_sitemap') }
+
+  describe '#aggressive' do
+    before do
+      allow(target).to receive(:sub_dir).and_return(false)
+
+      stub_request(:get, finder.sitemap_url).to_return(body: body)
+    end
+
+    context 'when not an XML response' do
+      let(:body) { '' }
+
+      its(:aggressive) { should eql([]) }
+    end
+
+    context 'when an XML response' do
+      context 'when no usernames disclosed' do
+        let(:body) { File.read(fixtures.join('no_usernames.xml')) }
+
+        its(:aggressive) { should eql([]) }
+      end
+
+      context 'when usernames disclosed' do
+        let(:body) { File.read(fixtures.join('usernames.xml')) }
+
+        it 'returns the expected array of users' do
+          users = finder.aggressive
+
+          expect(users.size).to eql 2
+
+          expect(users.first.username).to eql 'admin'
+          expect(users.first.confidence).to eql 100
+          expect(users.first.interesting_entries).to eql ['http://wp.lab/wp-sitemap-users-1.xml']
+
+          expect(users.last.username).to eql 'author'
+          expect(users.last.confidence).to eql 100
+          expect(users.last.interesting_entries).to eql ['http://wp.lab/wp-sitemap-users-1.xml']
+        end
+      end
+    end
+  end
+end

spec/app/finders/users_spec.rb

@@ -8,7 +8,7 @@ describe WPScan::Finders::Users::Base do
   describe '#finders' do
     it 'contains the expected finders' do
       expect(user.finders.map { |f| f.class.to_s.demodulize })
-        .to eq %w[AuthorPosts WpJsonApi OembedApi RSSGenerator YoastSeoAuthorSitemap
+        .to eq %w[AuthorPosts WpJsonApi OembedApi RSSGenerator AuthorSitemap YoastSeoAuthorSitemap
                   AuthorIdBruteForcing LoginErrorMessages]
     end
   end

spec/fixtures/finders/users/author_sitemap/no_usernames.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="http://wp.lab/wp-sitemap.xsl" ?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+</urlset>

spec/fixtures/finders/users/author_sitemap/usernames.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="http://wp.lab/wp-sitemap.xsl" ?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+  <url><loc>http://wp.lab/author/admin/</loc></url>
+  <url><loc>http://wp.lab//author/author/</loc></url>
+</urlset>