garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

spec/ rubocopied

Browse Source
This commit is contained in:
erwanlr
2013-01-24 22:00:17 +01:00
parent 3094d31633
commit b919c12d2f
39 changed files with 1789 additions and 1675 deletions
Download Patch File Download Diff File Expand all files Collapse all files

225
spec/lib/browser_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -30,7 +31,7 @@ describe Browser do
end
before :each do
@browser = Browser.instance(:config_file => CONFIG_FILE_WITHOUT_PROXY)
@browser = Browser.instance(config_file: CONFIG_FILE_WITHOUT_PROXY)
end
def check_instance_variables(browser, json_expected_vars)
@@ -41,7 +42,7 @@ describe Browser do
end
end
describe "#user_agent_mode setter / getter" do
describe '#user_agent_mode setter / getter' do
# Testing all valid modes
Browser::USER_AGENT_MODES.each do |user_agent_mode|
it "should set / return #{user_agent_mode}" do
@@ -52,27 +53,27 @@ describe Browser do
it "shoud set the mode to 'static' if nil is given" do
@browser.user_agent_mode = nil
@browser.user_agent_mode.should === "static"
@browser.user_agent_mode.should === 'static'
end
it "should raise an error if the mode in not valid" do
expect { @browser.user_agent_mode = "invalid-mode" }.to raise_error
it 'should raise an error if the mode in not valid' do
expect { @browser.user_agent_mode = 'invalid-mode' }.to raise_error
end
end
describe "#max_threads=" do
it "should set max_threads to 1 if nil is given" do
describe '#max_threads=' do
it 'should set max_threads to 1 if nil is given' do
@browser.max_threads = nil
@browser.max_threads.should === 1
end
it "should set max_threads to 1 if 0 is given" do
it 'should set max_threads to 1 if 0 is given' do
@browser.max_threads = 0
@browser.max_threads.should === 1
end
end
describe "#proxy_auth=" do
describe '#proxy_auth=' do
after :each do
if @raise_error
expect { @browser.proxy_auth = @proxy_auth }.to raise_error
@@ -82,51 +83,51 @@ describe Browser do
end
end
it "should raise an error if the format is not correct" do
@proxy_auth = "invaludauthformat"
it 'should raise an error if the format is not correct' do
@proxy_auth = 'invaludauthformat'
@raise_error = true
end
it "should raise an error if the hash does not contain :proxy_username and :proxy_password" do
@proxy_auth = { :proxy_password => "hello" }
it 'should raise an error if the hash does not contain :proxy_username and :proxy_password' do
@proxy_auth = { proxy_password: 'hello' }
@raise_error = true
end
it "should raise an error if the auth if not a string or a hash" do
it 'should raise an error if the auth if not a string or a hash' do
@proxy_auth = 10
@raise_error = true
end
it "should set the correct credentials" do
@proxy_auth = {:proxy_username => "user", :proxy_password => "pass" }
it 'should set the correct credentials' do
@proxy_auth = { proxy_username: 'user', proxy_password: 'pass' }
@expected = @proxy_auth
end
it "should set the correct credentials" do
@proxy_auth = "username:passwd"
@expected = {:proxy_username => "username", :proxy_password => "passwd" }
it 'should set the correct credentials' do
@proxy_auth = 'username:passwd'
@expected = { proxy_username: 'username', proxy_password: 'passwd' }
end
end
describe "#user_agent" do
describe '#user_agent' do
available_user_agents = %w{ ua-1 ua-2 ua-3 ua-4 ua-6 ua-7 ua-8 ua-9 ua-10 ua-11 ua-12 ua-13 ua-14 ua-15 ua-16 ua-17 }
it "should always return the same user agent in static mode" do
@browser.user_agent = "fake UA"
@browser.user_agent_mode = "static"
it 'should always return the same user agent in static mode' do
@browser.user_agent = 'fake UA'
@browser.user_agent_mode = 'static'
(1..3).each do
@browser.user_agent.should === "fake UA"
@browser.user_agent.should === 'fake UA'
end
end
it "should choose a random user_agent in the available_user_agents array an always return it" do
it 'should choose a random user_agent in the available_user_agents array an always return it' do
@browser.available_user_agents = available_user_agents
@browser.user_agent = "Firefox 11.0"
@browser.user_agent_mode = "semi-static"
@browser.user_agent = 'Firefox 11.0'
@browser.user_agent_mode = 'semi-static'
user_agent = @browser.user_agent
user_agent.should_not === "Firefox 11.0"
user_agent.should_not === 'Firefox 11.0'
available_user_agents.include?(user_agent).should be_true
(1..3).each do
@@ -134,9 +135,9 @@ describe Browser do
end
end
it "should return a random user agent each time" do
it 'should return a random user agent each time' do
@browser.available_user_agents = available_user_agents
@browser.user_agent_mode = "random"
@browser.user_agent_mode = 'random'
ua_1 = @browser.user_agent
ua_2 = @browser.user_agent
@@ -146,51 +147,51 @@ describe Browser do
end
end
describe "Singleton" do
it "should not allow #new" do
describe 'Singleton' do
it 'should not allow #new' do
expect { Browser.new }.to raise_error
end
end
describe "#instance with :config_file = #{CONFIG_FILE_WITHOUT_PROXY}" do
it "will check the instance vars" do
it 'will check the instance vars' do
Browser.reset
check_instance_variables(
Browser.instance(:config_file => CONFIG_FILE_WITHOUT_PROXY),
Browser.instance(config_file: CONFIG_FILE_WITHOUT_PROXY),
@json_config_without_proxy
)
end
end
describe "#instance with :config_file = #{CONFIG_FILE_WITH_PROXY}" do
it "will check the instance vars" do
it 'will check the instance vars' do
Browser.reset
check_instance_variables(
Browser.instance(:config_file => CONFIG_FILE_WITH_PROXY),
Browser.instance(config_file: CONFIG_FILE_WITH_PROXY),
@json_config_with_proxy
)
end
end
# TODO Write something to test all possible overriding
describe "override option : user_agent & threads" do
it "will check the instance vars, with an overriden one" do
describe 'override option : user_agent & threads' do
it 'will check the instance vars, with an overriden one' do
Browser.reset
check_instance_variables(
Browser.instance(
:config_file => CONFIG_FILE_WITHOUT_PROXY,
:user_agent => "fake IE"
config_file: CONFIG_FILE_WITHOUT_PROXY,
user_agent: 'fake IE'
),
@json_config_without_proxy.merge("user_agent" => "fake IE")
@json_config_without_proxy.merge('user_agent' => 'fake IE')
)
end
it "should not override the max_threads if max_threads = nil" do
it 'should not override the max_threads if max_threads = nil' do
Browser.reset
check_instance_variables(
Browser.instance(
:config_file => CONFIG_FILE_WITHOUT_PROXY,
:max_threads => nil
config_file: CONFIG_FILE_WITHOUT_PROXY,
max_threads: nil
),
@json_config_without_proxy
)
@@ -198,95 +199,95 @@ describe Browser do
end
# TODO
describe "#load_config" do
describe '#load_config' do
end
describe "#merge_request_params without proxy" do
it "should return the default params" do
describe '#merge_request_params without proxy' do
it 'should return the default params' do
expected_params = {
:disable_ssl_host_verification => true,
:disable_ssl_peer_verification => true,
:headers => {'user-agent' => @browser.user_agent},
:cache_timeout => @json_config_without_proxy['cache_timeout']
disable_ssl_host_verification: true,
disable_ssl_peer_verification: true,
headers: { 'user-agent' => @browser.user_agent },
cache_timeout: @json_config_without_proxy['cache_timeout']
}
@browser.merge_request_params().should == expected_params
end
it "should return the default params with some values overriden" do
it 'should return the default params with some values overriden' do
expected_params = {
:disable_ssl_host_verification => false,
:disable_ssl_peer_verification => true,
:headers => {'user-agent' => 'Fake IE'},
:cache_timeout => 0
disable_ssl_host_verification: false,
disable_ssl_peer_verification: true,
headers: { 'user-agent' => 'Fake IE' },
cache_timeout: 0
}
@browser.merge_request_params(
:disable_ssl_host_verification => false,
:headers => {'user-agent' => 'Fake IE'},
:cache_timeout => 0
disable_ssl_host_verification: false,
headers: { 'user-agent' => 'Fake IE' },
cache_timeout: 0
).should == expected_params
end
it "should return the defaul params with :headers:accept = 'text/html' (should not override :headers:user-agent)" do
it 'should return the defaul params with :headers:accept = \'text/html\' (should not override :headers:user-agent)' do
expected_params = {
:disable_ssl_host_verification => true,
:disable_ssl_peer_verification => true,
:headers => {'user-agent' => @browser.user_agent, 'accept' => 'text/html'},
:cache_timeout => @json_config_without_proxy['cache_timeout']
disable_ssl_host_verification: true,
disable_ssl_peer_verification: true,
headers: { 'user-agent' => @browser.user_agent, 'accept' => 'text/html' },
cache_timeout: @json_config_without_proxy['cache_timeout']
}
@browser.merge_request_params(:headers => {'accept' => 'text/html'}).should == expected_params
@browser.merge_request_params(headers: { 'accept' => 'text/html' }).should == expected_params
end
it "should merge the basic-auth" do
@browser.basic_auth = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
it 'should merge the basic-auth' do
@browser.basic_auth = 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='
expected_params = {
:disable_ssl_host_verification => true,
:disable_ssl_peer_verification => true,
:headers => {
"Authorization" => "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
"user-agent" => @browser.user_agent
},
:cache_timeout => @json_config_without_proxy['cache_timeout']
disable_ssl_host_verification: true,
disable_ssl_peer_verification: true,
cache_timeout: @json_config_without_proxy['cache_timeout'],
headers: {
'Authorization' => 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==',
'user-agent' => @browser.user_agent
}
}
@browser.merge_request_params().should == expected_params
expected_params[:headers].merge!("user-agent" => "Fake FF")
@browser.merge_request_params(:headers => {"user-agent" => "Fake FF"}).should == expected_params
expected_params[:headers].merge!('user-agent' => 'Fake FF')
@browser.merge_request_params(headers: { 'user-agent' => 'Fake FF' }).should == expected_params
end
end
describe "#merge_request_params with proxy" do
it "should return the default params" do
describe '#merge_request_params with proxy' do
it 'should return the default params' do
Browser.reset
browser = Browser.instance(:config_file => CONFIG_FILE_WITH_PROXY)
browser = Browser.instance(config_file: CONFIG_FILE_WITH_PROXY)
expected_params = {
:proxy => @json_config_with_proxy['proxy'],
:disable_ssl_host_verification => true,
:disable_ssl_peer_verification => true,
:headers => {'user-agent' => @json_config_with_proxy['user_agent']},
:cache_timeout => @json_config_with_proxy['cache_timeout']
proxy: @json_config_with_proxy['proxy'],
disable_ssl_host_verification: true,
disable_ssl_peer_verification: true,
headers: { 'user-agent' => @json_config_with_proxy['user_agent'] },
cache_timeout: @json_config_with_proxy['cache_timeout']
}
browser.merge_request_params().should == expected_params
end
it "should return the default params (proxy_auth set)" do
it 'should return the default params (proxy_auth set)' do
Browser.reset
browser = Browser.instance(:config_file => CONFIG_FILE_WITH_PROXY_AND_AUTH)
browser = Browser.instance(config_file: CONFIG_FILE_WITH_PROXY_AND_AUTH)
expected_params = {
:proxy => @json_config_with_proxy['proxy'],
:proxy_username => "user",
:proxy_password => "pass",
:disable_ssl_host_verification => true,
:disable_ssl_peer_verification => true,
:headers => {'user-agent' => @json_config_with_proxy['user_agent']},
:cache_timeout => @json_config_with_proxy['cache_timeout']
proxy: @json_config_with_proxy['proxy'],
proxy_username: 'user',
proxy_password: 'pass',
disable_ssl_host_verification: true,
disable_ssl_peer_verification: true,
headers: { 'user-agent' => @json_config_with_proxy['user_agent'] },
cache_timeout: @json_config_with_proxy['cache_timeout']
}
browser.merge_request_params().should == expected_params
@@ -294,21 +295,21 @@ describe Browser do
end
# TODO
describe "#forge_request" do
describe '#forge_request' do
end
describe "#post" do
it "should return a Typhoeus::Response wth body = 'Welcome Master' if login=master&password=it's me !" do
describe '#post' do
it 'should return a Typhoeus::Response wth body = "Welcome Master" if login=master&password=it\'s me !' do
url = 'http://example.com/'
stub_request(:post, url).
with(:body => "login=master&password=it's me !").
to_return(:status => 200, :body => "Welcome Master")
with(body: "login=master&password=it's me !").
to_return(status: 200, body: 'Welcome Master')
response = @browser.post(
url,
:params => {:login => "master", :password => "it's me !"}
params: { login: 'master', password: 'it\'s me !' }
)
response.should be_a Typhoeus::Response
@@ -316,12 +317,12 @@ describe Browser do
end
end
describe "#get" do
describe '#get' do
it "should return a Typhoeus::Response with body = 'Hello World !'" do
url = 'http://example.com/'
stub_request(:get, url).
to_return(:status => 200, :body => "Hello World !")
to_return(status: 200, body: 'Hello World !')
response = @browser.get(url)
@@ -330,8 +331,8 @@ describe Browser do
end
end
describe "#Browser.generate_cache_key_from_request" do
it "2 requests with the same url, without params must have the same cache_key" do
describe '#Browser.generate_cache_key_from_request' do
it '2 requests with the same url, without params must have the same cache_key' do
url = 'http://example.com'
key1 = Browser.generate_cache_key_from_request(@browser.forge_request(url))
@@ -340,23 +341,23 @@ describe Browser do
key1.should === key2
end
it "2 requests with the same url, but with different params should have a different cache_key" do
it '2 requests with the same url, but with different params should have a different cache_key' do
url = 'http://example.com'
key1 = Browser.generate_cache_key_from_request(@browser.forge_request(url, :params => {:login => "master", :password => "it's me !"}))
key1 = Browser.generate_cache_key_from_request(@browser.forge_request(url, params: { login: 'master', password: 'it\'s me !' }))
key2 = Browser.generate_cache_key_from_request(@browser.forge_request(url))
key1.should_not == key2
end
end
describe "testing caching" do
it "should only do 1 request, and retrieve the other one from the cache" do
describe 'testing caching' do
it 'should only do 1 request, and retrieve the other one from the cache' do
url = 'http://example.localhost'
stub_request(:get, url).
to_return(:status => 200, :body => "Hello World !")
to_return(status: 200, body: 'Hello World !')
response1 = @browser.get(url)
response2 = @browser.get(url)
@@ -366,10 +367,10 @@ describe Browser do
end
end
describe "testing UTF8" do
it "should not throw an encoding exception" do
url = SPEC_FIXTURES_DIR + "/utf8.html"
stub_request(:get, url).to_return(:status => 200, :body => File.read(url))
describe 'testing UTF8' do
it 'should not throw an encoding exception' do
url = SPEC_FIXTURES_DIR + '/utf8.html'
stub_request(:get, url).to_return(status: 200, body: File.read(url))
response1 = @browser.get(url)
expect { response1.body }.to_not raise_error
end

29
spec/lib/cache_file_store_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -34,20 +35,20 @@ describe CacheFileStore do
@cache.clean
end
describe "#storage_path" do
it "returns the storage path given in the #new" do
describe '#storage_path' do
it 'returns the storage path given in the #new' do
@cache.storage_path.should == @cache_dir
end
end
describe "#serializer" do
it "should return the default serializer : Marshal" do
describe '#serializer' do
it 'should return the default serializer : Marshal' do
@cache.serializer.should == Marshal
@cache.serializer.should_not == YAML
end
end
describe "#clean" do
describe '#clean' do
it "should remove all files from the cache dir (#{@cache_dir}" do
# let's create some files into the directory first
(0..5).each do |i|
@@ -60,30 +61,30 @@ describe CacheFileStore do
end
end
describe "#read_entry (nonexistent entry)" do
it "should return nil" do
describe '#read_entry (nonexistent entry)' do
it 'should return nil' do
@cache.read_entry(Digest::SHA1.hexdigest('hello world')).should be_nil
end
end
describe "#write_entry, #read_entry" do
describe '#write_entry, #read_entry' do
after :each do
@cache.write_entry(@key, @data, @timeout)
@cache.read_entry(@key).should === @expected
end
it "should get the correct entry (string)" do
it 'should get the correct entry (string)' do
@timeout = 10
@key = "some_key"
@data = "Hello World !"
@key = 'some_key'
@data = 'Hello World !'
@expected = @data
end
it "should not write the entry" do
it 'should not write the entry' do
@timeout = 0
@key = "another_key"
@data = "Another Hello World !"
@key = 'another_key'
@data = 'Another Hello World !'
@expected = nil
end

122
spec/lib/common/custom_option_parser_spec.rb
View File

@@ -1,14 +1,16 @@
require "spec_helper"
# encoding: UTF-8
require 'spec_helper'
describe CustomOptionParser do
let(:parser) { CustomOptionParser.new }
describe "#new" do
describe '#new' do
end
describe "::option_to_symbol" do
describe '::option_to_symbol' do
after :each do
if @exception
expect { CustomOptionParser::option_to_symbol(@option) }.to raise_error(@exception)
@@ -17,135 +19,135 @@ describe CustomOptionParser do
end
end
context "without REQUIRED or OPTIONAL arguments" do
context "with short option" do
it "should return :test" do
@option = ["-t", "--test", "Testing"]
context 'without REQUIRED or OPTIONAL arguments' do
context 'with short option' do
it 'should return :test' do
@option = ['-t', '--test', 'Testing']
@expected = :test
end
it "should :its_a_long_option" do
@option = ["-l", "--its-a-long-option", "Testing '-' replacement"]
it 'should :its_a_long_option' do
@option = ['-l', '--its-a-long-option', "Testing '-' replacement"]
@expected = :its_a_long_option
end
end
context "without short option" do
it "should return :long" do
@option = ["--long", "The method should find the option name ('long')"]
context 'without short option' do
it 'should return :long' do
@option = ['--long', "The method should find the option name ('long')"]
@expected = :long
end
it "should return :long_option" do
@option = ["--long-option", "No short !"]
it 'should return :long_option' do
@option = ['--long-option', 'No short !']
@expected = :long_option
end
end
context "without long option" do
it "should raise an arror" do
@option = ["-v", "The long option is missing there"]
@exception = "Could not find the option name for [\"-v\", \"The long option is missing there\"]"
context 'without long option' do
it 'should raise an arror' do
@option = ['-v', 'The long option is missing there']
@exception = 'Could not find the option name for ["-v", "The long option is missing there"]'
end
it "should raise an error" do
@option = ["The long option is missing there"]
@exception = "Could not find the option name for [\"The long option is missing there\"]"
it 'should raise an error' do
@option = ['The long option is missing there']
@exception = 'Could not find the option name for ["The long option is missing there"]'
end
end
context "with multiple long option names (like alias)" do
it "should return :check_long and not :cl" do
@option = ["--check-long", "--cl"]
context 'with multiple long option names (like alias)' do
it 'should return :check_long and not :cl' do
@option = ['--check-long', '--cl']
@expected = :check_long
end
end
end
context "with REQUIRED or OPTIONAL arguments" do
it "should removed the OPTIONAL argument" do
@option = ["-p", "--page [PAGE_NUMBER]"]
context 'with REQUIRED or OPTIONAL arguments' do
it 'should removed the OPTIONAL argument' do
@option = ['-p', '--page [PAGE_NUMBER]']
@expected = :page
end
it "should removed the REQUIRED argument" do
@option = ["--url TARGET_URL"]
it 'should removed the REQUIRED argument' do
@option = ['--url TARGET_URL']
@expected = :url
end
end
end
describe "#add_option" do
context "exception throwing if" do
describe '#add_option' do
context 'exception throwing if' do
after :each do
expect { parser.add_option(@option) }.to raise_error(@exception)
end
it "argument passed is not an Array" do
@option = "a simple String"
it 'argument passed is not an Array' do
@option = 'a simple String'
@exception = "The option must be an array, String supplied : 'a simple String'"
end
it "option name is already used" do
@option = ["-v", "--verbose", "Verbose mode"]
it 'option name is already used' do
@option = ['-v', '--verbose', 'Verbose mode']
parser.add_option(@option)
@exception = "The option verbose is already used !"
@exception = 'The option verbose is already used !'
end
end
it "should have had 2 symbols (:verbose, :url) to @symbols_used" do
parser.add_option(["-v", "--verbose"])
parser.add_option(["--url TARGET_URL"])
it 'should have had 2 symbols (:verbose, :url) to @symbols_used' do
parser.add_option(['-v', '--verbose'])
parser.add_option(['--url TARGET_URL'])
parser.symbols_used.sort.should === [:url, :verbose]
end
context "parsing" do
context 'parsing' do
before :each do
parser.add_option(["-u", "--url TARGET_URL", "Set the target url"])
parser.add_option(['-u', '--url TARGET_URL', 'Set the target url'])
end
it "should raise an error if an unknown option is supplied" do
expect { parser.parse!(["--verbose"]) }.to raise_error(OptionParser::InvalidOption)
it 'should raise an error if an unknown option is supplied' do
expect { parser.parse!(['--verbose']) }.to raise_error(OptionParser::InvalidOption)
end
it "should raise an error if an option require an argument which is not supplied" do
expect { parser.parse!(["--url"]) }.to raise_error(OptionParser::MissingArgument)
it 'should raise an error if an option require an argument which is not supplied' do
expect { parser.parse!(['--url']) }.to raise_error(OptionParser::MissingArgument)
end
it "should retrieve the correct argument" do
parser.parse!(["-u", "iam_the_target"])
parser.results.should === { :url => "iam_the_target" }
it 'should retrieve the correct argument' do
parser.parse!(['-u', 'iam_the_target'])
parser.results.should === { url: 'iam_the_target' }
end
end
end
describe "#add" do
it "should raise an error if the argument is not an Array or Array(Array)" do
expect { parser.add("Hello") }.to raise_error("Options must be at least an Array, or an Array(Array). String supplied")
describe '#add' do
it 'should raise an error if the argument is not an Array or Array(Array)' do
expect { parser.add('Hello') }.to raise_error('Options must be at least an Array, or an Array(Array). String supplied')
end
before :each do
parser.add(["-u", "--url TARGET_URL"])
parser.add(['-u', '--url TARGET_URL'])
end
context "single option" do
it "should add the :url option, and retrieve the correct argument" do
context 'single option' do
it 'should add the :url option, and retrieve the correct argument' do
parser.symbols_used.should === [:url]
parser.results(["-u", "target.com"]).should === { :url => "target.com" }
parser.results(['-u', 'target.com']).should === { url: 'target.com' }
end
end
context "multiple options" do
it "should add 2 options, and retrieve the correct arguments" do
context 'multiple options' do
it 'should add 2 options, and retrieve the correct arguments' do
parser.add([
["-v", "--verbose"],
["--test [TEST_NUMBER]"]
['-v', '--verbose'],
['--test [TEST_NUMBER]']
])
parser.symbols_used.sort.should === [:test, :url, :verbose]
parser.results(["-u", "wp.com", "-v", "--test"]).should === { :test => nil, :url => "wp.com", :verbose => true }
parser.results(['-u', 'wp.com', '-v', '--test']).should === { test: nil, url: 'wp.com', verbose: true }
end
end
end

