Merges with Master (and solves conflicts)

2019-03-24 13:01:29 +00:00
parent 047a188b34 fa0582ce0b
commit f9435906e7
27 changed files with 245 additions and 80 deletions
--- a/spec/app/finders/users/wp_json_api_spec.rb
+++ b/spec/app/finders/users/wp_json_api_spec.rb
@@ -7,7 +7,10 @@ describe WPScan::Finders::Users::WpJsonApi do
  let(:fixtures)   { FINDERS_FIXTURES.join('users', 'wp_json_api') }

  describe '#aggressive' do
-    before { allow(target).to receive(:sub_dir).and_return(false) }
+    before do
+      allow(target).to receive(:sub_dir).and_return(false)
+      allow(finder).to receive(:api_url).and_return(target.url('wp-json/wp/v2/users/'))
+    end

    context 'when only one page of results' do
      before do
@@ -80,4 +83,54 @@ describe WPScan::Finders::Users::WpJsonApi do
      end
    end
  end
+
+  describe '#api_url' do
+    let(:fixtures) { super().join('api_url') }
+
+    context 'when url in the homepage' do
+      {
+        in_scope: 'https://wp.lab/wp-json/wp/v2/users/',
+        out_of_scope: 'http://wp.lab/wp-json/wp/v2/users/'
+      }.each do |fixture, expected|
+        it "returns #{expected} for #{fixture}.html" do
+          stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{fixture}.html")))
+
+          expect(finder.api_url).to eql expected
+        end
+      end
+
+      context 'when subdir' do
+        before { allow(target).to receive(:subdir).and_return('cms') }
+
+        {
+          in_scope_subdir: 'https://wp.lab/cms/wp-json/wp/v2/users/',
+          in_scope_subdir_ignored: 'https://wp.lab/wp-json/wp/v2/users/'
+        }.each do |fixture, expected|
+          it "returns #{expected} for #{fixture}.html" do
+            stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{fixture}.html")))
+
+            expect(finder.api_url).to eql expected
+          end
+        end
+      end
+    end
+
+    context 'when not in the homepage' do
+      before { stub_request(:get, target.url) }
+
+      its(:api_url) { should eql target.url('wp-json/wp/v2/users/') }
+    end
+
+    context 'when api_url already found' do
+      before { allow(target).to receive(:sub_dir).and_return(false) }
+
+      it 'does not check the homepage again' do
+        url = target.url('wp-json/wp/v2/users/')
+
+        finder.instance_variable_set(:@api_url, url)
+
+        expect(finder.api_url).to eql url
+      end
+    end
+  end
 end