garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updates rubocop & fixes offences

Browse Source
This commit is contained in:
erwanlr
2020-06-23 20:30:48 +02:00
parent e223936a81
commit d76d4b70f5
24 changed files with 43 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.rubocop.yml
View File

@@ -12,6 +12,8 @@ Layout/SpaceAroundMethodCallOperator:
Enabled: true
Lint/DeprecatedOpenSSLConstant:
Enabled: true
Lint/MixedRegexpCaptureTypes:
Enabled: true
Lint/UriEscapeUnescape:
Enabled: false
Lint/RaiseException:
@@ -28,7 +30,7 @@ Metrics/ClassLength:
Exclude:
- 'app/controllers/enumeration/cli_options.rb'
Metrics/CyclomaticComplexity:
Max: 8
Max: 10
Metrics/MethodLength:
Max: 20
Exclude:
@@ -50,5 +52,11 @@ Style/HashTransformValues:
Style/NumericPredicate:
Exclude:
- 'app/controllers/vuln_api.rb'
Style/RedundantFetchBlock:
Enabled: true
Style/RedundantRegexpCharacterClass:
Enabled: true
Style/RedundantRegexpEscape:
Enabled: true
Style/SlicingWithRange:
Enabled: true

2
app/controllers/password_attack.rb
View File

@@ -82,7 +82,7 @@ module WPScan
if xmlrpc&.enabled? &&
xmlrpc.available_methods.include?('wp.getUsersBlogs') &&
xmlrpc.method_call('wp.getUsersBlogs', [SecureRandom.hex[0, 6], SecureRandom.hex[0, 4]])
.run.body !~ /XML\-RPC services are disabled/
.run.body !~ /XML-RPC services are disabled/
true
else

2
app/finders/interesting_findings/mu_plugins.rb
View File

@@ -7,7 +7,7 @@ module WPScan
class MuPlugins < CMSScanner::Finders::Finder
# @return [ InterestingFinding ]
def passive(_opts = {})
pattern = %r{#{target.content_dir}/mu\-plugins/}i
pattern = %r{#{target.content_dir}/mu-plugins/}i
target.in_scope_uris(target.homepage_res, '(//@href|//@src)[contains(., "mu-plugins")]') do |uri|
next unless uri.path&.match?(pattern)

4
app/finders/main_theme/css_style_in_homepage.rb
View File

@@ -21,7 +21,7 @@ module WPScan
def passive_from_css_href(res, opts)
target.in_scope_uris(res, '//link/@href[contains(., "style.css")]') do |uri|
next unless uri.path =~ %r{/themes/([^\/]+)/style.css\z}i
next unless uri.path =~ %r{/themes/([^/]+)/style.css\z}i
return create_theme(Regexp.last_match[1], uri.to_s, opts)
end
@@ -33,7 +33,7 @@ module WPScan
code = tag.text.to_s
next if code.empty?
next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'\( ]*}i
next unless code =~ %r{#{item_code_pattern('themes')}\\?/style\.css[^"'( ]*}i
return create_theme(Regexp.last_match[1], Regexp.last_match[0].strip, opts)
end

4
app/finders/plugin_version/readme.rb
View File

@@ -48,7 +48,7 @@ module WPScan
#
# @return [ String, nil ] The version number detected from the stable tag
def from_stable_tag(body)
return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z\.-]+)/i
return unless body =~ /\b(?:stable tag|version):\s*(?!trunk)([0-9a-z.-]+)/i
number = Regexp.last_match[1]
@@ -59,7 +59,7 @@ module WPScan
#
# @return [ String, nil ] The best version number detected from the changelog section
def from_changelog_section(body)
extracted_versions = body.scan(%r{[=]+\s+(?:v(?:ersion)?\s*)?([0-9\.-]+)[ \ta-z0-9\(\)\.\-\/]*[=]+}i)
extracted_versions = body.scan(%r{=+\s+(?:v(?:ersion)?\s*)?([0-9.-]+)[ \ta-z0-9().\-/]*=+}i)
return if extracted_versions.nil? || extracted_versions.empty?