34
spec/lib/common/plugins/plugin_spec.rb
View File

@@ -1,24 +1,26 @@
# encoding: UTF-8
require 'spec_helper'
describe Plugin do
subject(:plugin) { Plugin.new }
describe "#new" do
context "with some infos" do
describe '#new' do
context 'with some infos' do
subject(:plugin) { Plugin.new(infos) }
let(:infos) { {:author => "John"} }
let(:infos) { { author: 'John' } }
its(:author) { should === infos[:author] }
end
end
describe "#run" do
it "should raise a NotImplementedError" do
describe '#run' do
it 'should raise a NotImplementedError' do
expect { plugin.run }.to raise_error(NotImplementedError)
end
end
describe "#register_options" do
describe '#register_options' do
after :each do
if @exception
expect { plugin.register_options(*@options) }.to raise_error(@exception)
@@ -28,16 +30,22 @@ describe Plugin do
end
end
context "when an option is not an Array" do
it "should raise an error" do
@options = [["-v", "--verbose", "It's a valid option"], "Not a valid one"]
@exception = "Each option must be an array, String supplied"
context 'when an option is not an Array' do
it 'should raise an error' do
@options = [
['-v', '--verbose', 'It\'s a valid option'],
'Not a valid one'
]
@exception = 'Each option must be an array, String supplied'
end
end
context "when options are Arrays" do
it "should register the options" do
@options = [["-v", "--verbose", "Verbose mode"], ["-u", "--url TARGET_URL"]]
context 'when options are Arrays' do
it 'should register the options' do
@options = [
['-v', '--verbose', 'Verbose mode'],
['-u', '--url TARGET_URL']
]
@expected = *@options
end
end

42
spec/lib/common/plugins/plugins_spec.rb
View File

@@ -1,14 +1,16 @@
require "spec_helper"
# encoding: UTF-8
require 'spec_helper'
class TestPlugin < Plugin
def initialize
register_options(["-u", "--url"])
register_options(['-u', '--url'])
end
end
class AnotherPlugin < Plugin
def initialize
super(:author => "John")
super(author: 'John')
# No Options
end
end
@@ -19,28 +21,28 @@ describe Plugins do
let(:test_plugin) { TestPlugin.new }
let(:another_plugin) { AnotherPlugin.new }
describe "#new" do
context "without argument" do
describe '#new' do
context 'without argument' do
its(:option_parser) { should be_a CustomOptionParser }
it "should be an Array" do
it 'should be an Array' do
plugins.should be_an Array
end
end
context "with an option_parser argument" do
subject(:plugin) { Plugins.new(CustomOptionParser.new("the banner")) }
context 'with an option_parser argument' do
subject(:plugin) { Plugins.new(CustomOptionParser.new('the banner')) }
its(:option_parser) { should be_a CustomOptionParser }
its("option_parser.banner") { should === "the banner" }
its('option_parser.banner') { should === 'the banner' }
it "should raise an eror if the parser is not an instance of CustomOptionParser" do
expect { Plugins.new(OptionParser.new) }.to raise_error("The parser must be an instance of CustomOptionParser, OptionParser supplied")
it 'should raise an eror if the parser is not an instance of CustomOptionParser' do
expect { Plugins.new(OptionParser.new) }.to raise_error('The parser must be an instance of CustomOptionParser, OptionParser supplied')
end
end
end
describe "#register_plugin" do
describe '#register_plugin' do
after :each do
if @exception
expect { plugins.register_plugin(@plugin) }.to raise_error(@exception)
@@ -51,19 +53,19 @@ describe Plugins do
end
end
context "when the argument supplied is not an instance of Plugin" do
it "should raise an error" do
context 'when the argument supplied is not an instance of Plugin' do
it 'should raise an error' do
@plugin = "I'am a String"
@exception = "The argument must be an instance of Plugin, String supplied"
@exception = 'The argument must be an instance of Plugin, String supplied'
end
end
it "should register the plugin" do
it 'should register the plugin' do
@plugin = TestPlugin.new
@expected = [@plugin]
end
it "should register 2 plugins (the order is important)" do
it 'should register 2 plugins (the order is important)' do
plugins.register_plugin(test_plugin)
@plugin = another_plugin
@@ -71,7 +73,7 @@ describe Plugins do
end
end
describe "#register" do
describe '#register' do
after :each do
plugins.register(*@plugins_to_register)
@@ -83,11 +85,11 @@ describe Plugins do
plugins.should === @plugins_to_register
end
it "should register 1 plugin" do
it 'should register 1 plugin' do
@plugins_to_register = [test_plugin]
end
it "should register 2 plugins" do
it 'should register 2 plugins' do
@plugins_to_register = [another_plugin, test_plugin]
end
end

60
spec/lib/common_helper_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -18,57 +19,58 @@
require File.expand_path(File.dirname(__FILE__) + '../../../lib/wpscan/wpscan_helper')
describe "common_helper" do
describe "#get_equal_string" do
describe 'common_helper' do
describe '#get_equal_string' do
after :each do
output = get_equal_string_end(@input)
output.should == @expected
end
it "sould return an empty string" do
@input = [""]
@expected = ""
it 'sould return an empty string' do
@input = ['']
@expected = ''
end
it "sould return an empty string" do
it 'sould return an empty string' do
@input = []
@expected = ""
@expected = ''
end
it "sould return asdf" do
@input = ["kjh asdf", "oijr asdf"]
@expected = " asdf"
it 'sould return asdf' do
@input = ['kjh asdf', 'oijr asdf']
@expected = ' asdf'
end
it "sould return &laquo; BlogName" do
@input = ["user1 &laquo; BlogName",
"user2 &laquo; BlogName",
"user3 &laquo; BlogName",
"user4 &laquo; BlogName"]
@expected = " &laquo; BlogName"
it 'sould return &laquo; BlogName' do
@input = ['user1 &laquo; BlogName',
'user2 &laquo; BlogName',
'user3 &laquo; BlogName',
'user4 &laquo; BlogName']
@expected = ' &laquo; BlogName'
end
it "sould return an empty string" do
it 'sould return an empty string' do
@input = %w{user1 user2 user3 user4}
@expected = ""
@expected = ''
end
it "sould return an empty string" do
@input = ["user1 &laquo; BlogName",
"user2 &laquo; BlogName",
"user3 &laquo; BlogName",
"user4 &laquo; BlogNamea"]
@expected = ""
it 'sould return an empty string' do
@input = ['user1 &laquo; BlogName',
'user2 &laquo; BlogName',
'user3 &laquo; BlogName',
'user4 &laquo; BlogNamea']
@expected = ''
end
it "sould return an empty string" do
it 'sould return an empty string' do
@input = %w{ user1 }
@expected = ""
@expected = ''
end
it "sould return | test" do
@input = ["admin | test", "test | test"]
@expected = " | test"
it 'sould return | test' do
@input = ['admin | test', 'test | test']
@expected = ' | test'
end
end
end

40
spec/lib/updater/git_updater_spec.rb
View File

@@ -1,3 +1,5 @@
# encoding: UTF-8
require 'spec_helper'
describe GitUpdater do
@@ -6,65 +8,65 @@ describe GitUpdater do
@git_updater = GitUpdater.new
end
describe "#is_installed?" do
describe '#is_installed?' do
after :each do
stub_system_command(@git_updater, /^git .* status/, @stub_value)
@git_updater.is_installed?.should === @expected
end
it "should return false if the command is not found" do
@stub_value = "git: command not found"
it 'should return false if the command is not found' do
@stub_value = 'git: command not found'
@expected = false
end
it "should return true if the repo is a git one" do
it 'should return true if the repo is a git one' do
@stub_value = "# On branch master\n# Changed but not updated:"
@expected = true
end
end
describe "#local_revision_number" do
describe '#local_revision_number' do
after :each do
stub_system_command(@git_updater, /^git .* log/, @stub_value)
@git_updater.local_revision_number.should === @expected
end
it "should return 79c01f3" do
@stub_value = "
it 'should return 79c01f3' do
@stub_value = '
commit 79c01f3ed535a8e33876ea091d8217cae7df4028
Author: Moi <tadimm>
Date: Wed Jul 11 23:22:16 2012 +0100"
@expected = "79c01f3"
Date: Wed Jul 11 23:22:16 2012 +0100'
@expected = '79c01f3'
end
end
describe "#update" do
it "should do nothing xD" do
stub_system_command(@git_updater, /^git .* pull/, "Already up-to-date.")
@git_updater.update().should === "Already up-to-date."
describe '#update' do
it 'should do nothing xD' do
stub_system_command(@git_updater, /^git .* pull/, 'Already up-to-date.')
@git_updater.update().should === 'Already up-to-date.'
end
end
describe "#has_local_changes?" do
describe '#has_local_changes?' do
after :each do
stub_system_command(@git_updater, /^git .* diff --exit-code 2>&1/, @stub_value)
@git_updater.has_local_changes?.should === @expected
end
it "should return true if there are local changes" do
it 'should return true if there are local changes' do
@stub_value = 'diff'
@expected = true
end
it "should return false if there are no local changes" do
it 'should return false if there are no local changes' do
@stub_value = ''
@expected = false
end
end
describe "#reset_head" do
it "should reset the local repo" do
stub_system_command(@git_updater, /^git .* reset --hard HEAD/, "HEAD is now at")
describe '#reset_head' do
it 'should reset the local repo' do
stub_system_command(@git_updater, /^git .* reset --hard HEAD/, 'HEAD is now at')
@git_updater.reset_head.should match(/^HEAD is now at/)
end
end

26
spec/lib/updater/svn_updater_spec.rb
View File

@@ -1,3 +1,5 @@
# encoding: UTF-8
require 'spec_helper'
describe SvnUpdater do
@@ -6,23 +8,23 @@ describe SvnUpdater do
@svn_updater = SvnUpdater.new
end
describe "#is_installed?" do
describe '#is_installed?' do
after :each do
stub_system_command(@svn_updater, /^svn info/, @stub_value)
@svn_updater.is_installed?.should === @expected
end
it "should return false if the svn command is not found" do
@stub_value = "svn: command not found"
it 'should return false if the svn command is not found' do
@stub_value = 'svn: command not found'
@expected = false
end
it "should return false if the repository is not manage by svn" do
it 'should return false if the repository is not manage by svn' do
@stub_value = "svn: '.' is not a working copy"
@expected = false
end
it "should return true" do
it 'should return true' do
@stub_value = '<?xml version="1.0"?>
<info>
<entry kind="dir" path="." revision="362">
@@ -45,13 +47,13 @@ describe SvnUpdater do
end
end
describe "#local_revision_number" do
describe '#local_revision_number' do
after :each do
stub_system_command(@svn_updater, /^svn info/, @stub_value)
@svn_updater.local_revision_number.should === @expected
end
it "should return 399" do
it 'should return 399' do
@stub_value = '<?xml version="1.0"?>
<info>
<entry kind="dir" path="." revision="362">
@@ -70,14 +72,14 @@ describe SvnUpdater do
</commit>
</entry>
</info>'
@expected = "362"
@expected = '362'
end
end
describe "#update" do
it "should do nothing xD" do
stub_system_command(@svn_updater, /^svn up/, "At revision 425.")
@svn_updater.update().should === "At revision 425."
describe '#update' do
it 'should do nothing xD' do
stub_system_command(@svn_updater, /^svn up/, 'At revision 425.')
@svn_updater.update().should === 'At revision 425.'
end
end

10
spec/lib/updater/updater_factory_spec.rb
View File

@@ -1,17 +1,19 @@
# encoding: UTF-8
require 'spec_helper'
describe UpdaterFactory do
describe "#available_updaters_classes" do
describe '#available_updaters_classes' do
after :each do
UpdaterFactory.available_updaters_classes.sort.should === @expected.sort
end
it "should return [:GitUpdater, :SvnUpdater]" do
it 'should return [:GitUpdater, :SvnUpdater]' do
@expected = [:GitUpdater, :SvnUpdater]
end
it "should return [:TestUpdater, :GitUpdater, :SvnUpdater]" do
it 'should return [:TestUpdater, :GitUpdater, :SvnUpdater]' do
class TestUpdater < Updater
end
@@ -20,7 +22,7 @@ describe UpdaterFactory do
end
# TODO : Find a way to test that
describe "#get_updater" do
describe '#get_updater' do
end

6
spec/lib/updater/updater_spec.rb
View File

@@ -1,3 +1,5 @@
# encoding: UTF-8
require 'spec_helper'
describe Updater do
@@ -11,8 +13,8 @@ describe Updater do
Object.send(:remove_const, :TestUpdater)
end
describe "non implementation of #is_installed?, #has_update? and #update" do
it "should raise errors" do
describe 'non implementation of #is_installed?, #has_update? and #update' do
it 'should raise errors' do
test_updater = TestUpdater.new
methods_to_call = [:is_installed?, :update, :local_revision_number]

43
spec/lib/wpscan/modules/brute_force_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,56 +17,56 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "BruteForce" do
shared_examples_for 'BruteForce' do
before :each do
@module = WpScanModuleSpec.new("http://example.localhost")
@module = WpScanModuleSpec.new('http://example.localhost')
@target_url = @module.uri.to_s
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + "/bruteforce"
@wordlist = @fixtures_dir + "/wordlist.txt"
@username = "admin"
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/bruteforce'
@wordlist = @fixtures_dir + '/wordlist.txt'
@username = 'admin'
@module.extend(BruteForce)
Browser.instance.max_threads = 1
end
describe "#lines_in_file" do
it "should return 6" do
describe '#lines_in_file' do
it 'should return 6' do
lines = BruteForce.lines_in_file(@wordlist)
lines.should == 6
end
end
describe "#brute_force" do
describe '#brute_force' do
before :each do
end
it "should get the correct password" do
it 'should get the correct password' do
passwords = []
File.open(@wordlist, "r").each do |password|
File.open(@wordlist, 'r').each do |password|
# ignore comments
passwords << password.strip unless password.strip[0,1] == "#"
passwords << password.strip unless password.strip[0, 1] == '#'
end
# Last status must be 302 to get full code coverage
passwords.each do ||
passwords.each do |_|
stub_request(:any, @module.login_url).to_return(
{ :status => 200, :body => "login_error" },
{ :status => 0, :body => "no reponse" },
{ :status => 50, :body => "server error" },
{ :status => 999, :body => "invalid" },
{ :status => 302, :body => "FOUND!" }
{ status: 200, body: 'login_error' },
{ status: 0, body: 'no reponse' },
{ status: 50, body: 'server error' },
{ status: 999, body: 'invalid' },
{ status: 302, body: 'FOUND!' }
)
end
user = WpUser.new("admin", 1, nil)
user = WpUser.new('admin', 1, nil)
result = @module.brute_force([user], @wordlist)
result.length.should == 1
result.should === [{ :name => "admin", :password => "root" }]
result.should === [{ name: 'admin', password: 'root' }]
end
it "should cover the timeout branch and return an empty array" do
it 'should cover the timeout branch and return an empty array' do
stub_request(:any, @module.login_url).to_timeout
user = WpUser.new("admin", 1, nil)
user = WpUser.new('admin', 1, nil)
result = @module.brute_force([user], @wordlist)
result.should == []
end

35
spec/lib/wpscan/modules/malwares_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "Malwares" do
shared_examples_for 'Malwares' do
before :each do
@module = WpScanModuleSpec.new('http://example.localhost')
@@ -27,16 +28,16 @@ shared_examples_for "Malwares" do
@module.extend(Malwares)
end
describe "#malwares_file" do
describe '#malwares_file' do
it "should return #{SPEC_FIXTURES_WPSCAN_MODULES_DIR}/wp_malwares.txt" do
Malwares.malwares_file(@malwares_file_path).should === @malwares_file_path
end
end
describe "#malwares & #has_malwares" do
describe '#malwares & #has_malwares' do
after :each do
if @fixture
stub_request_to_fixture(:url => @target_url, :fixture => File.new(@fixture))
stub_request_to_fixture(url: @target_url, fixture: File.new(@fixture))
end
malwares = @module.malwares(@malwares_file_path)
@@ -44,30 +45,30 @@ shared_examples_for "Malwares" do
malwares.sort.should === @expected_malwares.sort
@module.has_malwares?.should === (@expected_malwares.empty? ? false : true)
end
it "should return an empty array on a 404" do
stub_request(:get, @target_url).to_return(:status => 404)
it 'should return an empty array on a 404' do
stub_request(:get, @target_url).to_return(status: 404)
@expected_malwares = []
end
it "should return an array empty array if no infection found" do
@fixture = @fixtures_dir + "/clean.html"
it 'should return an array empty array if no infection found' do
@fixture = @fixtures_dir + '/clean.html'
@expected_malwares = []
end
it "should return an array with 1 malware url (.rr.nu check)" do
@fixture = @fixtures_dir + "/single-infection.html"
@expected_malwares = ["http://irstde24clined.rr.nu/mm.php?d=1"]
it 'should return an array with 1 malware url (.rr.nu check)' do
@fixture = @fixtures_dir + '/single-infection.html'
@expected_malwares = ['http://irstde24clined.rr.nu/mm.php?d=1']
end
it "should return an array with 1 malware url (iframe check)" do
@fixture = @fixtures_dir + "/single-iframe-infection.html"
@expected_malwares = ["http://www.thesea.org/media.php"]
it 'should return an array with 1 malware url (iframe check)' do
@fixture = @fixtures_dir + '/single-iframe-infection.html'
@expected_malwares = ['http://www.thesea.org/media.php']
end
it "should return an array with 3 malwares url" do
@fixture = @fixtures_dir + "/multiple-infections.html"
@expected_malwares = ["http://irstde24clined.rr.nu/mm.php?d=1", "http://atio79srem.rr.nu/pmg.php?dr=1", "http://www.thesea.org/media.php"]
it 'should return an array with 3 malwares url' do
@fixture = @fixtures_dir + '/multiple-infections.html'
@expected_malwares = ['http://irstde24clined.rr.nu/mm.php?d=1', 'http://atio79srem.rr.nu/pmg.php?dr=1', 'http://www.thesea.org/media.php']
end
end

