Fixes #1406

2019-10-07 07:03:06 +01:00
parent a53f88b626
commit a6855345d7
3 changed files with 19 additions and 3 deletions
--- a/app/finders/users/oembed_api.rb
+++ b/app/finders/users/oembed_api.rb
@@ -34,6 +34,8 @@ module WPScan
        def user_details_from_oembed_data(oembed_data)
          return unless oembed_data

+          oembed_data = oembed_data.first if oembed_data.is_a?(Array)
+
          if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
            details = [Regexp.last_match[1], 'Author URL', 90]
          elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?
--- a/spec/app/finders/users/oembed_api_spec.rb
+++ b/spec/app/finders/users/oembed_api_spec.rb
@@ -19,15 +19,17 @@ describe WPScan::Finders::Users::OembedApi do
    end

    context 'when a JSON response' do
+      let(:body) { File.read(fixture) }
+
      context 'when 404' do
-        let(:body) { File.read(fixtures.join('404.json')) }
+        let(:fixture) { fixtures.join('404.json') }

        its(:aggressive) { should eql([]) }
      end

      context 'when 200' do
        context 'when author_url present' do
-          let(:body) { File.read(fixtures.join('200_author_url.json')) }
+          let(:fixture) { fixtures.join('200_author_url.json') }

          it 'returns the expected array of users' do
            users = finder.aggressive
@@ -44,7 +46,7 @@ describe WPScan::Finders::Users::OembedApi do
        end

        context 'when author_url not present but author_name' do
-          let(:body) { File.read(fixtures.join('200_author_name.json')) }
+          let(:fixture) { fixtures.join('200_author_name.json') }

          it 'returns the expected array of users' do
            users = finder.aggressive
@@ -59,6 +61,12 @@ describe WPScan::Finders::Users::OembedApi do
            expect(user.interesting_entries).to eql ['http://wp.lab/wp-json/oembed/1.0/embed?url=http://wp.lab/&format=json']
          end
        end
+
+        context 'when body is an array' do
+          let(:fixture) { fixtures.join('array.json') }
+
+          its(:aggressive) { should eql([]) }
+        end
      end
    end
  end
--- a/spec/fixtures/finders/users/oembed_api/array.json
+++ b/spec/fixtures/finders/users/oembed_api/array.json
@@ -0,0 +1,6 @@
+[
+  {
+    "code":"json_no_route",
+    "message":"No route was found matching the URL and request method"
+  }
+]