2
app/finders/theme_version/style.rb
View File

@@ -30,7 +30,7 @@ module WPScan
# @return [ Version ]
def style_version
return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z\.-]+)/i
return unless Browser.get(target.style_url).body =~ /Version:[\t ]*(?!trunk)([0-9a-z.-]+)/i
Model::Version.new(
Regexp.last_match[1],

2
app/finders/users/rss_generator.rb
View File

@@ -13,7 +13,7 @@ module WPScan
urls.each do |url|
res = Browser.get_and_follow_location(url)
next unless res.code == 200 && res.body =~ /<dc\:creator>/i
next unless res.code == 200 && res.body =~ /<dc:creator>/i
potential_usernames = []

2
app/finders/users/yoast_seo_author_sitemap.rb
View File

@@ -13,7 +13,7 @@ module WPScan
found = []
Browser.get(sitemap_url).html.xpath('//url/loc').each do |user_tag|
username = user_tag.text.to_s[%r{/author/([^\/]+)/}, 1]
username = user_tag.text.to_s[%r{/author/([^/]+)/}, 1]
next unless username && !username.strip.empty?

6
app/finders/wp_items/urls_in_page.rb
View File

@@ -55,7 +55,7 @@ module WPScan
#
# @return [ Regexp ]
def item_code_pattern(type)
@item_code_pattern ||= %r{["'\( ]#{item_url_pattern(type)}([^\\\/\)"']+)}i
@item_code_pattern ||= %r{["'( ]#{item_url_pattern(type)}([^\\/)"']+)}i
end
# @param [ String ] type
@@ -66,9 +66,9 @@ module WPScan
item_url = type == 'plugins' ? target.plugins_url : target.content_url
url = /#{item_url.gsub(/\A(?:https?)/i, 'https?').gsub('/', '\\\\\?\/')}/i
item_dir = %r{(?:#{url}|\\?\/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
item_dir = %r{(?:#{url}|\\?/#{item_dir.gsub('/', '\\\\\?\/')}\\?/)}i
type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?\/}i
type == 'plugins' ? item_dir : %r{#{item_dir}#{type}\\?/}i
end
end
end

4
app/models/theme.rb
View File

@@ -45,7 +45,7 @@ module WPScan
# @return [ Theme ]
def parent_theme
return unless template
return unless style_body =~ /^@import\surl\(["']?([^"'\)]+)["']?\);\s*$/i
return unless style_body =~ /^@import\surl\(["']?([^"')]+)["']?\);\s*$/i
opts = detection_opts.merge(
style_url: url(Regexp.last_match[1]),
@@ -101,7 +101,7 @@ module WPScan
#
# @return [ String ]
def parse_style_tag(body, tag)
value = body[/#{Regexp.escape(tag)}:[\t ]*([^\r\n\*]+)/i, 1]
value = body[/#{Regexp.escape(tag)}:[\t ]*([^\r\n*]+)/i, 1]
value && !value.strip.empty? ? value.strip : nil
end

2
lib/wpscan/finders/dynamic_finder/version/config_parser.rb
View File

@@ -11,7 +11,7 @@ module WPScan
def self.child_class_constants
@child_class_constants ||= super.merge(
PARSER: nil, KEY: nil, PATTERN: /(?<v>\d+\.[\.\d]+)/, CONFIDENCE: 70
PARSER: nil, KEY: nil, PATTERN: /(?<v>\d+\.[.\d]+)/, CONFIDENCE: 70
)
end

2
lib/wpscan/finders/dynamic_finder/version/query_parameter.rb
View File

@@ -9,7 +9,7 @@ module WPScan
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(
XPATH: nil, FILES: nil, PATTERN: /(?:v|ver|version)\=(?<v>\d+\.[\.\d]+)/i, CONFIDENCE_PER_OCCURENCE: 10
XPATH: nil, FILES: nil, PATTERN: /(?:v|ver|version)=(?<v>\d+\.[.\d]+)/i, CONFIDENCE_PER_OCCURENCE: 10
)
end

2
lib/wpscan/finders/dynamic_finder/version/xpath.rb
View File

@@ -9,7 +9,7 @@ module WPScan
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(
XPATH: nil, PATTERN: /\A(?<v>\d+\.[\.\d]+)/, CONFIDENCE: 60
XPATH: nil, PATTERN: /\A(?<v>\d+\.[.\d]+)/, CONFIDENCE: 60
)
end

2
lib/wpscan/finders/dynamic_finder/wp_version.rb
View File

@@ -33,7 +33,7 @@ module WPScan
# @return [ Hash ]
def self.child_class_constants
@child_class_constants ||= super().merge(PATTERN: /ver\=(?<v>\d+\.[\.\d]+)/i)
@child_class_constants ||= super().merge(PATTERN: /ver=(?<v>\d+\.[.\d]+)/i)
end
end