129
spec/lib/wpscan/modules/web_site_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,165 +17,165 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WebSite" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_MODULES_DIR + "/web_site" }
subject(:web_site) { WpScanModuleSpec.new("http://example.localhost/").extend(WebSite) }
shared_examples_for 'WebSite' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/web_site' }
subject(:web_site) { WpScanModuleSpec.new('http://example.localhost/').extend(WebSite) }
describe "#online?" do
it "should not be considered online if the status code is 0" do
stub_request(:get, web_site.url).to_return(:status => 0)
describe '#online?' do
it 'should not be considered online if the status code is 0' do
stub_request(:get, web_site.url).to_return(status: 0)
web_site.should_not be_online
end
it "should be considered online if the status code is != 0" do
stub_request(:get, web_site.url).to_return(:status => 200)
it 'should be considered online if the status code is != 0' do
stub_request(:get, web_site.url).to_return(status: 200)
web_site.should be_online
end
end
describe "#has_basic_auth?" do
it "should detect that the wpsite is basic auth protected" do
stub_request(:get, web_site.url).to_return(:status => 401)
describe '#has_basic_auth?' do
it 'should detect that the wpsite is basic auth protected' do
stub_request(:get, web_site.url).to_return(status: 401)
web_site.should have_basic_auth
end
it "should not have a basic auth for a 200" do
stub_request(:get, web_site.url).to_return(:status => 200)
it 'should not have a basic auth for a 200' do
stub_request(:get, web_site.url).to_return(status: 200)
web_site.should_not have_basic_auth
end
end
describe "#xml_rpc_url" do
it "should return the correct url : http://example.localhost/xmlrpc.php" do
xmlrpc = "http://example.localhost/xmlrpc.php"
describe '#xml_rpc_url' do
it 'should return the correct url : http://example.localhost/xmlrpc.php' do
xmlrpc = 'http://example.localhost/xmlrpc.php'
stub_request(:get, web_site.url).
to_return(:status => 200, :body => "", :headers => { "X-Pingback" => xmlrpc})
to_return(status: 200, body: '', headers: { 'X-Pingback' => xmlrpc})
web_site.xml_rpc_url.should === xmlrpc
end
it "should return nil" do
stub_request(:get, web_site.url).to_return(:status => 200)
it 'should return nil' do
stub_request(:get, web_site.url).to_return(status: 200)
web_site.xml_rpc_url.should be_nil
end
end
describe "#has_xml_rpc?" do
it "should return true" do
describe '#has_xml_rpc?' do
it 'should return true' do
stub_request(:get, web_site.url).
to_return(:status => 200, :body => "", :headers => { "X-Pingback" => "xmlrpc"})
to_return(status: 200, body: '', headers: { 'X-Pingback' => 'xmlrpc'})
web_site.should have_xml_rpc
end
it "should return false" do
stub_request(:get, web_site.url).to_return(:status => 200)
it 'should return false' do
stub_request(:get, web_site.url).to_return(status: 200)
web_site.should_not have_xml_rpc
end
end
describe "#wordpress?" do
describe '#wordpress?' do
# each url (wp-login and xmlrpc) pointed to a 404
before :each do
stub_request(:get, web_site.url).
to_return(:status => 200, :body => "", :headers => { "X-Pingback" => web_site.uri.merge("xmlrpc.php")})
to_return(status: 200, body: '', headers: { 'X-Pingback' => web_site.uri.merge('xmlrpc.php')})
[web_site.login_url, web_site.xml_rpc_url].each do |url|
stub_request(:get, url).to_return(:status => 404, :body => "")
stub_request(:get, url).to_return(status: 404, body: '')
end
end
it "should return false if both files are not found (404)" do
it 'should return false if both files are not found (404)' do
web_site.should_not be_wordpress
end
it "should return true if the wp-login is found and is a valid wordpress one" do
it 'should return true if the wp-login is found and is a valid wordpress one' do
stub_request(:get, web_site.login_url).
to_return(:status => 200, :body => File.new(fixtures_dir + "/wp-login.php"))
to_return(status: 200, body: File.new(fixtures_dir + '/wp-login.php'))
web_site.should be_wordpress
end
it "should return true if the xmlrpc is found" do
it 'should return true if the xmlrpc is found' do
stub_request(:get, web_site.xml_rpc_url).
to_return(:status => 200, :body => File.new(fixtures_dir + "/xmlrpc.php"))
to_return(status: 200, body: File.new(fixtures_dir + '/xmlrpc.php'))
web_site.should be_wordpress
end
end
describe "#redirection" do
it "should return nil if no redirection detected" do
stub_request(:get, web_site.url).to_return(:status => 200, :body => "")
describe '#redirection' do
it 'should return nil if no redirection detected' do
stub_request(:get, web_site.url).to_return(status: 200, body: '')
web_site.redirection.should be_nil
end
[301, 302].each do |status_code|
it "should return http://new-location.com if the status code is #{status_code}" do
new_location = "http://new-location.com"
new_location = 'http://new-location.com'
stub_request(:get, web_site.url).
to_return(:status => status_code, :headers => { :location => new_location })
to_return(status: status_code, headers: { location: new_location })
stub_request(:get, new_location).to_return(:status => 200)
stub_request(:get, new_location).to_return(status: 200)
web_site.redirection.should === "http://new-location.com"
web_site.redirection.should === 'http://new-location.com'
end
end
context "when multiple redirections" do
it "should return the last redirection" do
first_redirection = "www.redirection.com"
last_redirection = "redirection.com"
context 'when multiple redirections' do
it 'should return the last redirection' do
first_redirection = 'www.redirection.com'
last_redirection = 'redirection.com'
stub_request(:get, web_site.url).to_return(:status => 301, :headers => { :location => first_redirection })
stub_request(:get, first_redirection).to_return(:status => 302, :headers => { :location => last_redirection })
stub_request(:get, last_redirection).to_return(:status => 200)
stub_request(:get, web_site.url).to_return(status: 301, headers: { location: first_redirection })
stub_request(:get, first_redirection).to_return(status: 302, headers: { location: last_redirection })
stub_request(:get, last_redirection).to_return(status: 200)
web_site.redirection.should === last_redirection
end
end
end
describe "#page_hash" do
it "should return the MD5 hash of the page" do
url = "http://e.localhost/somepage.php"
body = "Hello World !"
describe '#page_hash' do
it 'should return the MD5 hash of the page' do
url = 'http://e.localhost/somepage.php'
body = 'Hello World !'
stub_request(:get, url).to_return(:body => body)
stub_request(:get, url).to_return(body: body)
WebSite.page_hash(url).should === Digest::MD5.hexdigest(body)
end
end
describe "#homepage_hash" do
it "should return the MD5 hash of the homepage" do
body = "Hello World"
describe '#homepage_hash' do
it 'should return the MD5 hash of the homepage' do
body = 'Hello World'
stub_request(:get, web_site.url).to_return(:body => body)
stub_request(:get, web_site.url).to_return(body: body)
web_site.homepage_hash.should === Digest::MD5.hexdigest(body)
end
end
describe "#error_404_hash" do
it "should return the md5sum of the 404 page" do
describe '#error_404_hash' do
it 'should return the md5sum of the 404 page' do
stub_request(:any, /.*/).
to_return(:status => 404, :body => "404 page !")
to_return(status: 404, body: '404 page !')
web_site.error_404_hash.should === Digest::MD5.hexdigest("404 page !")
web_site.error_404_hash.should === Digest::MD5.hexdigest('404 page !')
end
end
describe "#rss_url" do
it "should return nil if the url is not found" do
stub_request(:get, web_site.url).to_return(:body => "No RSS link in this body !")
describe '#rss_url' do
it 'should return nil if the url is not found' do
stub_request(:get, web_site.url).to_return(body: 'No RSS link in this body !')
web_site.rss_url.should be_nil
end
it "should return 'http://lamp-wp/wordpress-3.5/?feed=rss2'" do
stub_request_to_fixture(:url => web_site.url, :fixture => fixtures_dir + "/rss_url/wordpress-3.5.htm")
web_site.rss_url.should === "http://lamp-wp/wordpress-3.5/?feed=rss2"
stub_request_to_fixture(url: web_site.url, fixture: fixtures_dir + '/rss_url/wordpress-3.5.htm')
web_site.rss_url.should === 'http://lamp-wp/wordpress-3.5/?feed=rss2'
end
end
end

21
spec/lib/wpscan/modules/wp_config_backup_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpConfigBackup" do
shared_examples_for 'WpConfigBackup' do
before :all do
@module = WpScanModuleSpec.new('http://example.localhost')
@@ -26,7 +27,7 @@ shared_examples_for "WpConfigBackup" do
@module.extend(WpConfigBackup)
end
describe "#config_backup" do
describe '#config_backup' do
# set all @config_backup_files to point to a 404
before :each do
@@ -34,15 +35,15 @@ shared_examples_for "WpConfigBackup" do
file_url = @module.uri.merge(URI.escape(backup_file)).to_s
stub_request(:get, file_url).
to_return(:status => 404, :body => "")
to_return(status: 404, body: '')
end
end
it "shoud return an empty array if no config backup is present" do
it 'shoud return an empty array if no config backup is present' do
@module.config_backup.should be_empty
end
it "should return an array with 1 backup file" do
it 'should return an array with 1 backup file' do
expected = []
@config_backup_files.sample(1).each do |backup_file|
@@ -50,7 +51,7 @@ shared_examples_for "WpConfigBackup" do
expected << file_url
stub_request(:get, file_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/wp-config.php'))
to_return(status: 200, body: File.new(@fixtures_dir + '/wp-config.php'))
end
wp_config_backup = @module.config_backup
@@ -59,7 +60,7 @@ shared_examples_for "WpConfigBackup" do
end
# Is there a way to factorise that one with the previous test ?
it "should return an array with 2 backup file" do
it 'should return an array with 2 backup file' do
expected = []
@config_backup_files.sample(2).each do |backup_file|
@@ -67,7 +68,7 @@ shared_examples_for "WpConfigBackup" do
expected << file_url
stub_request(:get, file_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/wp-config.php'))
to_return(status: 200, body: File.new(@fixtures_dir + '/wp-config.php'))
end
wp_config_backup = @module.config_backup
@@ -76,8 +77,8 @@ shared_examples_for "WpConfigBackup" do
end
end
describe "#config_backup_files" do
it "should not contain duplicates" do
describe '#config_backup_files' do
it 'should not contain duplicates' do
WpConfigBackup.config_backup_files.flatten.uniq.length.should == WpConfigBackup.config_backup_files.length
end
end

23
spec/lib/wpscan/modules/wp_full_path_disclosure_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpFullPathDisclosure" do
shared_examples_for 'WpFullPathDisclosure' do
before :all do
@module = WpScanModuleSpec.new('http://example.localhost')
@@ -25,31 +26,31 @@ shared_examples_for "WpFullPathDisclosure" do
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_full_path_disclosure'
end
describe "#full_path_disclosure_url" do
it "should return http://example.localhost/wp-includes/rss-functions.php" do
@module.full_path_disclosure_url.should === "http://example.localhost/wp-includes/rss-functions.php"
describe '#full_path_disclosure_url' do
it 'should return http://example.localhost/wp-includes/rss-functions.php' do
@module.full_path_disclosure_url.should === 'http://example.localhost/wp-includes/rss-functions.php'
end
end
describe "#has_full_path_disclosure?" do
describe '#has_full_path_disclosure?' do
it "should return false on a 404" do
it 'should return false on a 404' do
stub_request(:get, @module.full_path_disclosure_url).
to_return(:status => 404)
to_return(status: 404)
@module.has_full_path_disclosure?.should be_false
end
it "should return false if no fpd found (blank page for example)" do
it 'should return false if no fpd found (blank page for example)' do
stub_request(:get, @module.full_path_disclosure_url).
to_return(:status => 200, :body => "")
to_return(status: 200, body: '')
@module.has_full_path_disclosure?.should be_false
end
it "should return true" do
it 'should return true' do
stub_request(:get, @module.full_path_disclosure_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/rss-functions-disclosure.php'))
to_return(status: 200, body: File.new(@fixtures_dir + '/rss-functions-disclosure.php'))
@module.has_full_path_disclosure?.should be_true
end

55
spec/lib/wpscan/modules/wp_login_protection_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpLoginProtection" do
shared_examples_for 'WpLoginProtection' do
before :each do
@module = WpScanModuleSpec.new('http://example.localhost')
@@ -25,15 +26,15 @@ shared_examples_for "WpLoginProtection" do
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_login_protection'
end
describe "#login_url" do
it "should return the login page url : http://example.localhost/wp-login.php" do
@module.login_url.should === "http://example.localhost/wp-login.php"
describe '#login_url' do
it 'should return the login page url : http://example.localhost/wp-login.php' do
@module.login_url.should === 'http://example.localhost/wp-login.php'
end
end
# It will test all protected methods has_.*_protection with each fixtures to be sure that
# there is not false positive : for example the login-lock must not be detected as login-lockdown
describe "#has_.*_protection?" do
describe '#has_.*_protection?' do
pattern = WpLoginProtection::LOGIN_PROTECTION_METHOD_PATTERN
fixtures =
@@ -47,7 +48,7 @@ shared_examples_for "WpLoginProtection" do
special_plugins = %w{better_wp_security simple_login_lockdown login_security_solution limit_login_attempts bluetrait_event_viewer}
after :each do
stub_request_to_fixture(:url => @module.login_url, :fixture => @fixture)
stub_request_to_fixture(url: @module.login_url, fixture: @fixture)
# Stub all special plugins urls to a 404 except if it's the one we want
special_plugins.each do |special_plugin|
@@ -55,7 +56,7 @@ shared_examples_for "WpLoginProtection" do
special_plugin_call_url_symbol = :"#{special_plugin}_url"
status_code = (@symbol_to_call === special_plugin_call_detection_symbol and @expected === true) ? 200 : 404
stub_request(:get, @module.send(special_plugin_call_url_symbol).to_s).to_return(:status => status_code)
stub_request(:get, @module.send(special_plugin_call_url_symbol).to_s).to_return(status: status_code)
end
@module.send(@symbol_to_call).should === @expected
@@ -79,39 +80,41 @@ shared_examples_for "WpLoginProtection" do
end
# Factorise this with the code above ? :D
describe "#login_protection_plugin" do
describe '#login_protection_plugin' do
after :each do
stub_request_to_fixture(:url => @module.login_url, :fixture => @fixture)
stub_request(:get, @module.send(:better_wp_security_url).to_s).to_return(:status => 404)
stub_request(:get, @module.send(:simple_login_lockdown_url).to_s).to_return(:status => 404)
stub_request(:get, @module.send(:login_security_solution_url).to_s).to_return(:status => 404)
stub_request(:get, @module.send(:limit_login_attempts_url).to_s).to_return(:status => 404)
stub_request(:get, @module.send(:bluetrait_event_viewer_url).to_s).to_return(:status => 404)
stub_request_to_fixture(url: @module.login_url, fixture: @fixture)
stub_request(:get, @module.send(:better_wp_security_url).to_s).to_return(status: 404)
stub_request(:get, @module.send(:simple_login_lockdown_url).to_s).to_return(status: 404)
stub_request(:get, @module.send(:login_security_solution_url).to_s).to_return(status: 404)
stub_request(:get, @module.send(:limit_login_attempts_url).to_s).to_return(status: 404)
stub_request(:get, @module.send(:bluetrait_event_viewer_url).to_s).to_return(status: 404)
@module.login_protection_plugin().should === @plugin_expected
@module.has_login_protection?.should === @has_protection_expected
end
it "should return nil if no protection is present" do
@fixture = @fixtures_dir + "/wp-login-clean.php"
it 'should return nil if no protection is present' do
@fixture = @fixtures_dir + '/wp-login-clean.php'
@plugin_expected = nil
@has_protection_expected = false
end
it "should return a login-lockdown WpPlugin object" do
@fixture = @fixtures_dir + "/wp-login-login_lockdown.php"
@plugin_expected = WpPlugin.new(:base_url => @module.url,
:path => "/plugins/login-lockdown/",
:name => "login-lockdown"
it 'should return a login-lockdown WpPlugin object' do
@fixture = @fixtures_dir + '/wp-login-login_lockdown.php'
@plugin_expected = WpPlugin.new(
base_url: @module.url,
path: '/plugins/login-lockdown/',
name: 'login-lockdown'
)
@has_protection_expected = true
end
it "should return a login-lock WpPlugin object" do
@fixture = @fixtures_dir + "/wp-login-login_lock.php"
@plugin_expected = WpPlugin.new(:base_url => @module.url,
:path => "/plugins/login-lock/",
:name => "login-lock"
it 'should return a login-lock WpPlugin object' do
@fixture = @fixtures_dir + '/wp-login-login_lock.php'
@plugin_expected = WpPlugin.new(
base_url: @module.url,
path: '/plugins/login-lock/',
name: 'login-lock'
)
@has_protection_expected = true
end

139
spec/lib/wpscan/modules/wp_plugins_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,96 +17,96 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpPlugins" do
shared_examples_for 'WpPlugins' do
before :all do
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_plugins'
@plugins_file = @fixtures_dir + "/plugins.txt"
@plugin_vulns_file = @fixtures_dir + "/plugin_vulns.xml"
@plugins_file = @fixtures_dir + '/plugins.txt'
@plugin_vulns_file = @fixtures_dir + '/plugin_vulns.xml'
@wp_url = "http://example.localhost/"
@wp_url = 'http://example.localhost/'
end
before :each do
@module = WpScanModuleSpec.new(@wp_url)
@module.error_404_hash = Digest::MD5.hexdigest("Error 404!")
@module.homepage_hash = Digest::MD5.hexdigest("Homepage!")
@module.error_404_hash = Digest::MD5.hexdigest('Error 404!')
@module.homepage_hash = Digest::MD5.hexdigest('Homepage!')
@module.extend(WpPlugins)
@options = {
:base_url => @wp_url,
:only_vulnerable_ones => false,
:show_progression => false,
:error_404_hash => @module.error_404_hash,
:homepage_hash => @module.homepage_hash,
:vulns_file => @plugin_vulns_file,
:file => @plugins_file,
:type => "plugins",
:wp_content_dir => "wp-content",
:vulns_xpath_2 => "//plugin"
base_url: @wp_url,
only_vulnerable_ones: false,
show_progression: false,
error_404_hash: @module.error_404_hash,
homepage_hash: @module.homepage_hash,
vulns_file: @plugin_vulns_file,
file: @plugins_file,
type: 'plugins',
wp_content_dir: 'wp-content',
vulns_xpath_2: '//plugin'
}
File.exist?(@plugin_vulns_file).should == true
File.exist?(@plugins_file).should == true
# These targets are listed in @fixtures_dir + "/plugins.txt"
# These targets are listed in @fixtures_dir + '/plugins.txt'
# TODO : load them directly from the fixture file
@targets = [
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "exclude-pages/exclude_pages.php",
:wp_content_dir => "wp-content",
:name => "exclude-pages"
base_url: 'http://example.localhost/',
path: 'exclude-pages/exclude_pages.php',
wp_content_dir: 'wp-content',
name: 'exclude-pages'
}),
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "display-widgets/display-widgets.php",
:wp_content_dir => "wp-content",
:name => "display-widgets"
base_url: 'http://example.localhost/',
path: 'display-widgets/display-widgets.php',
wp_content_dir: 'wp-content',
name: 'display-widgets'
}),
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "media-library",
:wp_content_dir => "wp-content",
:name => "media-library"
base_url: 'http://example.localhost/',
path: 'media-library',
wp_content_dir: 'wp-content',
name: 'media-library'
}),
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "deans",
:wp_content_dir => "wp-content",
:name => "deans"
base_url: 'http://example.localhost/',
path: 'deans',
wp_content_dir: 'wp-content',
name: 'deans'
}),
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "formidable/formidable.php",
:wp_content_dir => "wp-content",
:name => "formidable"
base_url: 'http://example.localhost/',
path: 'formidable/formidable.php',
wp_content_dir: 'wp-content',
name: 'formidable'
}),
WpPlugin.new(
{
:base_url => "http://example.localhost/",
:path => "regenerate-thumbnails/readme.txt",
:wp_content_dir => "wp-content",
:name => "regenerate-thumbnails"
base_url: 'http://example.localhost/',
path: 'regenerate-thumbnails/readme.txt',
wp_content_dir: 'wp-content',
name: 'regenerate-thumbnails'
})
]
end
describe "#plugins_from_passive_detection" do
describe '#plugins_from_passive_detection' do
let(:passive_detection_fixtures) { @fixtures_dir + '/passive_detection' }
it "should return an empty array" do
stub_request_to_fixture(:url => @module.url, :fixture => File.new(passive_detection_fixtures + '/no_plugins.htm'))
plugins = @module.plugins_from_passive_detection(:base_url => @module.url, :wp_content_dir => "wp-content")
it 'should return an empty array' do
stub_request_to_fixture(url: @module.url, fixture: File.new(passive_detection_fixtures + '/no_plugins.htm'))
plugins = @module.plugins_from_passive_detection(base_url: @module.url, wp_content_dir: 'wp-content')
plugins.should be_empty
end
it "should return the expected plugins" do
stub_request_to_fixture(:url => @module.url, :fixture => File.new(passive_detection_fixtures + '/various_plugins.htm'))
it 'should return the expected plugins' do
stub_request_to_fixture(url: @module.url, fixture: File.new(passive_detection_fixtures + '/various_plugins.htm'))
expected_plugin_names = %w{
wp-minify
@@ -119,55 +120,55 @@ shared_examples_for "WpPlugins" do
expected_plugins = []
expected_plugin_names.each do |plugin_name|
expected_plugins << WpPlugin.new(
:base_url => @module.url,
:path => "/plugins/#{plugin_name}/",
:name => plugin_name
base_url: @module.url,
path: "/plugins/#{plugin_name}/",
name: plugin_name
)
end
plugins = @module.plugins_from_passive_detection(:base_url => @module.url, :wp_content_dir => "wp-content")
plugins = @module.plugins_from_passive_detection(base_url: @module.url, wp_content_dir: 'wp-content')
plugins.should_not be_empty
plugins.length.should == expected_plugins.length
plugins.sort.should == expected_plugins.sort
end
end
describe "#plugins_from_aggressive_detection" do
describe '#plugins_from_aggressive_detection' do
before :each do
stub_request(:get, @module.uri.to_s).to_return(:status => 200)
stub_request(:get, @module.uri.to_s).to_return(status: 200)
# Point all targets to a 404
@targets.each do |target|
stub_request(:get, target.get_full_url.to_s).to_return(:status => 404)
stub_request(:get, target.get_full_url.to_s).to_return(status: 404)
# to_s calls readme_url
stub_request(:get, target.readme_url.to_s).to_return(:status => 404)
stub_request(:get, target.readme_url.to_s).to_return(status: 404)
end
end
after :each do
@passive_detection_fixture = SPEC_FIXTURES_DIR + "/empty-file" unless @passive_detection_fixture
stub_request_to_fixture(:url => "#{@module.uri}/".sub(/\/\/$/, "/"), :fixture => @passive_detection_fixture)
@passive_detection_fixture = SPEC_FIXTURES_DIR + '/empty-file' unless @passive_detection_fixture
stub_request_to_fixture(url: "#{@module.uri}/".sub(/\/\/$/, '/'), fixture: @passive_detection_fixture)
detected = @module.plugins_from_aggressive_detection(@options)
detected.length.should == @expected_plugins.length
detected.sort.should == @expected_plugins.sort
end
it "should return an empty array" do
it 'should return an empty array' do
@expected_plugins = []
end
it "should return an array with 3 WpPlugin (1 detected from passive method)" do
@passive_detection_fixture = @fixtures_dir + "/passive_detection/one_plugin.htm"
it 'should return an array with 3 WpPlugin (1 detected from passive method)' do
@passive_detection_fixture = @fixtures_dir + '/passive_detection/one_plugin.htm'
@expected_plugins = @targets.sample(2)
@expected_plugins.each do |p|
stub_request(:get, p.get_full_url.to_s).to_return(:status => 200)
stub_request(:get, p.get_full_url.to_s).to_return(status: 200)
end
new_plugin = WpPlugin.new(
:base_url => "http://example.localhost/",
:path => "/plugins/comment-info-tip/",
:name => "comment-info-tip"
base_url: 'http://example.localhost/',
path: '/plugins/comment-info-tip/',
name: 'comment-info-tip'
)
stub_request(:get, new_plugin.readme_url.to_s).to_return(:status => 200)
stub_request(:get, new_plugin.readme_url.to_s).to_return(status: 200)
@expected_plugins << new_plugin
end
@@ -179,15 +180,15 @@ shared_examples_for "WpPlugins" do
plugin_url.should_not be_nil
plugin_url.length.should == 1
@expected_plugins = plugin_url
stub_request(:get, plugin_url[0].get_full_url.to_s).to_return(:status => valid_response_code)
stub_request(:get, plugin_url[0].get_full_url.to_s).to_return(status: valid_response_code)
end
end
it "should not detect the plugin if there is a redirection to the homepage" do
it 'should not detect the plugin if there is a redirection to the homepage' do
# Let's pick up 2 plugins (The first one will redirect to the homepage)
plugins = @targets.sample(2)
stub_request(:get, plugins[0].get_full_url.to_s).to_return(:status => 200, :body => "Homepage!")
stub_request(:get, plugins[1].get_full_url.to_s).to_return(:status => 200)
stub_request(:get, plugins[0].get_full_url.to_s).to_return(status: 200, body: 'Homepage!')
stub_request(:get, plugins[1].get_full_url.to_s).to_return(status: 200)
@expected_plugins = [plugins[1]]
end

21
spec/lib/wpscan/modules/wp_readme_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpReadme" do
shared_examples_for 'WpReadme' do
before :all do
@module = WpScanModuleSpec.new('http://example.localhost')
@@ -25,32 +26,32 @@ shared_examples_for "WpReadme" do
@module.extend(WpReadme)
end
describe "#readme_url" do
it "should return http://example.localhost/readme.html" do
describe '#readme_url' do
it 'should return http://example.localhost/readme.html' do
@module.readme_url.should === "#{@module.uri}/readme.html"
end
end
describe "#has_readme?" do
describe '#has_readme?' do
it "should return false on a 404" do
it 'should return false on a 404' do
stub_request(:get, @module.readme_url).
to_return(:status => 404)
to_return(status: 404)
@module.has_readme?.should be_false
end
it "should return true if it exists" do
it 'should return true if it exists' do
stub_request(:get, @module.readme_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/readme-3.2.1.html'))
to_return(status: 200, body: File.new(@fixtures_dir + '/readme-3.2.1.html'))
@module.has_readme?.should be_true
end
# http://code.google.com/p/wpscan/issues/detail?id=108
it "should return true even if the readme.html is not in english" do
it 'should return true even if the readme.html is not in english' do
stub_request(:get, @module.readme_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/readme-3.3.2-fr.html'))
to_return(status: 200, body: File.new(@fixtures_dir + '/readme-3.3.2-fr.html'))
@module.has_readme?.should be_true
end

