Checks for wp-content directly (depends on detection-mode) when not identified passively

2019-04-12 13:55:40 +01:00
parent 86eb5d2d57
commit ae343b8cb0
5 changed files with 71 additions and 5 deletions
--- a/spec/app/controllers/custom_directories_spec.rb
+++ b/spec/app/controllers/custom_directories_spec.rb
@@ -19,8 +19,8 @@ describe WPScan::Controller::CustomDirectories do
  end

  describe '#before_scan' do
-    context 'when the content_dir is not found and not supply' do
-      before { expect(controller.target).to receive(:content_dir) }
+    context 'when the content_dir is not found and not supplied' do
+      before { expect(controller.target).to receive(:content_dir).with(:mixed) }

      it 'raises an exception' do
        expect { controller.before_scan }.to raise_error(WPScan::Error::WpContentDirNotDetected)
--- a/spec/shared_examples/target/platform/wordpress/custom_directories.rb
+++ b/spec/shared_examples/target/platform/wordpress/custom_directories.rb
@@ -15,6 +15,61 @@ shared_examples 'WordPress::CustomDirectories' do
        expect(target.content_dir).to eql expected
      end
    end
+
+    context 'when not found via the homepage' do
+      before { stub_request(:get, target.url).to_return(body: '') }
+
+      context 'when detection mode is passive' do
+        it 'returns nil' do
+          expect(target).not_to receive(:default_content_dir_exist?)
+
+          expect(target.content_dir(:passive)).to eql nil
+        end
+      end
+
+      context 'when detection mode is mixed or aggressive' do
+        before { expect(target).to receive(:default_content_dir_exists?).and_return(dir_exist) }
+
+        %i[mixed aggressive].each do |mode|
+          context 'when default content dir exists' do
+            let(:dir_exist) { true }
+
+            it 'returns wp-content' do
+              expect(target.content_dir(mode)).to eql 'wp-content'
+            end
+          end
+
+          context 'when default content dir does not exist' do
+            let(:dir_exist) { false }
+
+            it 'returns nil' do
+              expect(target.content_dir(mode)).to eql nil
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe 'default_content_dir_exists?' do
+    before do
+      expect(target).to receive(:head_or_get_params).and_return(method: :head)
+      stub_request(:head, target.uri.join('wp-content/').to_s).to_return(status: status)
+    end
+
+    context 'when 404' do
+      let(:status) { 404 }
+
+      its(:default_content_dir_exists?) { should be false }
+    end
+
+    context 'when 200, 401 or 403' do
+      [200, 401, 403].each do |code|
+        let(:status) { code }
+
+        its(:default_content_dir_exists?) { should be true }
+      end
+    end
  end

  describe '#content_dir=, #plugins_dir=' do