2
lib/wpscan/helper.rb
View File

@@ -13,7 +13,7 @@ end
#
# @return [ Symbol ]
def classify_slug(slug)
classified = slug.to_s.gsub(/[^a-z\d\-]/i, '-').gsub(/\-{1,}/, '_').camelize.to_s
classified = slug.to_s.gsub(/[^a-z\d\-]/i, '-').gsub(/-{1,}/, '_').camelize.to_s
classified = "D_#{classified}" if /\d/.match?(classified[0])
classified.to_sym

8
lib/wpscan/target/platform/wordpress.rb
View File

@@ -11,9 +11,9 @@ module WPScan
module WordPress
include CMSScanner::Target::Platform::PHP
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu\-)?plugins|uploads))|wp-includes)/}i.freeze
WP_JSON_OEMBED_PATTERN = %r{/wp\-json/oembed/}i.freeze
WP_ADMIN_AJAX_PATTERN = %r{\\?/wp\-admin\\?/admin\-ajax\.php}i.freeze
WORDPRESS_PATTERN = %r{/(?:(?:wp-content/(?:themes|(?:mu-)?plugins|uploads))|wp-includes)/}i.freeze
WP_JSON_OEMBED_PATTERN = %r{/wp-json/oembed/}i.freeze
WP_ADMIN_AJAX_PATTERN = %r{\\?/wp-admin\\?/admin-ajax\.php}i.freeze
# These methods are used in the associated interesting_findings finders
# to keep the boolean state of the finding rather than re-check the whole thing again
@@ -147,7 +147,7 @@ module WPScan
res = Browser.get_and_follow_location(@login_url)
@login_url = res.effective_url if res.effective_url =~ /wp\-login\.php\z/i && in_scope?(res.effective_url)
@login_url = res.effective_url if res.effective_url =~ /wp-login\.php\z/i && in_scope?(res.effective_url)
@login_url
end

6
lib/wpscan/target/platform/wordpress/custom_directories.rb
View File

@@ -104,7 +104,7 @@ module WPScan
return @sub_dir unless @sub_dir.nil?
# url_pattern is from CMSScanner::Target
pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp\-includes/)}i
pattern = %r{#{url_pattern}(.+?)/(?:xmlrpc\.php|wp-includes/)}i
xpath = '(//@src|//@href|//@data-src)[contains(., "xmlrpc.php") or contains(., "wp-includes/")]'
[homepage_res, error_404_res].each do |page_res|
@@ -124,9 +124,9 @@ module WPScan
def url(path = nil)
return @uri.to_s unless path
if %r{wp\-content/plugins}i.match?(path)
if %r{wp-content/plugins}i.match?(path)
path = +path.gsub('wp-content/plugins', plugins_dir)
elsif /wp\-content/i.match?(path)
elsif /wp-content/i.match?(path)
path = +path.gsub('wp-content', content_dir)
elsif path[0] != '/' && sub_dir
path = "#{sub_dir}/#{path}"

2
spec/lib/finders/dynamic_finder/version/comment_spec.rb
View File

@@ -13,7 +13,7 @@ describe WPScan::Finders::DynamicFinder::Version::Comment do
let(:finder_module) { WPScan::Finders::Version::Rspec }
let(:finder_class) { WPScan::Finders::Version::Rspec::Comment }
let(:finder_config) { { 'pattern' => /some version: (?<v>[\d\.]+)/i } }
let(:finder_config) { { 'pattern' => /some version: (?<v>[\d.]+)/i } }
let(:default) { { 'xpath' => '//comment()', 'confidence' => 60 } }
before { described_class.create_child_class(finder_module, :Comment, finder_config) }

2
spec/lib/finders/dynamic_finder/version/config_parser_spec.rb
View File

@@ -14,7 +14,7 @@ describe WPScan::Finders::DynamicFinder::Version::ConfigParser do
let(:finder_module) { WPScan::Finders::Version::Rspec }
let(:finder_class) { WPScan::Finders::Version::Rspec::ConfigParser }
let(:finder_config) { { 'key' => 'some-key', 'path' => 'file.json' } }
let(:default) { { 'pattern' => /(?<v>\d+\.[\.\d]+)/, 'confidence' => 70 } }
let(:default) { { 'pattern' => /(?<v>\d+\.[.\d]+)/, 'confidence' => 70 } }
before { described_class.create_child_class(finder_module, :ConfigParser, finder_config) }
after { finder_module.send(:remove_const, :ConfigParser) }