215
spec/lib/wpscan/modules/wp_themes_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,149 +17,181 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpThemes" do
shared_examples_for 'WpThemes' do
before :all do
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_themes'
@themes_file = @fixtures_dir + "/themes.txt"
@theme_vulns_file = @fixtures_dir + "/theme_vulns.xml"
@themes_file = @fixtures_dir + '/themes.txt'
@theme_vulns_file = @fixtures_dir + '/theme_vulns.xml'
@wp_url = "http://example.localhost/"
@wp_url = 'http://example.localhost/'
end
before :each do
@module = WpScanModuleSpec.new(@wp_url)
@module.error_404_hash = Digest::MD5.hexdigest("Error 404!")
@module.error_404_hash = Digest::MD5.hexdigest('Error 404!')
@module.extend(WpThemes)
@options = {
:base_url => @wp_url,
:only_vulnerable_ones => false,
:show_progression => false,
:error_404_hash => Digest::MD5.hexdigest("Error 404!"),
:vulns_file => @theme_vulns_file,
:file => @themes_file,
:type => "themes",
:wp_content_dir => "wp-content",
:vulns_xpath_2 => "//theme"
base_url: @wp_url,
only_vulnerable_ones: false,
show_progression: false,
error_404_hash: Digest::MD5.hexdigest('Error 404!'),
vulns_file: @theme_vulns_file,
file: @themes_file,
type: 'themes',
wp_content_dir: 'wp-content',
vulns_xpath_2: '//theme'
}
File.exist?(@theme_vulns_file).should == true
File.exist?(@themes_file).should == true
@targets = [WpTheme.new({:base_url => "http://example.localhost/",
:path => "zenpro/404.php",
:wp_content_dir => "wp-content",
:name => "zenpro"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zeta-zip/404.php",
:wp_content_dir => "wp-content",
:name => "zeta-zip"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zfirst/404.php",
:wp_content_dir => "wp-content",
:name => "zfirst"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zgrey/404.php",
:wp_content_dir => "wp-content",
:name => "zgrey"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zindi-ii/404.php",
:wp_content_dir => "wp-content",
:name => "zindi-ii"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zindi/404.php",
:wp_content_dir => "wp-content",
:name => "zindi"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zombie-apocalypse/404.php",
:wp_content_dir => "wp-content",
:name => "zombie-apocalypse"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zsofa/404.php",
:wp_content_dir => "wp-content",
:name => "zsofa"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "zwei-seiten/404.php",
:wp_content_dir => "wp-content",
:name => "zwei-seiten"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "twentyten/404.php",
:wp_content_dir => "wp-content",
:name => "twentyten"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "shopperpress",
:wp_content_dir => "wp-content",
:name => "shopperpress"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "wise",
:wp_content_dir => "wp-content",
:name => "wise"}),
WpTheme.new({:base_url => "http://example.localhost/",
:path => "webfolio",
:wp_content_dir => "wp-content",
:name => "webfolio"})]
@targets = [
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zenpro/404.php',
wp_content_dir: 'wp-content',
name: 'zenpro'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zeta-zip/404.php',
wp_content_dir: 'wp-content',
name: 'zeta-zip'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zfirst/404.php',
wp_content_dir: 'wp-content',
name: 'zfirst'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zgrey/404.php',
wp_content_dir: 'wp-content',
name: 'zgrey'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zindi-ii/404.php',
wp_content_dir: 'wp-content',
name: 'zindi-ii'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zindi/404.php',
wp_content_dir: 'wp-content',
name: 'zindi'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zombie-apocalypse/404.php',
wp_content_dir: 'wp-content',
name: 'zombie-apocalypse'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zsofa/404.php',
wp_content_dir: 'wp-content',
name: 'zsofa'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'zwei-seiten/404.php',
wp_content_dir: 'wp-content',
name: 'zwei-seiten'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'twentyten/404.php',
wp_content_dir: 'wp-content',
name: 'twentyten'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'shopperpress',
wp_content_dir: 'wp-content',
name: 'shopperpress'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'wise',
wp_content_dir: 'wp-content',
name: 'wise'
}),
WpTheme.new({
base_url: 'http://example.localhost/',
path: 'webfolio',
wp_content_dir: 'wp-content',
name: 'webfolio'
})
]
end
describe "#themes_from_passive_detection" do
describe '#themes_from_passive_detection' do
let(:passive_detection_fixtures) { @fixtures_dir + '/passive_detection' }
it "should return an empty array" do
stub_request_to_fixture(:url => @module.url, :fixture => File.new(passive_detection_fixtures + '/no_theme.htm'))
themes = @module.themes_from_passive_detection(:base_url => @module.url, :wp_content_dir => "wp-content")
it 'should return an empty array' do
stub_request_to_fixture(url: @module.url, fixture: File.new(passive_detection_fixtures + '/no_theme.htm'))
themes = @module.themes_from_passive_detection(base_url: @module.url, wp_content_dir: 'wp-content')
themes.should be_empty
end
it "should return the expected themes" do
stub_request_to_fixture(:url => @module.url, :fixture => File.new(passive_detection_fixtures + '/various_themes.htm'))
it 'should return the expected themes' do
stub_request_to_fixture(url: @module.url, fixture: File.new(passive_detection_fixtures + '/various_themes.htm'))
expected_theme_names = %w{ theme1 theme2 theme3 }
expected_themes = []
expected_theme_names.each do |theme_name|
expected_themes << WpTheme.new(:base_url => @module.url,
:path => "/themes/#{theme_name}/",
:name => theme_name)
expected_themes << WpTheme.new(
base_url: @module.url,
path: "/themes/#{theme_name}/",
name: theme_name
)
end
themes = @module.themes_from_passive_detection(:base_url => @module.url, :wp_content_dir => "wp-content")
themes = @module.themes_from_passive_detection(base_url: @module.url, wp_content_dir: 'wp-content')
themes.should_not be_empty
themes.length.should == expected_themes.length
themes.sort.should == expected_themes.sort
end
end
describe "#themes_from_aggressive_detection" do
describe '#themes_from_aggressive_detection' do
before :each do
stub_request(:get, @module.uri.to_s).to_return(:status => 200)
stub_request(:get, @module.uri.to_s).to_return(status: 200)
# Point all targets to a 404
@targets.each do |target|
stub_request(:get, target.get_full_url.to_s).to_return(:status => 404)
stub_request(:get, target.get_full_url.to_s).to_return(status: 404)
# to_s calls readme_url
stub_request(:get, target.readme_url.to_s).to_return(:status => 404)
stub_request(:get, target.readme_url.to_s).to_return(status: 404)
end
end
after :each do
@passive_detection_fixture = SPEC_FIXTURES_DIR + "/empty-file" unless @passive_detection_fixture
stub_request_to_fixture(:url => "#{@module.uri}/".sub(/\/\/$/, "/"), :fixture => @passive_detection_fixture)
@passive_detection_fixture = SPEC_FIXTURES_DIR + '/empty-file' unless @passive_detection_fixture
stub_request_to_fixture(url: "#{@module.uri}/".sub(/\/\/$/, '/'), fixture: @passive_detection_fixture)
detected = @module.themes_from_aggressive_detection(@options)
detected.length.should == @expected_themes.length
detected.sort.should == @expected_themes.sort
end
it "should return an empty array" do
it 'should return an empty array' do
@expected_themes = []
end
it "should return an array with 3 WpTheme (1 detected from passive method)" do
@passive_detection_fixture = @fixtures_dir + "/passive_detection/one_theme.htm"
it 'should return an array with 3 WpTheme (1 detected from passive method)' do
@passive_detection_fixture = @fixtures_dir + '/passive_detection/one_theme.htm'
@expected_themes = @targets.sample(2)
@expected_themes.each do |p|
stub_request(:get, p.get_full_url.to_s).to_return(:status => 200)
stub_request(:get, p.get_full_url.to_s).to_return(status: 200)
end
new_theme = WpTheme.new(:base_url => "http://example.localhost/",
:path => "/themes/custom-twentyten/",
:name => "custom-twentyten")
stub_request(:get, new_theme.readme_url.to_s).to_return(:status => 200)
new_theme = WpTheme.new(
base_url: 'http://example.localhost/',
path: '/themes/custom-twentyten/',
name: 'custom-twentyten'
)
stub_request(:get, new_theme.readme_url.to_s).to_return(status: 200)
@expected_themes << new_theme
end
@@ -170,7 +203,7 @@ shared_examples_for "WpThemes" do
theme_url.should_not be_nil
theme_url.length.should == 1
@expected_themes = theme_url
stub_request(:get, theme_url[0].get_full_url.to_s).to_return(:status => valid_response_code)
stub_request(:get, theme_url[0].get_full_url.to_s).to_return(status: valid_response_code)
end
end
end

55
spec/lib/wpscan/modules/wp_timthumbs_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,43 +17,43 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpTimthumbs" do
shared_examples_for 'WpTimthumbs' do
before :each do
@options = {}
@url = "http://example.localhost/"
@theme_name = "bueno"
@url = 'http://example.localhost/'
@theme_name = 'bueno'
@options[:base_url] = @url
@options[:wp_content_dir] = "wp-content"
@options[:wp_content_dir] = 'wp-content'
@options[:name] = @theme_name
@options[:error_404_hash] = "xx"
@options[:error_404_hash] = 'xx'
@options[:show_progression] = false
@options[:only_vulnerable_ones] = false
@options[:vulns_file] = "xx"
@options[:type] = "timthumbs"
@options[:vulns_file] = 'xx'
@options[:type] = 'timthumbs'
@module = WpScanModuleSpec.new(@url)
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + "/wp_timthumbs"
@timthumbs_file = @fixtures_dir + "/timthumbs.txt"
@fixtures_dir = SPEC_FIXTURES_WPSCAN_MODULES_DIR + '/wp_timthumbs'
@timthumbs_file = @fixtures_dir + '/timthumbs.txt'
@targets_from_file = %w{
http://example.localhost/wp-content/plugins/fotoslide/timthumb.php
http://example.localhost/wp-content/plugins/feature-slideshow/timthumb.php
}
@targets_from_theme =
[
"http://example.localhost/wp-content/themes/" + @theme_name + "/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/lib/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/inc/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/includes/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/scripts/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/tools/timthumb.php",
"http://example.localhost/wp-content/themes/" + @theme_name + "/functions/timthumb.php"
'http://example.localhost/wp-content/themes/' + @theme_name + '/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/lib/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/inc/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/includes/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/scripts/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/tools/timthumb.php',
'http://example.localhost/wp-content/themes/' + @theme_name + '/functions/timthumb.php'
]
@module.extend(WpTimthumbs)
end
describe "#targets_url_from_theme" do
it "should return the targets for the theme" do
describe '#targets_url_from_theme' do
it 'should return the targets for the theme' do
targets = @module.send(:targets_url_from_theme, @theme_name, @options)
targets.should_not be_empty
@@ -65,39 +66,39 @@ shared_examples_for "WpTimthumbs" do
end
end
describe "#timthumbs and #has_timthumbs?" do
describe '#timthumbs and #has_timthumbs?' do
before :each do
@options[:file] = @timthumbs_file
@targets_from_file.each do |url|
stub_request(:get, url).to_return(:status => 404)
stub_request(:get, url).to_return(status: 404)
end
end
it "should return an empty array" do
it 'should return an empty array' do
timthumbs = @module.timthumbs(nil, @options)
timthumbs.should be_empty
@module.has_timthumbs?(nil, @options).should be_false
end
it "should return an array with 7 elements (from passive detection)" do
stub_request(:get, %r{http://example\.localhost/wp-content/themes/my-theme/.*}).to_return(:status => 200)
timthumbs = @module.timthumbs("my-theme", @options)
it 'should return an array with 7 elements (from passive detection)' do
stub_request(:get, %r{http://example\.localhost/wp-content/themes/my-theme/.*}).to_return(status: 200)
timthumbs = @module.timthumbs('my-theme', @options)
timthumbs.length.should == 7
end
it "should return an array with 2 timthumbs url" do
it 'should return an array with 2 timthumbs url' do
expected = []
urls = []
urls_hash = WpEnumerator.generate_items(@options)
urls_hash.each do |u|
url = u.get_full_url.to_s
urls << url
stub_request(:get, url).to_return(:status => 404)
stub_request(:get, url).to_return(status: 404)
end
urls.sample(2).each do |target_url|
expected << target_url
stub_request(:get, target_url).
to_return(:status => 200, :body => File.new(@fixtures_dir + "/timthumb.php"))
to_return(status: 200, body: File.new(@fixtures_dir + '/timthumb.php'))
end
timthumbs = @module.timthumbs(nil, @options)

173
spec/lib/wpscan/modules/wp_usernames_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,7 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
shared_examples_for "WpUsernames" do
shared_examples_for 'WpUsernames' do
before :each do
@target_url = 'http://example.localhost/'
@@ -26,230 +27,230 @@ shared_examples_for "WpUsernames" do
@module.extend(WpUsernames)
end
describe "#author_url" do
it "should return the auhor url according to his id" do
describe '#author_url' do
it 'should return the auhor url according to his id' do
@module.author_url(1).should === "#@target_url?author=1"
end
end
describe "#usernames" do
describe '#usernames' do
before :each do
(1..10).each do |index|
stub_request(:get, @module.author_url(index)).to_return(:status => 404)
stub_request(:get, @module.author_url(index)).to_return(status: 404)
end
end
it "should return an empty array" do
it 'should return an empty array' do
@module.usernames.should be_empty
end
it "should return an array with 1 username (from header location)" do
it 'should return an array with 1 username (from header location)' do
stub_request(:get, @module.author_url(3)).
to_return(:status => 301, :headers => {'location' => '/author/Youhou'})
to_return(status: 301, headers: {'location' => '/author/Youhou'})
usernames = @module.usernames
usernames.should_not be_empty
usernames.length.should == 1
usernames[0].id.should == 3
usernames[0].name.should == "Youhou"
usernames[0].nickname.should == "empty"
usernames[0].name.should == 'Youhou'
usernames[0].nickname.should == 'empty'
end
it "should return an array with 1 username (from in the body response)" do
it 'should return an array with 1 username (from in the body response)' do
stub_request(:get, @module.author_url(2)).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/admin.htm'))
to_return(status: 200, body: File.new(@fixtures_dir + '/admin.htm'))
usernames = @module.usernames(:range => (1..2))
usernames = @module.usernames(range: (1..2))
usernames.should_not be_empty
usernames.eql?([WpUser.new("admin", 2, "admin | Wordpress 3.3.2")]).should be_true
usernames.eql?([WpUser.new('admin', 2, 'admin | Wordpress 3.3.2')]).should be_true
end
it "should return an array with 2 usernames (one is a duplicate and should not be present twice)" do
it 'should return an array with 2 usernames (one is a duplicate and should not be present twice)' do
stub_request(:get, @module.author_url(4)).
to_return(:status => 301, :headers => {'location' => '/author/Youhou/'})
to_return(status: 301, headers: {'location' => '/author/Youhou/'})
stub_request(:get, @module.author_url(2)).
to_return(:status => 200, :body => File.new(@fixtures_dir + '/admin.htm'))
to_return(status: 200, body: File.new(@fixtures_dir + '/admin.htm'))
usernames = @module.usernames(:range => (1..5))
usernames = @module.usernames(range: (1..5))
usernames.should_not be_empty
expected = [
WpUser.new("admin", 2, "admin | Wordpress 3.3.2"),
WpUser.new("Youhou", 4, "empty")
WpUser.new('admin', 2, 'admin | Wordpress 3.3.2'),
WpUser.new('Youhou', 4, 'empty')
]
usernames.sort_by { |u| u.name }.eql?(expected.sort_by { |u| u.name }).should be_true
end
end
describe "#get_nickname_from_url" do
describe '#get_nickname_from_url' do
after :each do
url = "http://example.localhost/"
stub_request(:get, url).to_return(:status => @status, :body => @content)
url = 'http://example.localhost/'
stub_request(:get, url).to_return(status: @status, body: @content)
username = @module.get_nickname_from_url(url)
username.should === @expected
end
it "should return nil" do
it 'should return nil' do
@status = 200
@content = ""
@content = ''
@expected = nil
end
it "should return nil" do
it 'should return nil' do
@status = 400
@content = ""
@content = ''
@expected = nil
end
it "should return admin" do
it 'should return admin' do
@status = 200
@content = "<title>admin</title>"
@expected = "admin"
@content = '<title>admin</title>'
@expected = 'admin'
end
it "should return nil" do
it 'should return nil' do
@status = 201
@content = "<title>admin</title>"
@content = '<title>admin</title>'
@expected = nil
end
end
describe "#get_nickname_from_response" do
describe '#get_nickname_from_response' do
after :each do
url = "http://example.localhost/"
stub_request(:get, url).to_return(:status => @status, :body => @content)
url = 'http://example.localhost/'
stub_request(:get, url).to_return(status: @status, body: @content)
resp = Browser.instance.get(url)
username = @module.get_nickname_from_response(resp)
username.should === @expected
end
it "should return nil" do
it 'should return nil' do
@status = 200
@content = ""
@content = ''
@expected = nil
end
it "should return nil" do
it 'should return nil' do
@status = 400
@content = ""
@content = ''
@expected = nil
end
it "should return admin" do
it 'should return admin' do
@status = 200
@content = "<title>admin</title>"
@expected = "admin"
@content = '<title>admin</title>'
@expected = 'admin'
end
it "should return nil" do
it 'should return nil' do
@status = 201
@content = "<title>admin</title>"
@content = '<title>admin</title>'
@expected = nil
end
end
describe "#extract_nickname_from_body" do
describe '#extract_nickname_from_body' do
after :each do
result = @module.extract_nickname_from_body(@body)
result.should === @expected
end
it "should return admin" do
@body = "<title>admin</title>"
@expected = "admin"
it 'should return admin' do
@body = '<title>admin</title>'
@expected = 'admin'
end
it "should return nil" do
@body = "<title>adm<in</title>"
it 'should return nil' do
@body = '<title>adm<in</title>'
@expected = nil
end
it "should return nil" do
@body = "<titler>admin</titler>"
it 'should return nil' do
@body = '<titler>admin</titler>'
@expected = nil
end
it "should return admin | " do
@body = "<title>admin | </title>"
@expected = "admin | "
it 'should return admin | ' do
@body = '<title>admin | </title>'
@expected = 'admin | '
end
it "should return an empty string" do
@body = "<title></title>"
@expected = ""
it 'should return an empty string' do
@body = '<title></title>'
@expected = ''
end
end
describe "#remove_junk_from_nickname" do
it "should throw an exception" do
describe '#remove_junk_from_nickname' do
it 'should throw an exception' do
@input = nil
expect { @module.remove_junk_from_nickname(@input) }.to raise_error(RuntimeError, "Need an array as input")
expect { @module.remove_junk_from_nickname(@input) }.to raise_error(RuntimeError, 'Need an array as input')
end
it "should not throw an exception" do
it 'should not throw an exception' do
@input = []
expect { @module.remove_junk_from_nickname(@input) }.to_not raise_error
end
it "should throw an exception" do
it 'should throw an exception' do
@input = [WpOptions.new]
expect { @module.remove_junk_from_nickname(@input) }.to raise_error(RuntimeError, "Items must be of type WpUser")
expect { @module.remove_junk_from_nickname(@input) }.to raise_error(RuntimeError, 'Items must be of type WpUser')
end
end
describe "#remove_junk_from_nickname" do
describe '#remove_junk_from_nickname' do
after :each do
result = @module.remove_junk_from_nickname(@input)
result.eql?(@expected).should === true
end
it "should return an empty array" do
it 'should return an empty array' do
@input = []
@expected = @input
end
it "should return input object" do
it 'should return input object' do
@input = [WpUser.new(nil, nil, nil)]
@expected = @input
end
it "should return input object" do
@input = [WpUser.new("", "", "")]
it 'should return input object' do
@input = [WpUser.new('', '', '')]
@expected = @input
end
it "should remove asdf" do
@input = [WpUser.new(nil, nil, "lkjh asdf"), WpUser.new(nil, nil, "ijrjd asdf")]
@expected = [WpUser.new(nil, nil, "lkjh"), WpUser.new(nil, nil, "ijrjd")]
it 'should remove asdf' do
@input = [WpUser.new(nil, nil, 'lkjh asdf'), WpUser.new(nil, nil, 'ijrjd asdf')]
@expected = [WpUser.new(nil, nil, 'lkjh'), WpUser.new(nil, nil, 'ijrjd')]
end
it "should return unmodified input object" do
@input = [WpUser.new(nil, nil, "lkjh asdfa"), WpUser.new(nil, nil, "ijrjd asdf")]
it 'should return unmodified input object' do
@input = [WpUser.new(nil, nil, 'lkjh asdfa'), WpUser.new(nil, nil, 'ijrjd asdf')]
@expected = @input
end
it "should return input object" do
@input = [WpUser.new(nil, nil, "lkjh asdf")]
it 'should return input object' do
@input = [WpUser.new(nil, nil, 'lkjh asdf')]
@expected = @input
end
it "should return lkhj asdf" do
@input = [WpUser.new(nil, nil, "lkhj asdf"), WpUser.new(nil, nil, "lkhj asdf")]
@expected = [WpUser.new(nil, nil, ""), WpUser.new(nil, nil, "")]
it 'should return lkhj asdf' do
@input = [WpUser.new(nil, nil, 'lkhj asdf'), WpUser.new(nil, nil, 'lkhj asdf')]
@expected = [WpUser.new(nil, nil, ''), WpUser.new(nil, nil, '')]
end
end
# Issue 66
describe "#remove_junk_from_nickname" do
it "should contain the string empty" do
input = [WpUser.new("admin", 1, "admin | Wordpress 3.4.2"), WpUser.new("", 2, "Wordpress 3.4.2")]
describe '#remove_junk_from_nickname' do
it 'should contain the string empty' do
input = [WpUser.new('admin', 1, 'admin | Wordpress 3.4.2'), WpUser.new('', 2, 'Wordpress 3.4.2')]
result = @module.remove_junk_from_nickname(input)
result[0].nickname.should === "admin | "
result[0].name.should === "admin"
result[0].nickname.should === 'admin | '
result[0].name.should === 'admin'
result[0].id.should === 1
result[1].nickname.should === "empty"
result[1].name.should === "empty"
result[1].nickname.should === 'empty'
result[1].name.should === 'empty'
result[1].id.should === 2
end
end

1
spec/lib/wpscan/wp_detector_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013

1
spec/lib/wpscan/wp_enumerator_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013

556
spec/lib/wpscan/wp_item_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -19,278 +20,279 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpPlugin do
describe "#initialize" do
it "should create a correct instance" do
describe '#initialize' do
it 'should create a correct instance' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
instance.wp_content_dir.should == "wp-content"
instance.base_url.should == "http://sub.example.com/path/to/wordpress/"
instance.path.should == "test/asdf.php"
instance.wp_content_dir.should == 'wp-content'
instance.base_url.should == 'http://sub.example.com/path/to/wordpress/'
instance.path.should == 'test/asdf.php'
end
end
describe "#get_full_url" do
describe '#get_full_url' do
after :each do
arguments = {
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins",
:wp_content_dir => @wp_content_dir
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins',
wp_content_dir: @wp_content_dir
}
instance = WpItem.new(arguments)
instance.get_full_url.to_s.should === @expected
end
it "should return the correct url" do
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/asdf.php"
it 'should return the correct url' do
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test/asdf.php'
end
it "should return the correct url (custom wp_content_dir)" do
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/asdf.php"
it 'should return the correct url (custom wp_content_dir)' do
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/asdf.php'
end
it "should trim / and add missing / before concatenating url" do
@wp_content_dir = "/custom/"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/asdf.php"
it 'should trim / and add missing / before concatenating url' do
@wp_content_dir = '/custom/'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/asdf.php'
end
end
describe "#get_url_without_filename" do
describe '#get_url_without_filename' do
after :each do
arguments = {
:base_url => @base_url || "http://sub.example.com/path/to/wordpress/",
:path => @path || "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins",
:wp_content_dir => @wp_content_dir
base_url: @base_url || 'http://sub.example.com/path/to/wordpress/',
path: @path || 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins',
wp_content_dir: @wp_content_dir
}
instance = WpItem.new(arguments)
instance.get_url_without_filename.to_s.should === @expected
end
it "should return the correct url" do
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/"
it 'should return the correct url' do
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test/'
end
it "should return the correct url (custom wp_content_dir)" do
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/"
it 'should return the correct url (custom wp_content_dir)' do
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/'
end
it "should trim / and add missing / before concatenating url" do
@wp_content_dir = "/custom/"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/"
it 'should trim / and add missing / before concatenating url' do
@wp_content_dir = '/custom/'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/'
end
it "should not remove the last foldername" do
@path = "test/"
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/"
it 'should not remove the last foldername' do
@path = 'test/'
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test/'
end
it "should return the correct url (https)" do
@base_url = "https://sub.example.com/path/to/wordpress/"
@expected = "https://sub.example.com/path/to/wordpress/wp-content/plugins/test/"
it 'should return the correct url (https)' do
@base_url = 'https://sub.example.com/path/to/wordpress/'
@expected = 'https://sub.example.com/path/to/wordpress/wp-content/plugins/test/'
end
it "should add the last slash if it's not present" do
@path = "test-one"
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test-one/"
@path = 'test-one'
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test-one/'
end
end
describe "#version" do
describe '#version' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/version' }
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return a version number" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: 1.2.4.3.2.1")
@instance.version.should == "1.2.4.3.2.1"
it 'should return a version number' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 200, body: 'Stable tag: 1.2.4.3.2.1')
@instance.version.should == '1.2.4.3.2.1'
end
it "should not return a version number" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: trunk")
it 'should not return a version number' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 200, body: 'Stable tag: trunk')
@instance.version.should be nil
end
it "should return nil if the version is invalid (IE : trunk etc)" do
stub_request_to_fixture(:url => @instance.readme_url.to_s, :fixture => fixtures_dir + '/trunk-version.txt')
it 'should return nil if the version is invalid (IE : trunk etc)' do
stub_request_to_fixture(url: @instance.readme_url.to_s, fixture: fixtures_dir + '/trunk-version.txt')
@instance.version.should be_nil
end
it "should return the version 0.4" do
stub_request_to_fixture(:url => @instance.readme_url.to_s, :fixture => fixtures_dir + '/simple-login-lockdown-0.4.txt')
@instance.version.should === "0.4"
it 'should return the version 0.4' do
stub_request_to_fixture(url: @instance.readme_url.to_s, fixture: fixtures_dir + '/simple-login-lockdown-0.4.txt')
@instance.version.should === '0.4'
end
end
describe "#directory_listing?" do
describe '#directory_listing?' do
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return true" do
it 'should return true' do
stub_request(:get, @instance.get_url_without_filename.to_s)
.to_return(:status => 200, :body => "<html><head><title>Index of asdf</title></head></html>")
.to_return(status: 200, body: '<html><head><title>Index of asdf</title></head></html>')
@instance.directory_listing?.should == true
end
it "should return false" do
it 'should return false' do
stub_request(:get, @instance.get_url_without_filename.to_s)
.to_return(:status => 200, :body => "<html><head><title>My Wordpress Site</title></head></html>")
.to_return(status: 200, body: '<html><head><title>My Wordpress Site</title></head></html>')
@instance.directory_listing?.should == false
end
it "should return false on a 404" do
stub_request(:get, @instance.get_url_without_filename.to_s.to_s).to_return(:status => 404)
it 'should return false on a 404' do
stub_request(:get, @instance.get_url_without_filename.to_s.to_s).to_return(status: 404)
@instance.directory_listing?.should be_false
end
end
describe "#extract_name_from_url" do
describe '#extract_name_from_url' do
after :each do
arguments = {
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => @path || "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => @type || "plugins",
:wp_content_dir => @wp_content_dir
base_url: 'http://sub.example.com/path/to/wordpress/',
path: @path || 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: @type || 'plugins',
wp_content_dir: @wp_content_dir
}
instance = WpItem.new(arguments)
instance.extract_name_from_url.should === @expected
end
it "should extract the correct name" do
@expected = "test"
it 'should extract the correct name' do
@expected = 'test'
end
it "should extract the correct name (custom wp_content_dir)" do
@wp_content_dir = "custom"
@expected = "test"
it 'should extract the correct name (custom wp_content_dir)' do
@wp_content_dir = 'custom'
@expected = 'test'
end
it "should extract the correct name" do
@path = "test2/asdf.php"
@wp_content_dir = "/custom/"
@expected = "test2"
it 'should extract the correct name' do
@path = 'test2/asdf.php'
@wp_content_dir = '/custom/'
@expected = 'test2'
end
it "should extract the correct plugin name" do
@path = "testplugin/"
@expected = "testplugin"
it 'should extract the correct plugin name' do
@path = 'testplugin/'
@expected = 'testplugin'
end
it "should extract the correct theme name" do
@path = "testtheme/"
@type = "themes"
@expected = "testtheme"
it 'should extract the correct theme name' do
@path = 'testtheme/'
@type = 'themes'
@expected = 'testtheme'
end
end
describe "#to_s" do
describe '#to_s' do
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return the name including a version number" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: 1.2.4.3.2.1")
@instance.to_s.should == "test v1.2.4.3.2.1"
it 'should return the name including a version number' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 200, body: 'Stable tag: 1.2.4.3.2.1')
@instance.to_s.should == 'test v1.2.4.3.2.1'
end
it "should not return the name without a version number" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200, :body => "Stable tag: trunk")
@instance.to_s.should == "test"
it 'should not return the name without a version number' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 200, body: 'Stable tag: trunk')
@instance.to_s.should == 'test'
end
end
describe "#==" do
describe '#==' do
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return false" do
it 'should return false' do
instance2 = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "newname/asdf.php",
:type => "plugins",
:vulns_file => "XXX.xml",
:vulns_xpath => "XX"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'newname/asdf.php',
type: 'plugins',
vulns_file: 'XXX.xml',
vulns_xpath: 'XX'
)
(@instance == instance2).should == false
end
it "should return true" do
it 'should return true' do
instance2 = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:type => "plugins",
:vulns_file => "XXX.xml",
:vulns_xpath => "XX"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
type: 'plugins',
vulns_file: 'XXX.xml',
vulns_xpath: 'XX'
)
(@instance == instance2).should == true
end
end
describe "#get_sub_folder" do
describe '#get_sub_folder' do
after :each do
arguments = {
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:wp_content_dir => "wp-content",
:wp_plugins_dir => "wp-content/plugins",
:name => "test",
:vulns_xpath => "XX",
:type => @type || "themes"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
wp_content_dir: 'wp-content',
wp_plugins_dir: 'wp-content/plugins',
name: 'test',
vulns_xpath: 'XX',
type: @type || 'themes'
}
instance = WpItem.new(arguments)
@@ -302,238 +304,238 @@ describe WpPlugin do
end
end
it "should return themes" do
@expected = "themes"
it 'should return themes' do
@expected = 'themes'
end
it "should return nil" do
@type = "timthumbs"
it 'should return nil' do
@type = 'timthumbs'
@expected = nil
end
it "should raise an exception" do
@type = "type"
@raise_error = raise_error(RuntimeError, "unknown type type")
it 'should raise an exception' do
@type = 'type'
@raise_error = raise_error(RuntimeError, 'unknown type type')
end
end
describe "#readme_url" do
describe '#readme_url' do
after :each do
arguments = {
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => @type || "plugins",
:wp_content_dir => @wp_content_dir
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: @type || 'plugins',
wp_content_dir: @wp_content_dir
}
instance = WpItem.new(arguments)
instance.readme_url.to_s.should === @expected
end
it "should return the corrent plugin readme url" do
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/readme.txt"
it 'should return the corrent plugin readme url' do
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test/readme.txt'
end
it "should return the corrent plugin readme url (custom wp_content)" do
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/readme.txt"
it 'should return the corrent plugin readme url (custom wp_content)' do
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/readme.txt'
end
it "should return the corrent theme readme url" do
@type = "themes"
@expected = "http://sub.example.com/path/to/wordpress/wp-content/themes/test/readme.txt"
it 'should return the corrent theme readme url' do
@type = 'themes'
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/themes/test/readme.txt'
end
it "should return the corrent theme readme url (custom wp_content)" do
@type = "themes"
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/themes/test/readme.txt"
it 'should return the corrent theme readme url (custom wp_content)' do
@type = 'themes'
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/themes/test/readme.txt'
end
end
describe "#changelog_url" do
describe '#changelog_url' do
after :each do
arguments = {
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => @type || "plugins",
:wp_content_dir => @wp_content_dir
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: @type || 'plugins',
wp_content_dir: @wp_content_dir
}
instance = WpItem.new(arguments)
instance.changelog_url.to_s.should === @expected
end
it "should return the corrent plugin changelog url" do
@expected = "http://sub.example.com/path/to/wordpress/wp-content/plugins/test/changelog.txt"
it 'should return the corrent plugin changelog url' do
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/plugins/test/changelog.txt'
end
it "should return the corrent plugin changelog url (custom wp_content)" do
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/plugins/test/changelog.txt"
it 'should return the corrent plugin changelog url (custom wp_content)' do
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/plugins/test/changelog.txt'
end
it "should return the corrent theme changelog url" do
@type = "themes"
@expected = "http://sub.example.com/path/to/wordpress/wp-content/themes/test/changelog.txt"
it 'should return the corrent theme changelog url' do
@type = 'themes'
@expected = 'http://sub.example.com/path/to/wordpress/wp-content/themes/test/changelog.txt'
end
it "should return the corrent theme changelog url (custom wp_content)" do
@type = "themes"
@wp_content_dir = "custom"
@expected = "http://sub.example.com/path/to/wordpress/custom/themes/test/changelog.txt"
it 'should return the corrent theme changelog url (custom wp_content)' do
@type = 'themes'
@wp_content_dir = 'custom'
@expected = 'http://sub.example.com/path/to/wordpress/custom/themes/test/changelog.txt'
end
end
describe "#has_readme?" do
describe '#has_readme?' do
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return true" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 200)
it 'should return true' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 200)
@instance.has_readme?.should == true
end
it "should return false" do
stub_request(:get, @instance.readme_url.to_s).to_return(:status => 403)
it 'should return false' do
stub_request(:get, @instance.readme_url.to_s).to_return(status: 403)
@instance.has_readme?.should == false
end
end
describe "#has_changelog?" do
describe '#has_changelog?' do
before :each do
@instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
end
it "should return true" do
stub_request(:get, @instance.changelog_url.to_s).to_return(:status => 200)
it 'should return true' do
stub_request(:get, @instance.changelog_url.to_s).to_return(status: 200)
@instance.has_changelog?.should == true
end
it "should return false" do
stub_request(:get, @instance.changelog_url.to_s).to_return(:status => 403)
it 'should return false' do
stub_request(:get, @instance.changelog_url.to_s).to_return(status: 403)
@instance.has_changelog?.should == false
end
end
describe "#wp_org_url" do
it "sould return a themes url" do
describe '#wp_org_url' do
it 'sould return a themes url' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "themes"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'themes'
)
instance.wp_org_url.to_s.should == "http://wordpress.org/extend/themes/test/"
instance.wp_org_url.to_s.should == 'http://wordpress.org/extend/themes/test/'
end
it "sould return a plugins url" do
it 'sould return a plugins url' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'plugins'
)
instance.wp_org_url.to_s.should == "http://wordpress.org/extend/plugins/test/"
instance.wp_org_url.to_s.should == 'http://wordpress.org/extend/plugins/test/'
end
it "sould raise an exception" do
it 'sould raise an exception' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "invalid"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'invalid'
)
expect { instance.wp_org_url }.to raise_error(RuntimeError, "No Wordpress URL for invalid")
expect { instance.wp_org_url }.to raise_error(RuntimeError, 'No Wordpress URL for invalid')
end
end
describe "#wp_org_item?" do
it "sould return true" do
describe '#wp_org_item?' do
it 'sould return true' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "w3-total-cache",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'w3-total-cache',
vulns_xpath: 'XX',
type: 'plugins'
)
instance.wp_org_item?.should be_true
end
it "sould return true" do
it 'sould return true' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "twentyten",
:vulns_xpath => "XX",
:type => "themes"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'twentyten',
vulns_xpath: 'XX',
type: 'themes'
)
instance.wp_org_item?.should be_true
end
it "sould return false" do
it 'sould return false' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "can_not_be_in_repository",
:vulns_xpath => "XX",
:type => "plugins"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'can_not_be_in_repository',
vulns_xpath: 'XX',
type: 'plugins'
)
instance.wp_org_item?.should be_false
end
it "sould return false" do
it 'sould return false' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "can_not_be_in_repository",
:vulns_xpath => "XX",
:type => "themes"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'can_not_be_in_repository',
vulns_xpath: 'XX',
type: 'themes'
)
instance.wp_org_item?.should be_false
end
it "sould raise an exception" do
it 'sould raise an exception' do
instance = WpItem.new(
:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "test/asdf.php",
:vulns_file => "XXX.xml",
:name => "test",
:vulns_xpath => "XX",
:type => "invalid"
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'test/asdf.php',
vulns_file: 'XXX.xml',
name: 'test',
vulns_xpath: 'XX',
type: 'invalid'
)
expect { instance.wp_org_item? }.to raise_error(RuntimeError, "Unknown type invalid")
expect { instance.wp_org_item? }.to raise_error(RuntimeError, 'Unknown type invalid')
end
end

115
spec/lib/wpscan/wp_options_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -19,120 +20,120 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpOptions do
describe "#check_options" do
describe '#check_options' do
before :each do
@options = {}
@options[:base_url] = "url"
@options[:base_url] = 'url'
@options[:only_vulnerable_ones] = false
@options[:file] = "file"
@options[:vulns_file] = "vulns_file"
@options[:vulns_xpath] = "vulns_xpath"
@options[:vulns_xpath_2] = "vulns_xpath_2"
@options[:wp_content_dir] = "wp_content_dir"
@options[:file] = 'file'
@options[:vulns_file] = 'vulns_file'
@options[:vulns_xpath] = 'vulns_xpath'
@options[:vulns_xpath_2] = 'vulns_xpath_2'
@options[:wp_content_dir] = 'wp_content_dir'
@options[:show_progression] = true
@options[:error_404_hash] = "error_404_hash"
@options[:type] = "type"
@options[:error_404_hash] = 'error_404_hash'
@options[:type] = 'type'
@message = ""
@message = ''
end
after :each do
expect { WpOptions.check_options(@options) }.to raise_error(RuntimeError, @message)
end
it "should raise an exception (base_url empty)" do
@options[:base_url] = ""
@message = "base_url must be set"
it 'should raise an exception (base_url empty)' do
@options[:base_url] = ''
@message = 'base_url must be set'
end
it "should raise an exception (base_url nil)" do
it 'should raise an exception (base_url nil)' do
@options[:base_url] = nil
@message = "base_url must be set"
@message = 'base_url must be set'
end
it "should raise an exception (only_vulnerable_ones nil)" do
it 'should raise an exception (only_vulnerable_ones nil)' do
@options[:only_vulnerable_ones] = nil
@message = "only_vulnerable_ones must be set"
@message = 'only_vulnerable_ones must be set'
end
it "should raise an exception (file empty)" do
@options[:file] = ""
@message = "file must be set"
it 'should raise an exception (file empty)' do
@options[:file] = ''
@message = 'file must be set'
end
it "should raise an exception (file nil)" do
it 'should raise an exception (file nil)' do
@options[:file] = nil
@message = "file must be set"
@message = 'file must be set'
end
it "should raise an exception (vulns_file empty)" do
@options[:vulns_file] = ""
@message = "vulns_file must be set"
it 'should raise an exception (vulns_file empty)' do
@options[:vulns_file] = ''
@message = 'vulns_file must be set'
end
it "should raise an exception (vulns_file nil)" do
it 'should raise an exception (vulns_file nil)' do
@options[:vulns_file] = nil
@message = "vulns_file must be set"
@message = 'vulns_file must be set'
end
it "should raise an exception (vulns_xpath empty)" do
@options[:vulns_xpath] = ""
@message = "vulns_xpath must be set"
it 'should raise an exception (vulns_xpath empty)' do
@options[:vulns_xpath] = ''
@message = 'vulns_xpath must be set'
end
it "should raise an exception (vulns_xpath nil)" do
it 'should raise an exception (vulns_xpath nil)' do
@options[:vulns_xpath] = nil
@message = "vulns_xpath must be set"
@message = 'vulns_xpath must be set'
end
it "should raise an exception (vulns_xpath_2 empty)" do
@options[:vulns_xpath_2] = ""
@message = "vulns_xpath_2 must be set"
it 'should raise an exception (vulns_xpath_2 empty)' do
@options[:vulns_xpath_2] = ''
@message = 'vulns_xpath_2 must be set'
end
it "should raise an exception (vulns_xpath_2 nil)" do
it 'should raise an exception (vulns_xpath_2 nil)' do
@options[:vulns_xpath_2] = nil
@message = "vulns_xpath_2 must be set"
@message = 'vulns_xpath_2 must be set'
end
it "should raise an exception (wp_content_dir empty)" do
@options[:wp_content_dir] = ""
@message = "wp_content_dir must be set"
it 'should raise an exception (wp_content_dir empty)' do
@options[:wp_content_dir] = ''
@message = 'wp_content_dir must be set'
end
it "should raise an exception (wp_content_dir nil)" do
it 'should raise an exception (wp_content_dir nil)' do
@options[:wp_content_dir] = nil
@message = "wp_content_dir must be set"
@message = 'wp_content_dir must be set'
end
it "should raise an exception (show_progression nil)" do
it 'should raise an exception (show_progression nil)' do
@options[:show_progression] = nil
@message = "show_progression must be set"
@message = 'show_progression must be set'
end
it "should raise an exception (error_404_hash empty)" do
@options[:error_404_hash] = ""
@message = "error_404_hash must be set"
it 'should raise an exception (error_404_hash empty)' do
@options[:error_404_hash] = ''
@message = 'error_404_hash must be set'
end
it "should raise an exception (error_404_hash nil)" do
it 'should raise an exception (error_404_hash nil)' do
@options[:error_404_hash] = nil
@message = "error_404_hash must be set"
@message = 'error_404_hash must be set'
end
it "should raise an exception (type empty)" do
@options[:type] = ""
@message = "type must be set"
it 'should raise an exception (type empty)' do
@options[:type] = ''
@message = 'type must be set'
end
it "should raise an exception (type nil)" do
it 'should raise an exception (type nil)' do
@options[:type] = nil
@message = "type must be set"
@message = 'type must be set'
end
it "should raise an exception (type unknown)" do
@options[:type] = "unknown"
@message = "Unknown type unknown"
it 'should raise an exception (type unknown)' do
@options[:type] = 'unknown'
@message = 'Unknown type unknown'
end
end
end