2
spec/lib/finders/dynamic_finder/version/header_pattern_spec.rb
View File

@@ -60,7 +60,7 @@ describe WPScan::Finders::DynamicFinder::Version::HeaderPattern do
end
context 'when PATTERN' do
let(:finder_config) { super().merge('pattern' => /Version: (?<v>[\d\.]+)/i) }
let(:finder_config) { super().merge('pattern' => /Version: (?<v>[\d.]+)/i) }
it 'contains the expected constants' do
expect(finder_class::HEADER).to eql finder_config['header']

2
spec/lib/finders/dynamic_finder/version/javascript_var_spec.rb
View File

@@ -13,7 +13,7 @@ describe WPScan::Finders::DynamicFinder::Version::JavascriptVar do
let(:finder_module) { WPScan::Finders::Version::Rspec }
let(:finder_class) { WPScan::Finders::Version::Rspec::JavascriptVar }
let(:finder_config) { { 'pattern' => /some version: (?<v>[\d\.]+)/i } }
let(:finder_config) { { 'pattern' => /some version: (?<v>[\d.]+)/i } }
let(:default) { { 'xpath' => '//script[not(@src)]', 'confidence' => 60 } }
before { described_class.create_child_class(finder_module, :JavascriptVar, finder_config) }

2
spec/lib/finders/dynamic_finder/version/query_parameter_spec.rb
View File

@@ -14,7 +14,7 @@ describe WPScan::Finders::DynamicFinder::Version::QueryParameter do
let(:finder_module) { WPScan::Finders::Version::Rspec }
let(:finder_class) { WPScan::Finders::Version::Rspec::QueryParameter }
let(:finder_config) { { 'files' => %w[f1 f2] } }
let(:default) { { 'pattern' => /(?:v|ver|version)\=(?<v>\d+\.[\.\d]+)/i, 'confidence_per_occurence' => 10 } }
let(:default) { { 'pattern' => /(?:v|ver|version)=(?<v>\d+\.[.\d]+)/i, 'confidence_per_occurence' => 10 } }
before { described_class.create_child_class(finder_module, :QueryParameter, finder_config) }
after { finder_module.send(:remove_const, :QueryParameter) }

4
spec/lib/finders/dynamic_finder/version/xpath_spec.rb
View File

@@ -14,7 +14,7 @@ describe WPScan::Finders::DynamicFinder::Version::Xpath do
let(:finder_module) { WPScan::Finders::Version::Rspec }
let(:finder_class) { WPScan::Finders::Version::Rspec::Xpath }
let(:finder_config) { { 'xpath' => "//div/h3[@class='version-number']" } }
let(:default) { { 'pattern' => /\A(?<v>\d+\.[\.\d]+)/, 'confidence' => 60 } }
let(:default) { { 'pattern' => /\A(?<v>\d+\.[.\d]+)/, 'confidence' => 60 } }
before { described_class.create_child_class(finder_module, :Xpath, finder_config) }
after { finder_module.send(:remove_const, :Xpath) }
@@ -60,7 +60,7 @@ describe WPScan::Finders::DynamicFinder::Version::Xpath do
end
context 'when PATTERN' do
let(:finder_config) { super().merge('pattern' => /Version: (?<v>[\d\.]+)/i) }
let(:finder_config) { super().merge('pattern' => /Version: (?<v>[\d.]+)/i) }
it 'contains the expected constants' do
expect(finder_class::XPATH).to eql finder_config['xpath']

2
wpscan.gemspec
View File

@@ -28,7 +28,7 @@ Gem::Specification.new do |s|
s.add_development_dependency 'rake', '~> 13.0'
s.add_development_dependency 'rspec', '~> 3.9.0'
s.add_development_dependency 'rspec-its', '~> 1.3.0'
s.add_development_dependency 'rubocop', '~> 0.85.0'
s.add_development_dependency 'rubocop', '~> 0.86.0'
s.add_development_dependency 'rubocop-performance', '~> 1.6.0'
s.add_development_dependency 'simplecov', '~> 0.18.2'
s.add_development_dependency 'simplecov-lcov', '~> 0.8.0'