60
spec/lib/wpscan/wp_plugin_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -19,56 +20,61 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpPlugin do
describe "#initialize" do
it "should not raise an exception" do
expect { WpPlugin.new(:base_url => "url", :path => "path", :wp_content_dir => "dir", :name => "name") }.to_not raise_error
describe '#initialize' do
it 'should not raise an exception' do
expect { WpPlugin.new(base_url: 'url', path: 'path', wp_content_dir: 'dir', name: 'name') }.to_not raise_error
end
it "should not raise an exception (wp_content_dir not set)" do
expect { WpPlugin.new(:base_url => "url", :path => "path", :name => "name") }.to_not raise_error
it 'should not raise an exception (wp_content_dir not set)' do
expect { WpPlugin.new(base_url: 'url', path: 'path', name: 'name') }.to_not raise_error
end
it "should raise an exception (base_url not set)" do
expect { WpPlugin.new(:path => "path", :wp_content_dir => "dir", :name => "name") }.to raise_error
it 'should raise an exception (base_url not set)' do
expect { WpPlugin.new(path: 'path', wp_content_dir: 'dir', name: 'name') }.to raise_error
end
it "should raise an exception (path not set)" do
expect { WpPlugin.new(:base_url => "url", :wp_content_dir => "dir", :name => "name") }.to raise_error
it 'should raise an exception (path not set)' do
expect { WpPlugin.new(base_url: 'url', wp_content_dir: 'dir', name: 'name') }.to raise_error
end
it "should raise an exception (name not set)" do
expect { WpPlugin.new(:base_url => "url", :path => "path", :wp_content_dir => "dir") }.to raise_error
it 'should raise an exception (name not set)' do
expect { WpPlugin.new(base_url: 'url', path: 'path', wp_content_dir: 'dir') }.to raise_error
end
end
describe "#error_log_url" do
it "should return a correct url" do
temp = WpPlugin.new(:base_url => "http://wordpress.com",
:path => "test/asdf.php")
temp.error_log_url.to_s.should == "http://wordpress.com/wp-content/plugins/test/error_log"
describe '#error_log_url' do
it 'should return a correct url' do
temp = WpPlugin.new(
base_url: 'http://wordpress.com',
path: 'test/asdf.php'
)
temp.error_log_url.to_s.should == 'http://wordpress.com/wp-content/plugins/test/error_log'
end
end
describe "#error_log?" do
describe '#error_log?' do
before :each do
@temp = WpPlugin.new(:base_url => "http://wordpress.com",
:path => "test/asdf.php")
@temp = WpPlugin.new(
base_url: 'http://wordpress.com',
path: 'test/asdf.php')
end
it "should return true" do
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 200, :body => "PHP Fatal error")
it 'should return true' do
stub_request(:get, @temp.error_log_url.to_s).to_return(status: 200, body: 'PHP Fatal error')
@temp.error_log?.should be true
end
it "should return false" do
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 500, :body => "Access denied")
it 'should return false' do
stub_request(:get, @temp.error_log_url.to_s).to_return(status: 500, body: 'Access denied')
@temp.error_log?.should be false
end
it "should return true" do
fixtures_dir = SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + "/error_log"
stub_request(:get, @temp.error_log_url.to_s).to_return(:status => 200,
:body => File.new(fixtures_dir + '/error_log'))
it 'should return true' do
fixtures_dir = SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/error_log'
stub_request(:get, @temp.error_log_url.to_s).to_return(
status: 200,
body: File.new(fixtures_dir + '/error_log')
)
@temp.error_log?.should be true
end

279
spec/lib/wpscan/wp_target_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -24,304 +25,304 @@ describe WpTarget do
Browser.reset
@options =
{
:config_file => SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
:cache_timeout => 0,
:wp_content_dir => "wp-content",
:wp_plugins_dir => "wp-content/plugins"
config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
cache_timeout: 0,
wp_content_dir: 'wp-content',
wp_plugins_dir: 'wp-content/plugins'
}
@wp_target = WpTarget.new("http://example.localhost/", @options)
@wp_target = WpTarget.new('http://example.localhost/', @options)
end
it_should_behave_like "WebSite"
it_should_behave_like "WpReadme"
it_should_behave_like "WpConfigBackup"
it_should_behave_like "WpFullPathDisclosure"
it_should_behave_like "WpLoginProtection"
it_should_behave_like "Malwares"
it_should_behave_like "BruteForce"
it_should_behave_like "WpUsernames"
it_should_behave_like "WpTimthumbs"
it_should_behave_like "WpPlugins"
it_should_behave_like "WpThemes"
it_should_behave_like 'WebSite'
it_should_behave_like 'WpReadme'
it_should_behave_like 'WpConfigBackup'
it_should_behave_like 'WpFullPathDisclosure'
it_should_behave_like 'WpLoginProtection'
it_should_behave_like 'Malwares'
it_should_behave_like 'BruteForce'
it_should_behave_like 'WpUsernames'
it_should_behave_like 'WpTimthumbs'
it_should_behave_like 'WpPlugins'
it_should_behave_like 'WpThemes'
describe "#initialize" do
it "should raise an error if the target_url is nil or empty" do
describe '#initialize' do
it 'should raise an error if the target_url is nil or empty' do
expect { WpTarget.new(nil) }.to raise_error
expect { Wptarget.new('') }.to raise_error
end
it "should add the http protocol if missing" do
WpTarget.new("example.localhost/", @options).url.should === "http://example.localhost/"
it 'should add the http protocol if missing' do
WpTarget.new('example.localhost/', @options).url.should === 'http://example.localhost/'
end
it "should add the trailing slash to the url if missing" do
WpTarget.new("lamp/wordpress", @options).url.should === "http://lamp/wordpress/"
it 'should add the trailing slash to the url if missing' do
WpTarget.new('lamp/wordpress', @options).url.should === 'http://lamp/wordpress/'
end
end
describe "#url" do
it "should return the url of the target" do
describe '#url' do
it 'should return the url of the target' do
@wp_target.url.should === @wp_target.uri.to_s
end
end
describe "#login_url" do
let(:login_url) { @wp_target.uri.merge("wp-login.php").to_s }
describe '#login_url' do
let(:login_url) { @wp_target.uri.merge('wp-login.php').to_s }
it "should return the login url of the target" do
stub_request(:get, login_url).to_return(:status => 200, :body => '')
it 'should return the login url of the target' do
stub_request(:get, login_url).to_return(status: 200, body: '')
@wp_target.login_url.should === login_url
end
it "should return the redirection url if there is one (ie: for https)" do
https_login_url = login_url.gsub(/^http:/, "https:")
it 'should return the redirection url if there is one (ie: for https)' do
https_login_url = login_url.gsub(/^http:/, 'https:')
stub_request(:get, login_url).to_return(:status => 302, :headers => { :location => https_login_url })
stub_request(:get, https_login_url).to_return(:status => 200)
stub_request(:get, login_url).to_return(status: 302, headers: { location: https_login_url })
stub_request(:get, https_login_url).to_return(status: 200)
@wp_target.login_url.should === https_login_url
end
end
describe "#wp_content_dir" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_TARGET_DIR + "/wp_content_dir" }
describe '#wp_content_dir' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_TARGET_DIR + '/wp_content_dir' }
after :each do
@wp_target = WpTarget.new(@target_url) if @target_url
stub_request_to_fixture(:url => @wp_target.url, :fixture => @fixture) if @fixture
stub_request_to_fixture(url: @wp_target.url, fixture: @fixture) if @fixture
@wp_target.wp_content_dir.should === @expected
end
it "should return the string set in the initialize method" do
@wp_target = WpTarget.new("http://example.localhost/", @options.merge(:wp_content_dir => "hello-world"))
@expected = "hello-world"
it 'should return the string set in the initialize method' do
@wp_target = WpTarget.new('http://example.localhost/', @options.merge(wp_content_dir: 'hello-world'))
@expected = 'hello-world'
end
it "should return 'wp-content'" do
@target_url = "http://lamp/wordpress-3.4.1"
@fixture = fixtures_dir + "/wordpress-3.4.1.htm"
@expected = "wp-content"
@target_url = 'http://lamp/wordpress-3.4.1'
@fixture = fixtures_dir + '/wordpress-3.4.1.htm'
@expected = 'wp-content'
end
it "should return 'wp-content' if url has trailing slash" do
@target_url = "http://lamp/wordpress-3.4.1/"
@fixture = fixtures_dir + "/wordpress-3.4.1.htm"
@expected = "wp-content"
@target_url = 'http://lamp/wordpress-3.4.1/'
@fixture = fixtures_dir + '/wordpress-3.4.1.htm'
@expected = 'wp-content'
end
it "should find the default 'wp-content' dir even if the target_url is not the same (ie : the user supply an IP address and the url used in the code is a domain)" do
@target_url = "http://192.168.1.103/wordpress-3.4.1/"
@fixture = fixtures_dir + "/wordpress-3.4.1.htm"
@expected = "wp-content"
@target_url = 'http://192.168.1.103/wordpress-3.4.1/'
@fixture = fixtures_dir + '/wordpress-3.4.1.htm'
@expected = 'wp-content'
end
it "should return 'custom-content'" do
@target_url = "http://lamp/wordpress-3.4.1-custom"
@fixture = fixtures_dir + "/wordpress-3.4.1-custom.htm"
@expected = "custom-content"
@target_url = 'http://lamp/wordpress-3.4.1-custom'
@fixture = fixtures_dir + '/wordpress-3.4.1-custom.htm'
@expected = 'custom-content'
end
it "should return 'custom content spaces'" do
@target_url = "http://lamp/wordpress-3.4.1-custom"
@fixture = fixtures_dir + "/wordpress-3.4.1-custom-with-spaces.htm"
@expected = "custom content spaces"
@target_url = 'http://lamp/wordpress-3.4.1-custom'
@fixture = fixtures_dir + '/wordpress-3.4.1-custom-with-spaces.htm'
@expected = 'custom content spaces'
end
it "should return 'custom-dir/subdir/content'" do
@target_url = "http://lamp/wordpress-3.4.1-custom"
@fixture = fixtures_dir + "/wordpress-3.4.1-custom-subdirectories.htm"
@expected = "custom-dir/subdir/content"
@target_url = 'http://lamp/wordpress-3.4.1-custom'
@fixture = fixtures_dir + '/wordpress-3.4.1-custom-subdirectories.htm'
@expected = 'custom-dir/subdir/content'
end
it "should also check in src attributes" do
@target_url = "http://lamp/wordpress-3.4.1"
@fixture = fixtures_dir + "/wordpress-3.4.1-in-src.htm"
@expected = "wp-content"
it 'should also check in src attributes' do
@target_url = 'http://lamp/wordpress-3.4.1'
@fixture = fixtures_dir + '/wordpress-3.4.1-in-src.htm'
@expected = 'wp-content'
end
it "should find the location even if the src or href goes in the plugins dir" do
@target_url = "http://wordpress-3.4.1-in-plugins.htm"
@fixture = fixtures_dir + "/wordpress-3.4.1-in-plugins.htm"
@expected = "wp-content"
it 'should find the location even if the src or href goes in the plugins dir' do
@target_url = 'http://wordpress-3.4.1-in-plugins.htm'
@fixture = fixtures_dir + '/wordpress-3.4.1-in-plugins.htm'
@expected = 'wp-content'
end
it "should not detect facebook.com as a custom wp-content directory" do
@target_url = "http://lamp.localhost/"
@fixture = fixtures_dir + "/facebook-detection.htm"
it 'should not detect facebook.com as a custom wp-content directory' do
@target_url = 'http://lamp.localhost/'
@fixture = fixtures_dir + '/facebook-detection.htm'
@expected = nil
end
end
describe "#wp_plugins_dir" do
describe '#wp_plugins_dir' do
after :each do
@wp_target.stub(:wp_plugins_dir => @stub_value) if @stub_value
@wp_target.stub(wp_plugins_dir: @stub_value) if @stub_value
@wp_target.wp_plugins_dir.should === @expected
end
it "should return the string set in the initialize method" do
@wp_target = WpTarget.new("http://example.localhost/", @options.merge(:wp_content_dir => "asdf", :wp_plugins_dir => "custom-plugins"))
@expected = "custom-plugins"
it 'should return the string set in the initialize method' do
@wp_target = WpTarget.new('http://example.localhost/', @options.merge(wp_content_dir: 'asdf', wp_plugins_dir: 'custom-plugins'))
@expected = 'custom-plugins'
end
it "should return 'plugins'" do
@stub_value = "plugins"
@expected = "plugins"
@stub_value = 'plugins'
@expected = 'plugins'
end
it "should return 'wp-content/plugins'" do
@wp_target = WpTarget.new("http://example.localhost/", @options.merge(:wp_content_dir => "wp-content", :wp_plugins_dir => nil))
@expected = "wp-content/plugins"
@wp_target = WpTarget.new('http://example.localhost/', @options.merge(wp_content_dir: 'wp-content', wp_plugins_dir: nil))
@expected = 'wp-content/plugins'
end
end
describe "#wp_plugins_dir_exists?" do
it "should return true" do
target = WpTarget.new("http://example.localhost/", @options.merge(:wp_content_dir => "asdf", :wp_plugins_dir => "custom-plugins"))
describe '#wp_plugins_dir_exists?' do
it 'should return true' do
target = WpTarget.new('http://example.localhost/', @options.merge(wp_content_dir: 'asdf', wp_plugins_dir: 'custom-plugins'))
url = target.uri.merge(target.wp_plugins_dir).to_s
stub_request(:any, url).to_return(:status => 200)
stub_request(:any, url).to_return(status: 200)
target.wp_plugins_dir_exists?.should == true
end
it "should return false" do
target = WpTarget.new("http://example.localhost/", @options.merge(:wp_content_dir => "asdf", :wp_plugins_dir => "custom-plugins"))
it 'should return false' do
target = WpTarget.new('http://example.localhost/', @options.merge(wp_content_dir: 'asdf', wp_plugins_dir: 'custom-plugins'))
url = target.uri.merge(target.wp_plugins_dir).to_s
stub_request(:any, url).to_return(:status => 404)
stub_request(:any, url).to_return(status: 404)
target.wp_plugins_dir_exists?.should == false
end
end
describe "#debug_log_url" do
describe '#debug_log_url' do
it "should return 'http://example.localhost/wp-content/debug.log" do
@wp_target.stub(:wp_content_dir => "wp-content")
@wp_target.debug_log_url.should === "http://example.localhost/wp-content/debug.log"
@wp_target.stub(wp_content_dir: 'wp-content')
@wp_target.debug_log_url.should === 'http://example.localhost/wp-content/debug.log'
end
end
describe "#has_debug_log?" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_TARGET_DIR + "/debug_log" }
describe '#has_debug_log?' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_TARGET_DIR + '/debug_log' }
after :each do
@wp_target.stub(:wp_content_dir => "wp-content")
stub_request_to_fixture(:url => @wp_target.debug_log_url(), :fixture => @fixture)
@wp_target.stub(wp_content_dir: 'wp-content')
stub_request_to_fixture(url: @wp_target.debug_log_url(), fixture: @fixture)
@wp_target.has_debug_log?.should === @expected
end
it "should return false" do
@fixture = SPEC_FIXTURES_DIR + "/empty-file"
it 'should return false' do
@fixture = SPEC_FIXTURES_DIR + '/empty-file'
@expected = false
end
it "should return true" do
@fixture = fixtures_dir + "/debug.log"
it 'should return true' do
@fixture = fixtures_dir + '/debug.log'
@expected = true
end
it "should also detect it if there are PHP notice" do
@fixture = fixtures_dir + "/debug-notice.log"
it 'should also detect it if there are PHP notice' do
@fixture = fixtures_dir + '/debug-notice.log'
@expected = true
end
end
describe "#search_replace_db_2_url" do
it "should return the correct url" do
@wp_target.search_replace_db_2_url.should == "http://example.localhost/searchreplacedb2.php"
describe '#search_replace_db_2_url' do
it 'should return the correct url' do
@wp_target.search_replace_db_2_url.should == 'http://example.localhost/searchreplacedb2.php'
end
end
describe "#search_replace_db_2_exists?" do
it "should return true" do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(:status => 200, :body => "asdf by interconnect asdf")
describe '#search_replace_db_2_exists?' do
it 'should return true' do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(status: 200, body: 'asdf by interconnect asdf')
@wp_target.search_replace_db_2_exists?.should be_true
end
it "should return false" do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(:status => 500)
it 'should return false' do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(status: 500)
@wp_target.search_replace_db_2_exists?.should be_false
end
it "should return false" do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(:status => 500, :body => "asdf by interconnect asdf")
it 'should return false' do
stub_request(:any, @wp_target.search_replace_db_2_url).to_return(status: 500, body: 'asdf by interconnect asdf')
@wp_target.search_replace_db_2_exists?.should be_false
end
end
describe "#registration_url" do
it "should return the correct url (multisite)" do
describe '#registration_url' do
it 'should return the correct url (multisite)' do
# set to multi site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 200)
@wp_target.registration_url.to_s.should == "http://example.localhost/wp-signup.php"
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 200)
@wp_target.registration_url.to_s.should == 'http://example.localhost/wp-signup.php'
end
it "should return the correct url (not multisite)" do
it 'should return the correct url (not multisite)' do
# set to single site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
@wp_target.registration_url.to_s.should == "http://example.localhost/wp-login.php?action=register"
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 302, headers: { 'Location' => 'wp-login.php?action=register' })
@wp_target.registration_url.to_s.should == 'http://example.localhost/wp-login.php?action=register'
end
end
describe "#registration_enabled?" do
it "should return false (multisite)" do
describe '#registration_enabled?' do
it 'should return false (multisite)' do
# set to multi site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 200)
stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 302, :headers => { "Location" => "wp-login.php?registration=disabled" })
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 200)
stub_request(:any, @wp_target.registration_url.to_s).to_return(status: 302, headers: { 'Location' => 'wp-login.php?registration=disabled' })
@wp_target.registration_enabled?.should be_false
end
it "should return true (multisite)" do
it 'should return true (multisite)' do
# set to multi site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 200)
stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 200, :body => %{<form id="setupform" method="post" action="wp-signup.php">})
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 200)
stub_request(:any, @wp_target.registration_url.to_s).to_return(status: 200, body: %{<form id="setupform" method="post" action="wp-signup.php">})
@wp_target.registration_enabled?.should be_true
end
it "should return false (not multisite)" do
it 'should return false (not multisite)' do
# set to single site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 302, :headers => { "Location" => "wp-login.php?registration=disabled" })
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 302, headers: { 'Location' => 'wp-login.php?action=register' })
stub_request(:any, @wp_target.registration_url.to_s).to_return(status: 302, headers: { 'Location' => 'wp-login.php?registration=disabled' })
@wp_target.registration_enabled?.should be_false
end
it "should return true (not multisite)" do
it 'should return true (not multisite)' do
# set to single site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 200, :body => %{<form name="registerform" id="registerform" action="wp-login.php"})
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 302, headers: { 'Location' => 'wp-login.php?action=register' })
stub_request(:any, @wp_target.registration_url.to_s).to_return(status: 200, body: %{<form name="registerform" id="registerform" action="wp-login.php"})
@wp_target.registration_enabled?.should be_true
end
it "should return false" do
it 'should return false' do
# set to single site
stub_request(:any, "http://example.localhost/wp-signup.php").to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
stub_request(:any, @wp_target.registration_url.to_s).to_return(:status => 500)
stub_request(:any, 'http://example.localhost/wp-signup.php').to_return(status: 302, headers: { 'Location' => 'wp-login.php?action=register' })
stub_request(:any, @wp_target.registration_url.to_s).to_return(status: 500)
@wp_target.registration_enabled?.should be_false
end
end
describe "#is_multisite?" do
describe '#is_multisite?' do
before :each do
@url = @wp_target.uri.merge("wp-signup.php").to_s
@url = @wp_target.uri.merge('wp-signup.php').to_s
end
it "should return false" do
stub_request(:any, @url).to_return(:status => 302, :headers => { "Location" => "wp-login.php?action=register" })
it 'should return false' do
stub_request(:any, @url).to_return(status: 302, headers: { 'Location' => 'wp-login.php?action=register' })
@wp_target.is_multisite?.should be_false
end
it "should return true" do
stub_request(:any, @url).to_return(:status => 302, :headers => { "Location" => "http://example.localhost/wp-signup.php" })
it 'should return true' do
stub_request(:any, @url).to_return(status: 302, headers: { 'Location' => 'http://example.localhost/wp-signup.php' })
@wp_target.is_multisite?.should be_true
end
it "should return true" do
stub_request(:any, @url).to_return(:status => 200)
it 'should return true' do
stub_request(:any, @url).to_return(status: 200)
@wp_target.is_multisite?.should be_true
end
it "should return false" do
stub_request(:any, @url).to_return(:status => 500)
it 'should return false' do
stub_request(:any, @url).to_return(status: 500)
@wp_target.is_multisite?.should be_false
end
end

203
spec/lib/wpscan/wp_theme_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,46 +17,46 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
require File.expand_path(File.dirname(__FILE__) + "/wpscan_helper")
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpTheme do
before :all do
@target_uri = URI.parse("http://example.localhost/")
@target_uri = URI.parse('http://example.localhost/')
Browser.instance(
:config_file => SPEC_FIXTURES_CONF_DIR + "/browser/browser.conf.json",
:cache_timeout => 0
config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
cache_timeout: 0
)
end
describe "#initialize" do
it "should not raise an exception" do
expect { WpTheme.new(:base_url => "url", :path => "path", :wp_content_dir => "dir", :name => "name") }.to_not raise_error
describe '#initialize' do
it 'should not raise an exception' do
expect { WpTheme.new(base_url: 'url', path: 'path', wp_content_dir: 'dir', name: 'name') }.to_not raise_error
end
it "should not raise an exception (wp_content_dir not set)" do
expect { WpTheme.new(:base_url => "url", :path => "path", :name => "name") }.to_not raise_error
it 'should not raise an exception (wp_content_dir not set)' do
expect { WpTheme.new(base_url: 'url', path: 'path', name: 'name') }.to_not raise_error
end
it "should raise an exception (base_url not set)" do
expect { WpTheme.new(:path => "path", :wp_content_dir => "dir", :name => "name") }.to raise_error
it 'should raise an exception (base_url not set)' do
expect { WpTheme.new(path: 'path', wp_content_dir: 'dir', name: 'name') }.to raise_error
end
it "should raise an exception (path not set)" do
expect { WpTheme.new(:base_url => "url", :wp_content_dir => "dir", :name => "name") }.to raise_error
it 'should raise an exception (path not set)' do
expect { WpTheme.new(base_url: 'url', wp_content_dir: 'dir', name: 'name') }.to raise_error
end
it "should raise an exception (name not set)" do
expect { WpTheme.new(:base_url => "url", :path => "path", :wp_content_dir => "dir") }.to raise_error
it 'should raise an exception (name not set)' do
expect { WpTheme.new(base_url: 'url', path: 'path', wp_content_dir: 'dir') }.to raise_error
end
end
describe "#find_from_css_link" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + "/find/css_link" }
describe '#find_from_css_link' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + '/find/css_link' }
after :each do
if @expected_name
stub_request_to_fixture(:url => @target_uri.to_s, :fixture => @fixture)
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
wp_theme = WpTheme.find_from_css_link(@target_uri)
wp_theme.should be_a WpTheme
@@ -63,36 +64,36 @@ describe WpTheme do
end
end
it "should return nil if no theme is present" do
stub_request(:get, @target_uri.to_s).to_return(:status => 200, :body => "")
it 'should return nil if no theme is present' do
stub_request(:get, @target_uri.to_s).to_return(status: 200, body: '')
WpTheme.find_from_css_link(@target_uri).should be_nil
end
it "should return a WpTheme object with .name = twentyeleven" do
@fixture = fixtures_dir + "/wordpress-twentyeleven.htm"
@expected_name = "twentyeleven"
it 'should return a WpTheme object with .name = twentyeleven' do
@fixture = fixtures_dir + '/wordpress-twentyeleven.htm'
@expected_name = 'twentyeleven'
end
# http://code.google.com/p/wpscan/issues/detail?id=131
# Theme name with spaces raises bad URI(is not URI?)
it "should not raise an error if the theme name has spaces or special chars" do
@fixture = fixtures_dir + "/theme-name-with-spaces.html"
@expected_name = "Copia di simplefolio"
it 'should not raise an error if the theme name has spaces or special chars' do
@fixture = fixtures_dir + '/theme-name-with-spaces.html'
@expected_name = 'Copia di simplefolio'
end
# https://github.com/wpscanteam/wpscan/issues/18
it "should get the theme if the <link> is inline with some other tags" do
@fixture = fixtures_dir + "/inline_link_tag.html"
@expected_name = "inline"
it 'should get the theme if the <link> is inline with some other tags' do
@fixture = fixtures_dir + '/inline_link_tag.html'
@expected_name = 'inline'
end
end
describe "#find_from_wooframework" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + "/find/wooframework" }
describe '#find_from_wooframework' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + '/find/wooframework' }
after :each do
stub_request_to_fixture(:url => @target_uri.to_s, :fixture => @fixture)
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
wp_theme = WpTheme.find_from_wooframework(@target_uri)
@@ -101,21 +102,21 @@ describe WpTheme do
end
it "should return a WpTheme object with .name 'Editorial' and .version '1.3.5'" do
@fixture = fixtures_dir + "/editorial-1.3.5.html"
@expected_theme = WpTheme.new(:name => "Editorial", :version => "1.3.5", :base_url => "", :path => "", :wp_content_dir => "")
@fixture = fixtures_dir + '/editorial-1.3.5.html'
@expected_theme = WpTheme.new(name: 'Editorial', version: '1.3.5', base_url: '', path: '', wp_content_dir: '')
end
it "should return a WpTheme object with .name 'Merchant'" do
@fixture = fixtures_dir + "/merchant-no-version.html"
@expected_theme = WpTheme.new(:name => "Merchant", :base_url => "", :path => "", :wp_content_dir => "")
@fixture = fixtures_dir + '/merchant-no-version.html'
@expected_theme = WpTheme.new(name: 'Merchant', base_url: '', path: '', wp_content_dir: '')
end
end
describe "#find" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + "/find" }
describe '#find' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + '/find' }
after :each do
stub_request_to_fixture(:url => @target_uri.to_s, :fixture => @fixture)
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
wp_theme = WpTheme.find(@target_uri)
@@ -127,109 +128,117 @@ describe WpTheme do
end
end
it "should return nil if no theme is found" do
@fixture = SPEC_FIXTURES_DIR + "/empty-file"
it 'should return nil if no theme is found' do
@fixture = SPEC_FIXTURES_DIR + '/empty-file'
@expected_name = nil
end
it "should return a WpTheme object with .name 'twentyeleven'" do
@fixture = fixtures_dir + "/css_link/wordpress-twentyeleven.htm"
@expected_name = "twentyeleven"
@fixture = fixtures_dir + '/css_link/wordpress-twentyeleven.htm'
@expected_name = 'twentyeleven'
end
it "should a WpTheme object with .name 'Merchant'" do
@fixture = fixtures_dir + "/wooframework/merchant-no-version.html"
@expected_name = "Merchant"
@fixture = fixtures_dir + '/wooframework/merchant-no-version.html'
@expected_name = 'Merchant'
end
end
describe "#version" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + "/version" }
let(:theme_style_url) { @target_uri.merge("wp-content/themes/spec-theme/style.css").to_s }
describe '#version' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_THEME_DIR + '/version' }
let(:theme_style_url) { @target_uri.merge('wp-content/themes/spec-theme/style.css').to_s }
after :each do
if @fixture
stub_request_to_fixture(:url => theme_style_url, :fixture => @fixture)
stub_request_to_fixture(url: theme_style_url, fixture: @fixture)
wp_theme = WpTheme.new(:name => "spec-theme", :style_url => theme_style_url, :base_url => "", :path => "", :wp_content_dir => "")
wp_theme = WpTheme.new(name: 'spec-theme', style_url: theme_style_url, base_url: '', path: '', wp_content_dir: '')
wp_theme.version.should === @expected
end
end
it "should return nil if the version is not found" do
@fixture = fixtures_dir + "/twentyeleven-unknow.css"
it 'should return nil if the version is not found' do
@fixture = fixtures_dir + '/twentyeleven-unknow.css'
@expected = nil
end
it "should return nil if the style_url is nil" do
WpTheme.new(:name => "hello-world", :base_url => "", :path => "", :wp_content_dir => "").version.should be_nil
it 'should return nil if the style_url is nil' do
WpTheme.new(name: 'hello-world', base_url: '', path: '', wp_content_dir: '').version.should be_nil
end
it "should return 1.3" do
@fixture = fixtures_dir + "/twentyeleven-1.3.css"
@expected = "1.3"
it 'should return 1.3' do
@fixture = fixtures_dir + '/twentyeleven-1.3.css'
@expected = '1.3'
end
it "should return 1.5.1" do
@fixture = fixtures_dir + "/bueno-1.5.1.css"
@expected = "1.5.1"
it 'should return 1.5.1' do
@fixture = fixtures_dir + '/bueno-1.5.1.css'
@expected = '1.5.1'
end
end
describe "#===" do
it "should return false (name not equal)" do
instance = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
describe '#===' do
it 'should return false (name not equal)' do
instance = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/name/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
instance2 = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/newname/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
instance2 = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/newname/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
(instance === instance2).should == false
end
it "should return false (version not equal)" do
instance = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
it 'should return false (version not equal)' do
instance = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/name/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
instance2 = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_file => "XXX.xml",
:version => "2.0"
instance2 = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/name/asdf.php',
vulns_file: 'XXX.xml',
version: '2.0'
)
(instance === instance2).should == false
end
it "should return false (version and name not equal)" do
instance = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/name/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
it 'should return false (version and name not equal)' do
instance = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/name/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
instance2 = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/newname/asdf.php",
:vulns_file => "XXX.xml",
:version => "2.0"
instance2 = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/newname/asdf.php',
vulns_file: 'XXX.xml',
version: '2.0'
)
(instance === instance2).should == false
end
it "should return true" do
instance = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/test/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
it 'should return true' do
instance = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/test/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
instance2 = WpTheme.new(:base_url => "http://sub.example.com/path/to/wordpress/",
:path => "themes/test/asdf.php",
:vulns_file => "XXX.xml",
:version => "1.0"
instance2 = WpTheme.new(
base_url: 'http://sub.example.com/path/to/wordpress/',
path: 'themes/test/asdf.php',
vulns_file: 'XXX.xml',
version: '1.0'
)
(instance === instance2).should == true
end

71
spec/lib/wpscan/wp_user_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -16,69 +17,69 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#++
require File.expand_path(File.dirname(__FILE__) + "/wpscan_helper")
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe WpUser do
describe "#initialize" do
it "should replace nil with empty" do
describe '#initialize' do
it 'should replace nil with empty' do
user = WpUser.new(nil, nil, nil)
user.name.should == "empty"
user.id.should == "empty"
user.nickname == "empty"
user.name.should == 'empty'
user.id.should == 'empty'
user.nickname == 'empty'
end
it "should initialize a user object" do
user = WpUser.new("name", "id", "nickname")
user.name.should == "name"
user.id.should == "id"
user.nickname == "nickname"
it 'should initialize a user object' do
user = WpUser.new('name', 'id', 'nickname')
user.name.should == 'name'
user.id.should == 'id'
user.nickname == 'nickname'
end
end
describe "#<=>" do
it "should return -1" do
user1 = WpUser.new("b", nil, nil)
user2 = WpUser.new("a", nil, nil)
describe '#<=>' do
it 'should return -1' do
user1 = WpUser.new('b', nil, nil)
user2 = WpUser.new('a', nil, nil)
(user1 <=> user2).should === -1
end
it "should return 0" do
user1 = WpUser.new("a", nil, nil)
user2 = WpUser.new("a", nil, nil)
it 'should return 0' do
user1 = WpUser.new('a', nil, nil)
user2 = WpUser.new('a', nil, nil)
(user1 <=> user2).should === 0
end
it "should return 1" do
user1 = WpUser.new("a", nil, nil)
user2 = WpUser.new("b", nil, nil)
it 'should return 1' do
user1 = WpUser.new('a', nil, nil)
user2 = WpUser.new('b', nil, nil)
(user1 <=> user2).should === 1
end
end
describe "#===" do
it "should return true" do
user1 = WpUser.new("a", "id", "nick")
user2 = WpUser.new("a", "id", "nick")
describe '#===' do
it 'should return true' do
user1 = WpUser.new('a', 'id', 'nick')
user2 = WpUser.new('a', 'id', 'nick')
(user1 === user2).should be_true
end
it "should return false" do
user1 = WpUser.new("a", "id", "nick")
user2 = WpUser.new("b", "id", "nick")
it 'should return false' do
user1 = WpUser.new('a', 'id', 'nick')
user2 = WpUser.new('b', 'id', 'nick')
(user1 === user2).should be_false
end
end
describe "#eql?" do
it "should return true" do
user1 = WpUser.new("a", "id", "nick")
user2 = WpUser.new("a", "id", "nick")
describe '#eql?' do
it 'should return true' do
user1 = WpUser.new('a', 'id', 'nick')
user2 = WpUser.new('a', 'id', 'nick')
(user1.eql? user2).should be_true
end
it "should return false" do
user1 = WpUser.new("a", "id", "nick")
user2 = WpUser.new("b", "id", "nick")
it 'should return false' do
user1 = WpUser.new('a', 'id', 'nick')
user2 = WpUser.new('b', 'id', 'nick')
(user1.eql? user2).should be_false
end
end

241
spec/lib/wpscan/wp_version_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -22,283 +23,283 @@ describe WpVersion do
before :all do
@target_uri = URI.parse('http://example.localhost/')
@browser = Browser.instance(:config_file => SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json')
@browser = Browser.instance(config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json')
end
describe "#find_from_meta_generator" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/meta-generator" }
describe '#find_from_meta_generator' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/meta-generator' }
after :each do
stub_request_to_fixture(:url => @target_uri.to_s, :fixture => @fixture)
WpVersion.find_from_meta_generator(:base_url => @target_uri.to_s).should === @expected
stub_request_to_fixture(url: @target_uri.to_s, fixture: @fixture)
WpVersion.find_from_meta_generator(base_url: @target_uri.to_s).should === @expected
end
it "should return nil if the meta-generator is not found" do
@fixture = fixtures_dir + "/no-meta-generator.htm"
it 'should return nil if the meta-generator is not found' do
@fixture = fixtures_dir + '/no-meta-generator.htm'
@expected = nil
end
it "should return 3.3.2" do
@fixture = fixtures_dir + "/3.3.2.htm"
@expected = "3.3.2"
it 'should return 3.3.2' do
@fixture = fixtures_dir + '/3.3.2.htm'
@expected = '3.3.2'
end
it "should return 3.4-beta4" do
@fixture = fixtures_dir + "/3.4-beta4.htm"
@expected = "3.4-beta4"
it 'should return 3.4-beta4' do
@fixture = fixtures_dir + '/3.4-beta4.htm'
@expected = '3.4-beta4'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@fixture = fixtures_dir + "/invalid_version.htm"
@fixture = fixtures_dir + '/invalid_version.htm'
@expected = nil
end
it "should return 3.5" do
@fixture = fixtures_dir + "/3.5_minified.htm"
@expected = "3.5"
it 'should return 3.5' do
@fixture = fixtures_dir + '/3.5_minified.htm'
@expected = '3.5'
end
end
describe "#find_from_rss_generator" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/rss-generator" }
describe '#find_from_rss_generator' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/rss-generator' }
after :each do
@status_code ||= 200
stub_request_to_fixture(:url => @target_uri.merge("feed/").to_s, :status => @status_code, :fixture => @fixture)
WpVersion.find_from_rss_generator(:base_url => @target_uri).should === @expected
stub_request_to_fixture(url: @target_uri.merge('feed/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_rss_generator(base_url: @target_uri).should === @expected
end
it "should return nil on a 404" do
it 'should return nil on a 404' do
@status_code = 404
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/404.htm"
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
@expected = nil
end
it "should return nil if the rss-generator is not found" do
@fixture = fixtures_dir + "/no-rss-generator.htm"
it 'should return nil if the rss-generator is not found' do
@fixture = fixtures_dir + '/no-rss-generator.htm'
@expected = nil
end
it "should return nil if the version is not found (but the rss-generator is present)" do
@fixture = fixtures_dir + "/no-version.htm"
it 'should return nil if the version is not found (but the rss-generator is present)' do
@fixture = fixtures_dir + '/no-version.htm'
@expected = nil
end
it "shuld return 3.3.2" do
@fixture = fixtures_dir + "/3.3.2.htm"
@expected = "3.3.2"
it 'shuld return 3.3.2' do
@fixture = fixtures_dir + '/3.3.2.htm'
@expected = '3.3.2'
end
it "should return 3.4-beta4" do
@fixture = fixtures_dir + "/3.4-beta4.htm"
@expected = "3.4-beta4"
it 'should return 3.4-beta4' do
@fixture = fixtures_dir + '/3.4-beta4.htm'
@expected = '3.4-beta4'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@fixture = fixtures_dir + "/invalid_version.htm"
@fixture = fixtures_dir + '/invalid_version.htm'
@expected = nil
end
end
describe "#find_from_rdf_generator" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/rdf-generator" }
describe '#find_from_rdf_generator' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/rdf-generator' }
after :each do
@status_code ||= 200
stub_request_to_fixture(:url => @target_uri.merge("feed/rdf/").to_s, :status => @status_code, :fixture => @fixture)
WpVersion.find_from_rdf_generator(:base_url => @target_uri).should === @expected
stub_request_to_fixture(url: @target_uri.merge('feed/rdf/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_rdf_generator(base_url: @target_uri).should === @expected
end
it "should return nil on a 404" do
it 'should return nil on a 404' do
@status_code = 404
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/404.htm"
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
@expected = nil
end
it "should return nil if the rdf-generator is not found" do
@fixture = fixtures_dir + "/no-rdf-generator.htm"
it 'should return nil if the rdf-generator is not found' do
@fixture = fixtures_dir + '/no-rdf-generator.htm'
@expected = nil
end
it "should return nil if the version is not found (but the rdf-generator is present)" do
@fixture = fixtures_dir + "/no-version.htm"
it 'should return nil if the version is not found (but the rdf-generator is present)' do
@fixture = fixtures_dir + '/no-version.htm'
@expected = nil
end
it "shuld return 3.3.2" do
@fixture = fixtures_dir + "/3.3.2.htm"
@expected = "3.3.2"
it 'shuld return 3.3.2' do
@fixture = fixtures_dir + '/3.3.2.htm'
@expected = '3.3.2'
end
it "should return 3.4-beta4" do
@fixture = fixtures_dir + "/3.4-beta4.htm"
@expected = "3.4-beta4"
it 'should return 3.4-beta4' do
@fixture = fixtures_dir + '/3.4-beta4.htm'
@expected = '3.4-beta4'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@fixture = fixtures_dir + "/invalid_version.htm"
@fixture = fixtures_dir + '/invalid_version.htm'
@expected = nil
end
end
describe "#find_from_atom_generator" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/atom-generator" }
describe '#find_from_atom_generator' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/atom-generator' }
after :each do
@status_code ||= 200
stub_request_to_fixture(:url => @target_uri.merge("feed/atom/").to_s, :status => @status_code, :fixture => @fixture)
WpVersion.find_from_atom_generator(:base_url => @target_uri).should === @expected
stub_request_to_fixture(url: @target_uri.merge('feed/atom/').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_atom_generator(base_url: @target_uri).should === @expected
end
it "should return nil on a 404" do
it 'should return nil on a 404' do
@status_code = 404
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/404.htm"
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
@expected = nil
end
it "should return nil if the atom-generator is not found" do
@fixture = fixtures_dir + "/no-atom-generator.htm"
it 'should return nil if the atom-generator is not found' do
@fixture = fixtures_dir + '/no-atom-generator.htm'
@expected = nil
end
it "should return nil if the version is not found (but the atom-generator is present)" do
@fixture = fixtures_dir + "/no-version.htm"
it 'should return nil if the version is not found (but the atom-generator is present)' do
@fixture = fixtures_dir + '/no-version.htm'
@expected = nil
end
it "shuld return 3.3.2" do
@fixture = fixtures_dir + "/3.3.2.htm"
@expected = "3.3.2"
it 'shuld return 3.3.2' do
@fixture = fixtures_dir + '/3.3.2.htm'
@expected = '3.3.2'
end
it "should return 3.4-beta4" do
@fixture = fixtures_dir + "/3.4-beta4.htm"
@expected = "3.4-beta4"
it 'should return 3.4-beta4' do
@fixture = fixtures_dir + '/3.4-beta4.htm'
@expected = '3.4-beta4'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@fixture = fixtures_dir + "/invalid_version.htm"
@fixture = fixtures_dir + '/invalid_version.htm'
@expected = nil
end
end
describe "#find_from_sitemap_generator" do
describe '#find_from_sitemap_generator' do
after :each do
stub_request(:get, @target_uri.merge("sitemap.xml").to_s).
to_return(:status => 200, :body => @body)
stub_request(:get, @target_uri.merge('sitemap.xml').to_s).
to_return(status: 200, body: @body)
WpVersion.find_from_sitemap_generator(:base_url => @target_uri).should === @expected
WpVersion.find_from_sitemap_generator(base_url: @target_uri).should === @expected
end
it "should return nil if the generator is not found" do
it 'should return nil if the generator is not found' do
@body = ''
@expected = nil
end
it "should return the version : 3.3.2" do
@body = "<!-- generator=\"wordpress/3.3.2\" -->"
@expected = "3.3.2"
it 'should return the version : 3.3.2' do
@body = '<!-- generator="wordpress/3.3.2" -->'
@expected = '3.3.2'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@body = "<!-- generator=\"wordpress/5065\" -->"
@body = '<!-- generator="wordpress/5065" -->'
@expected = nil
end
end
describe "#find_from_readme" do
describe '#find_from_readme' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/readme' }
after :each do
@status_code ||= 200
stub_request_to_fixture(:url => @target_uri.merge("readme.html").to_s, :status => @status_code, :fixture => @fixture)
stub_request_to_fixture(url: @target_uri.merge('readme.html').to_s, status: @status_code, fixture: @fixture)
WpVersion.find_from_readme(:base_url => @target_uri).should === @expected
WpVersion.find_from_readme(base_url: @target_uri).should === @expected
end
it "should return nil on a 404" do
it 'should return nil on a 404' do
@status_code = 404
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/404.htm"
@fixture = SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/404.htm'
@expected = nil
end
it "should return nil if the version number is not present" do
@fixture = fixtures_dir + "/empty-version.html"
it 'should return nil if the version number is not present' do
@fixture = fixtures_dir + '/empty-version.html'
@expected = nil
end
it "should return 3.3.2" do
@fixture = fixtures_dir + "/readme-3.3.2.html"
@expected = "3.3.2"
it 'should return 3.3.2' do
@fixture = fixtures_dir + '/readme-3.3.2.html'
@expected = '3.3.2'
end
it "should return nil if it's not a valid version, must contains at least one '.'" do
@fixture = fixtures_dir + "/invalid_version.html"
@fixture = fixtures_dir + '/invalid_version.html'
@expected = nil
end
end
describe "#find_from_advanced_fingerprinting" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/advanced" }
describe '#find_from_advanced_fingerprinting' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/advanced' }
it "should return 3.2.1" do
it 'should return 3.2.1' do
stub_request_to_fixture(
:url => @target_uri.merge("wp-admin/js/wp-fullscreen.js").to_s,
:fixture => "#{fixtures_dir}/3.2.1.js"
url: @target_uri.merge('wp-admin/js/wp-fullscreen.js').to_s,
fixture: "#{fixtures_dir}/3.2.1.js"
)
version = WpVersion.find_from_advanced_fingerprinting(
:base_url => @target_uri,
:wp_content_dir => "wp-content",
:version_xml => "#{fixtures_dir}/wp_versions.xml"
base_url: @target_uri,
wp_content_dir: 'wp-content',
version_xml: "#{fixtures_dir}/wp_versions.xml"
)
version.should == "3.2.1"
version.should == '3.2.1'
end
end
describe "#find_from_links_opml" do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + "/opml" }
describe '#find_from_links_opml' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/opml' }
it "should return 3.4.2" do
it 'should return 3.4.2' do
stub_request_to_fixture(
:url => @target_uri.merge("wp-links-opml.php").to_s,
:fixture => "#{fixtures_dir}/wp-links-opml.xml"
url: @target_uri.merge('wp-links-opml.php').to_s,
fixture: "#{fixtures_dir}/wp-links-opml.xml"
)
version = WpVersion.find_from_links_opml(:base_url => @target_uri)
version.should == "3.4.2"
version = WpVersion.find_from_links_opml(base_url: @target_uri)
version.should == '3.4.2'
end
it "should return nil" do
it 'should return nil' do
stub_request_to_fixture(
:url => @target_uri.merge("wp-links-opml.php").to_s,
:fixture => "#{fixtures_dir}/wp-links-opml-nogenerator.xml"
url: @target_uri.merge('wp-links-opml.php').to_s,
fixture: "#{fixtures_dir}/wp-links-opml-nogenerator.xml"
)
version = WpVersion.find_from_links_opml(:base_url => @target_uri)
version = WpVersion.find_from_links_opml(base_url: @target_uri)
version.should be_nil
end
end
describe "#initialize" do
it "should initialize a WpVersion object" do
v = WpVersion.new(1, {:discovery_method => "method", :vulns_file => "asdf.xml"})
describe '#initialize' do
it 'should initialize a WpVersion object' do
v = WpVersion.new(1, {discovery_method: 'method', vulns_file: 'asdf.xml'})
v.number.should == 1
v.discovery_method.should == "method"
v.discovery_method.should == 'method'
end
end
describe "#find" do
describe '#find' do
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_VERSION_DIR + '/advanced' }
it "should find all versions" do
it 'should find all versions' do
# All requests get a HTTP 404
stub_request(:any, /.*/).to_return(:status => 404)
stub_request(:any, /.*/).to_return(status: 404)
# Wordpress Version 3.2.1
stub_request_to_fixture(
:url => @target_uri.merge("wp-admin/js/wp-fullscreen.js").to_s,
:fixture => "#{fixtures_dir}/3.2.1.js"
url: @target_uri.merge('wp-admin/js/wp-fullscreen.js').to_s,
fixture: "#{fixtures_dir}/3.2.1.js"
)
version = WpVersion.find(@target_uri, "wp-content")
version.number.should == "3.2.1"
version.discovery_method.should == "advanced fingerprinting"
version = WpVersion.find(@target_uri, 'wp-content')
version.number.should == '3.2.1'
version.discovery_method.should == 'advanced fingerprinting'
end
end

39
spec/lib/wpscan/wp_vulnerability_spec.rb
View File

@@ -1,30 +1,37 @@
# encoding: UTF-8
# TODO
describe "#vulnerabilities" do
let(:location_url) { "http://example.localhost/" }
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + "/vulnerabilities" }
let(:vulns_file) { fixtures_dir + "/plugin_vulns.xml" }
let(:wp_plugin) { WpPlugin.new(:base_url => location_url,
:name => "spec-plugin",
:path => "plugins/spec-plugin/",
:vulns_file => vulns_file)
describe '#vulnerabilities' do
let(:location_url) { 'http://example.localhost/' }
let(:fixtures_dir) { SPEC_FIXTURES_WPSCAN_WP_PLUGIN_DIR + '/vulnerabilities' }
let(:vulns_file) { fixtures_dir + '/plugin_vulns.xml' }
let(:wp_plugin) {
WpPlugin.new(
base_url: location_url,
name: 'spec-plugin',
path: 'plugins/spec-plugin/',
vulns_file: vulns_file
)
}
it "should return an empty array when no vulnerabilities are found" do
WpPlugin.new(:base_url => "http://example.localhost/",
:name => "no-vulns",
:path => "plugins/no-vulns/",
:vulns_file => vulns_file).vulnerabilities.should be_empty
it 'should return an empty array when no vulnerabilities are found' do
WpPlugin.new(
base_url: 'http://example.localhost/',
name: 'no-vulns',
path: 'plugins/no-vulns/',
vulns_file: vulns_file
).vulnerabilities.should be_empty
end
it "should return an arry with 2 vulnerabilities" do
it 'should return an arry with 2 vulnerabilities' do
vulnerabilities = wp_plugin.vulnerabilities
vulnerabilities.should_not be_empty
vulnerabilities.length.should == 2
vulnerabilities.each { |vulnerability| vulnerability.should be_a WpVulnerability }
vulnerabilities[0].title.should === "WPScan Spec"
vulnerabilities[1].title.should === "Spec SQL Injection"
vulnerabilities[0].title.should === 'WPScan Spec'
vulnerabilities[1].title.should === 'Spec SQL Injection'
end
end

7
spec/lib/wpscan/wpscan_helper.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -35,8 +36,8 @@ class WpScanModuleSpec
def initialize(target_url)
@uri = URI.parse(add_http_protocol(target_url))
Browser.instance(
:config_file => SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
:cache_timeout => 0
config_file: SPEC_FIXTURES_CONF_DIR + '/browser/browser.conf.json',
cache_timeout: 0
)
end
@@ -45,7 +46,7 @@ class WpScanModuleSpec
end
def login_url
@uri.merge("wp-login.php").to_s
@uri.merge('wp-login.php').to_s
end
end

263
spec/lib/wpscan/wpscan_options_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -18,58 +19,58 @@
require File.expand_path(File.dirname(__FILE__) + '/wpscan_helper')
describe "WpscanOptions" do
describe 'WpscanOptions' do
before :each do
@wpscan_options = WpscanOptions.new
end
describe "#initialize" do
it "should set all options to nil" do
describe '#initialize' do
it 'should set all options to nil' do
WpscanOptions::ACCESSOR_OPTIONS.each do |option|
@wpscan_options.send(option).should === nil
end
end
end
describe "#url=" do
it "should raise an error if en empty or nil url is supplied" do
describe '#url=' do
it 'should raise an error if en empty or nil url is supplied' do
expect { @wpscan_options.url = '' }.to raise_error
expect { @wpscan_options.url = nil }.to raise_error
end
it "should add the http protocol if not present" do
@wpscan_options.url = "example.com"
@wpscan_options.url.should === "http://example.com"
it 'should add the http protocol if not present' do
@wpscan_options.url = 'example.com'
@wpscan_options.url.should === 'http://example.com'
end
it "should not add the http protocol if it's already present" do
url = "http://example.com"
url = 'http://example.com'
@wpscan_options.url = url
@wpscan_options.url.should === url
end
end
describe "#threads=" do
it "should convert an integer in a string into an integr" do
@wpscan_options.threads = "10"
describe '#threads=' do
it 'should convert an integer in a string into an integr' do
@wpscan_options.threads = '10'
@wpscan_options.threads.should be_an Integer
@wpscan_options.threads.should === 10
end
it "should set to correct number of threads" do
it 'should set to correct number of threads' do
@wpscan_options.threads = 15
@wpscan_options.threads.should be_an Integer
@wpscan_options.threads.should === 15
end
end
describe "#wordlist=" do
it "should raise an error if the wordlist file does not exist" do
expect { @wpscan_options.wordlist = "/i/do/not/exist.txt" }.to raise_error
describe '#wordlist=' do
it 'should raise an error if the wordlist file does not exist' do
expect { @wpscan_options.wordlist = '/i/do/not/exist.txt' }.to raise_error
end
it "should not raise an error" do
it 'should not raise an error' do
wordlist_file = "#{SPEC_FIXTURES_WPSCAN_WPSCAN_OPTIONS_DIR}/wordlist.txt"
@wpscan_options.wordlist = wordlist_file
@@ -77,39 +78,39 @@ describe "WpscanOptions" do
end
end
describe "#proxy=" do
it "should raise an error" do
describe '#proxy=' do
it 'should raise an error' do
expect { @wpscan_options.proxy = 'invalidproxy' }.to raise_error
end
it "should not raise an error" do
proxy = "127.0.0.1:3038"
it 'should not raise an error' do
proxy = '127.0.0.1:3038'
@wpscan_options.proxy = proxy
@wpscan_options.proxy.should === proxy
end
end
describe "#proxy_auth=" do
it "should raise an error if the format is not correct" do
expect { @wpscan_options.proxy_auth = "invalidauth" }.to raise_error
describe '#proxy_auth=' do
it 'should raise an error if the format is not correct' do
expect { @wpscan_options.proxy_auth = 'invalidauth' }.to raise_error
end
it "should not raise en error" do
proxy_auth = "user:pass"
it 'should not raise en error' do
proxy_auth = 'user:pass'
@wpscan_options.proxy_auth = proxy_auth
@wpscan_options.proxy_auth.should === proxy_auth
end
end
describe "#enumerate_plugins=" do
it "should raise an error" do
describe '#enumerate_plugins=' do
it 'should raise an error' do
@wpscan_options.enumerate_only_vulnerable_plugins = true
expect { @wpscan_options.enumerate_plugins = true }.to raise_error(
RuntimeError, "Please choose only one plugin enumeration option"
RuntimeError, 'Please choose only one plugin enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_only_vulnerable_plugins = false
@wpscan_options.enumerate_plugins = true
@@ -117,15 +118,15 @@ describe "WpscanOptions" do
end
end
describe "#enumerate_themes=" do
it "should raise an error" do
describe '#enumerate_themes=' do
it 'should raise an error' do
@wpscan_options.enumerate_only_vulnerable_themes = true
expect { @wpscan_options.enumerate_themes = true }.to raise_error(
RuntimeError, "Please choose only one theme enumeration option"
RuntimeError, 'Please choose only one theme enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_only_vulnerable_themes = false
@wpscan_options.enumerate_themes = true
@@ -133,15 +134,15 @@ describe "WpscanOptions" do
end
end
describe "#enumerate_only_vulnerable_plugins=" do
it "should raise an error" do
describe '#enumerate_only_vulnerable_plugins=' do
it 'should raise an error' do
@wpscan_options.enumerate_plugins = true
expect { @wpscan_options.enumerate_only_vulnerable_plugins = true }.to raise_error(
RuntimeError, "Please choose only one plugin enumeration option"
RuntimeError, 'Please choose only one plugin enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_plugins = false
@wpscan_options.enumerate_only_vulnerable_plugins = true
@@ -149,15 +150,15 @@ describe "WpscanOptions" do
end
end
describe "#enumerate_only_vulnerable_themes=" do
it "should raise an error" do
describe '#enumerate_only_vulnerable_themes=' do
it 'should raise an error' do
@wpscan_options.enumerate_themes = true
expect { @wpscan_options.enumerate_only_vulnerable_themes = true }.to raise_error(
RuntimeError, "Please choose only one theme enumeration option"
RuntimeError, 'Please choose only one theme enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_themes = false
@wpscan_options.enumerate_only_vulnerable_themes = true
@@ -165,15 +166,15 @@ describe "WpscanOptions" do
end
end
describe "#enumerate_all_themes=" do
it "should raise an error" do
describe '#enumerate_all_themes=' do
it 'should raise an error' do
@wpscan_options.enumerate_themes = true
expect { @wpscan_options.enumerate_all_themes = true }.to raise_error(
RuntimeError, "Please choose only one theme enumeration option"
RuntimeError, 'Please choose only one theme enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_themes = false
@wpscan_options.enumerate_all_themes = true
@@ -181,15 +182,15 @@ describe "WpscanOptions" do
end
end
describe "#enumerate_all_plugins=" do
it "should raise an error" do
describe '#enumerate_all_plugins=' do
it 'should raise an error' do
@wpscan_options.enumerate_plugins = true
expect { @wpscan_options.enumerate_all_plugins = true }.to raise_error(
RuntimeError, "Please choose only one plugin enumeration option"
RuntimeError, 'Please choose only one plugin enumeration option'
)
end
it "should not raise an error" do
it 'should not raise an error' do
@wpscan_options.enumerate_plugins = false
@wpscan_options.enumerate_all_plugins = true
@@ -197,112 +198,112 @@ describe "WpscanOptions" do
end
end
describe "#basic_auth=" do
context "invalid format" do
it "should raise an error if the : is missing" do
expect { @wpscan_options.basic_auth = "helloworld" }.to raise_error(
RuntimeError, "Invalid basic authentication format, login:password expected"
describe '#basic_auth=' do
context 'invalid format' do
it 'should raise an error if the : is missing' do
expect { @wpscan_options.basic_auth = 'helloworld' }.to raise_error(
RuntimeError, 'Invalid basic authentication format, login:password expected'
)
end
end
context "valid format" do
context 'valid format' do
it "should add the 'Basic' word and do the encode64. See RFC 2617" do
@wpscan_options.basic_auth = "Aladdin:open sesame"
@wpscan_options.basic_auth.should == "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
@wpscan_options.basic_auth = 'Aladdin:open sesame'
@wpscan_options.basic_auth.should == 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=='
end
end
end
describe "#has_options?" do
it "should return false" do
describe '#has_options?' do
it 'should return false' do
@wpscan_options.has_options?.should be_false
end
it "should return true" do
it 'should return true' do
@wpscan_options.verbose = false
@wpscan_options.has_options?.should be_true
end
end
describe "#to_h" do
it "should return an empty hash" do
describe '#to_h' do
it 'should return an empty hash' do
@wpscan_options.to_h.should be_a Hash
@wpscan_options.to_h.should be_empty
end
it "should return a hash with :verbose = true" do
expected = {:verbose => true}
it 'should return a hash with :verbose = true' do
expected = {verbose: true}
@wpscan_options.verbose = true
@wpscan_options.to_h.should === expected
end
end
describe "#clean_option" do
describe '#clean_option' do
after :each do
WpscanOptions.clean_option(@option).should === @expected
end
it "should return 'url'" do
@option = "--url"
@expected = "url"
@option = '--url'
@expected = 'url'
end
it "should return 'u'" do
@option = "-u"
@option = '-u'
@expected = 'u'
end
it "should return 'follow_redirection'" do
@option = "--follow-redirection"
@expected = "follow_redirection"
@option = '--follow-redirection'
@expected = 'follow_redirection'
end
end
describe "#option_to_instance_variable_setter" do
describe '#option_to_instance_variable_setter' do
after :each do
WpscanOptions.option_to_instance_variable_setter(@argument).should === @expected
end
it "should return :url=" do
@argument = "--url"
it 'should return :url=' do
@argument = '--url'
@expected = :url=
end
it "should return :verbose=" do
@argument = "--verbose"
it 'should return :verbose=' do
@argument = '--verbose'
@expected = :verbose=
end
it "should return :proxy= for --proxy" do
@argument = "--proxy"
it 'should return :proxy= for --proxy' do
@argument = '--proxy'
@expected = :proxy=
end
it "should return nil for --enumerate" do
@argument = "--enumerate"
it 'should return nil for --enumerate' do
@argument = '--enumerate'
@expected = nil
end
it "should return :proxy_auth= for --proxy_auth" do
@argument = "--proxy_auth"
it 'should return :proxy_auth= for --proxy_auth' do
@argument = '--proxy_auth'
@expected = :proxy_auth=
end
end
describe "#is_long_option?" do
it "should return true" do
WpscanOptions.is_long_option?("--url").should be_true
describe '#is_long_option?' do
it 'should return true' do
WpscanOptions.is_long_option?('--url').should be_true
end
it "should return false" do
WpscanOptions.is_long_option?("hello").should be_false
WpscanOptions.is_long_option?("--enumerate").should be_false
it 'should return false' do
WpscanOptions.is_long_option?('hello').should be_false
WpscanOptions.is_long_option?('--enumerate').should be_false
end
end
describe "#enumerate_options_from_string" do
describe '#enumerate_options_from_string' do
after :each do
if @argument
wpscan_options = WpscanOptions.new
@@ -311,109 +312,109 @@ describe "WpscanOptions" do
end
end
it "should raise an error if p and p! are " do
expect { @wpscan_options.enumerate_options_from_string("p,vp") }.to raise_error
it 'should raise an error if p and p! are ' do
expect { @wpscan_options.enumerate_options_from_string('p,vp') }.to raise_error
end
it "should set enumerate_plugins to true" do
it 'should set enumerate_plugins to true' do
@argument = 'p'
@expected_hash = {:enumerate_plugins => true}
@expected_hash = {enumerate_plugins: true}
end
it "should set enumerate_only_vulnerable_plugins to tue" do
@argument = "vp"
@expected_hash = {:enumerate_only_vulnerable_plugins => true}
it 'should set enumerate_only_vulnerable_plugins to tue' do
@argument = 'vp'
@expected_hash = {enumerate_only_vulnerable_plugins: true}
end
it "should set enumerate_timthumbs to true" do
it 'should set enumerate_timthumbs to true' do
@argument = 'tt'
@expected_hash = {:enumerate_timthumbs => true}
@expected_hash = {enumerate_timthumbs: true}
end
it "should set enumerate_usernames to true" do
it 'should set enumerate_usernames to true' do
@argument = 'u'
@expected_hash = {:enumerate_usernames => true}
@expected_hash = {enumerate_usernames: true}
end
it "should set enumerate_usernames to true and enumerate_usernames_range to (1..20)" do
@argument = "u[1-20]"
@expected_hash = {:enumerate_usernames => true, :enumerate_usernames_range => (1..20)}
it 'should set enumerate_usernames to true and enumerate_usernames_range to (1..20)' do
@argument = 'u[1-20]'
@expected_hash = {enumerate_usernames: true, enumerate_usernames_range: (1..20)}
end
# Let's try some multiple choices
it "should set enumerate_timthumbs to true, enumerate_usernames to true, enumerate_usernames_range to (1..2)" do
@argument = "u[1-2],tt"
it 'should set enumerate_timthumbs to true, enumerate_usernames to true, enumerate_usernames_range to (1..2)' do
@argument = 'u[1-2],tt'
@expected_hash = {
:enumerate_usernames => true, :enumerate_usernames_range => (1..2),
:enumerate_timthumbs => true
enumerate_usernames: true, enumerate_usernames_range: (1..2),
enumerate_timthumbs: true
}
end
end
describe "#set_option_from_cli" do
it "should raise an error with unknow option" do
expect { @wpscan_options.set_option_from_cli("hello", "") }.to raise_error
describe '#set_option_from_cli' do
it 'should raise an error with unknow option' do
expect { @wpscan_options.set_option_from_cli('hello', '') }.to raise_error
end
it "should set @url to example.com" do
@wpscan_options.set_option_from_cli("--url", "example.com")
@wpscan_options.url.should === "http://example.com"
it 'should set @url to example.com' do
@wpscan_options.set_option_from_cli('--url', 'example.com')
@wpscan_options.url.should === 'http://example.com'
end
it "should set @enumerate_plugins to true" do
@wpscan_options.set_option_from_cli("--enumerate", "p")
it 'should set @enumerate_plugins to true' do
@wpscan_options.set_option_from_cli('--enumerate', 'p')
@wpscan_options.enumerate_plugins.should be_true
@wpscan_options.enumerate_only_vulnerable_plugins.should be_nil
end
it "should set @enumerate_only_vulnerable_plugins, @enumerate_timthumbs and @enumerate_usernames to true if no argument is given" do
@wpscan_options.set_option_from_cli("--enumerate", '')
it 'should set @enumerate_only_vulnerable_plugins, @enumerate_timthumbs and @enumerate_usernames to true if no argument is given' do
@wpscan_options.set_option_from_cli('--enumerate', '')
@wpscan_options.enumerate_only_vulnerable_plugins.should be_true
@wpscan_options.enumerate_timthumbs.should be_true
@wpscan_options.enumerate_usernames.should be_true
end
end
describe "#load_from_arguments" do
describe '#load_from_arguments' do
after :each do
set_argv(@argv)
wpscan_options = WpscanOptions.load_from_arguments
wpscan_options.to_h.should === @expected_hash
end
it "should return {}" do
it 'should return {}' do
@argv = ''
@expected_hash = {}
end
it "should return {:url => 'example.com'}" do
@argv = "--url example.com"
@expected_hash = {:url => "http://example.com"}
@argv = '--url example.com'
@expected_hash = { url: 'http://example.com' }
end
it "should return {:url => 'example.com'}" do
@argv = "-u example.com"
@expected_hash = {:url => "http://example.com"}
@argv = '-u example.com'
@expected_hash = { url: 'http://example.com' }
end
it "should return {:username => 'admin'}" do
@argv = "--username admin"
@expected_hash = {:username => "admin"}
@argv = '--username admin'
@expected_hash = { username: 'admin' }
end
it "should return {:username => 'Youhou'}" do
@argv = "-U Youhou"
@expected_hash = {:username => "Youhou"}
@argv = '-U Youhou'
@expected_hash = { username: 'Youhou' }
end
it "should return {:url => 'example.com', :threads => 5, :force => ''}" do
@argv = "-u example.com --force -t 5"
@expected_hash = {:url => "http://example.com", :threads => 5, :force => ""}
@argv = '-u example.com --force -t 5'
@expected_hash = { url: 'http://example.com', threads: 5, force: '' }
end
it "should return {:url => 'example.com', :enumerate_plugins => true, :enumerate_timthumbs => true}" do
@argv = "-u example.com -e p,tt"
@expected_hash = {:url => 'http://example.com', :enumerate_plugins => true, :enumerate_timthumbs => true}
@argv = '-u example.com -e p,tt'
@expected_hash = { url: 'http://example.com', enumerate_plugins: true, enumerate_timthumbs: true }
end
end

4
spec/lib/wpstools/plugins/list_generator/generate_list_spec.rb
View File

@@ -1,3 +1,5 @@
require File.expand_path(File.dirname(__FILE__) + "/../../wpstools_helper")
# encoding: UTF-8
require File.expand_path(File.dirname(__FILE__) + '/../../wpstools_helper')
# TODO

4
spec/lib/wpstools/plugins/list_generator/svn_parser_spec.rb
View File

@@ -1,3 +1,5 @@
require File.expand_path(File.dirname(__FILE__) + "/../../wpstools_helper")
# encoding: UTF-8
require File.expand_path(File.dirname(__FILE__) + '/../../wpstools_helper')
# TODO

1
spec/lib/wpstools/wpstools_helper.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013

16
spec/spec_helper.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -20,7 +21,7 @@
# https://github.com/colszowka/simplecov
# Code Coverage (only works with ruby >= 1.9)
if RUBY_VERSION >= "1.9"
if RUBY_VERSION >= '1.9'
require 'simplecov'
end
@@ -59,14 +60,19 @@ end
def stub_request_to_fixture(arguments = {})
arguments[:method] ||= :get
arguments[:status] ||= 200
raise "No arguments[:url] supplied" if arguments[:url].nil?
raise "No arguments[:fixture] supplied" if arguments[:fixture].nil?
raise 'No arguments[:url] supplied' if arguments[:url].nil?
raise 'No arguments[:fixture] supplied' if arguments[:fixture].nil?
stub_request(arguments[:method], arguments[:url].to_s).
to_return(:status => arguments[:status], :body => File.new(arguments[:fixture]))
to_return(
status: arguments[:status],
body: File.new(arguments[:fixture])
)
end
# The object must be given as we will mock the Kernel#` or Kernel#system (Kernel is a module)
# The object must be given as we will mock the Kernel#` or
# Kernel#system (Kernel is a module)
#
# system_method :
# :` for `` or %x
# :system for system()

5
spec/wpscan_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -18,9 +19,9 @@
require 'spec_helper'
describe "wpscan main checks" do
describe 'wpscan main checks' do
it "check for errors on running the mainscript" do
it 'check for errors on running the mainscript' do
a = %x[ruby #{ROOT_DIR}/wpscan.rb]
a.should =~ /\[ERROR\] No argument supplied/
end

13
spec/xml_checks_spec.rb
View File

@@ -1,3 +1,4 @@
# encoding: UTF-8
#--
# WPScan - WordPress Security Scanner
# Copyright (C) 2012-2013
@@ -18,7 +19,7 @@
require 'spec_helper'
describe "XML checks" do
describe 'XML checks' do
after :each do
FileTest.exists?(@file).should be_true
@@ -34,27 +35,27 @@ describe "XML checks" do
errors.should === []
end
it "check plugin_vulns.xml for syntax errors" do
it 'check plugin_vulns.xml for syntax errors' do
@file = PLUGINS_VULNS_FILE
@xsd = VULNS_XSD
end
it "check theme_vulns.xml for syntax errors" do
it 'check theme_vulns.xml for syntax errors' do
@file = THEMES_VULNS_FILE
@xsd = VULNS_XSD
end
it "check wp_versions.xml for syntax errors" do
it 'check wp_versions.xml for syntax errors' do
@file = WP_VERSIONS_FILE
@xsd = WP_VERSIONS_XSD
end
it "check wp_vulns.xml for syntax errors" do
it 'check wp_vulns.xml for syntax errors' do
@file = WP_VULNS_FILE
@xsd = VULNS_XSD
end
it "check local_vulnerable_files.xml for syntax errors" do
it 'check local_vulnerable_files.xml for syntax errors' do
@file = LOCAL_FILES_FILE
@xsd = LOCAL_FILES_XSD
end