diff --git a/lib/wpscan/db/vuln_api.rb b/lib/wpscan/db/vuln_api.rb index bf83d85f..3a2f48e5 100644 --- a/lib/wpscan/db/vuln_api.rb +++ b/lib/wpscan/db/vuln_api.rb @@ -70,6 +70,7 @@ module WPScan headers: { 'Host' => uri.host, # Reset in case user provided a --vhost for the target 'Referer' => nil, # Removes referer set by the cmsscanner to the target url + 'CF-Connecting-IP' => nil, # Removes in case user provided one for the target 'User-Agent' => Browser.instance.default_user_agent, 'Authorization' => "Token token=#{token}" } diff --git a/spec/lib/db/vuln_api_spec.rb b/spec/lib/db/vuln_api_spec.rb index adbea90d..4dd95a0c 100644 --- a/spec/lib/db/vuln_api_spec.rb +++ b/spec/lib/db/vuln_api_spec.rb @@ -3,6 +3,17 @@ describe WPScan::DB::VulnApi do subject(:api) { described_class } + let(:request_headers) do + { + 'Host' => api.uri.host, + 'Expect' => nil, + 'Referer' => nil, + 'CF-Connecting-IP' => nil, + 'User-Agent' => WPScan::Browser.instance.default_user_agent, + 'Authorization' => 'Token token=s3cRet' + } + end + describe '#uri' do its(:uri) { should be_a Addressable::URI } end @@ -40,9 +51,7 @@ describe WPScan::DB::VulnApi do context 'when no timeouts' do before do stub_request(:get, api.uri.join(path)) - .with(headers: { 'Host' => api.uri.host, 'Expect' => nil, 'Referer' => nil, - 'User-Agent' => WPScan::Browser.instance.default_user_agent, - 'Authorization' => 'Token token=s3cRet' }) + .with(headers: request_headers) .to_return(status: code, body: body) end @@ -95,9 +104,7 @@ describe WPScan::DB::VulnApi do context 'when all requests timeout' do before do stub_request(:get, api.uri.join('path')) - .with(headers: { 'Host' => api.uri.host, 'Expect' => nil, 'Referer' => nil, - 'User-Agent' => WPScan::Browser.instance.default_user_agent, - 'Authorization' => 'Token token=s3cRet' }) + .with(headers: request_headers) .to_return(status: 0) end @@ -113,9 +120,7 @@ describe WPScan::DB::VulnApi do context 'when only the first request timeout' do before do stub_request(:get, api.uri.join('path')) - .with(headers: { 'Host' => api.uri.host, 'Expect' => nil, 'Referer' => nil, - 'User-Agent' => WPScan::Browser.instance.default_user_agent, - 'Authorization' => 'Token token=s3cRet' }) + .with(headers: request_headers) .to_return(status: 0).then .to_return(status: 200, body: { data: 'test' }.to_json) end @@ -237,9 +242,7 @@ describe WPScan::DB::VulnApi do stub_request(:get, api.uri.join('status')) .with(query: { version: WPScan::VERSION }, - headers: { 'Host' => api.uri.host, 'Expect' => nil, 'Referer' => nil, - 'User-Agent' => WPScan::Browser.instance.default_user_agent, - 'Authorization' => 'Token token=s3cRet' }) + headers: request_headers) .to_return(status: code, body: return_body.to_json) end @@ -268,6 +271,22 @@ describe WPScan::DB::VulnApi do expect(status['requests_remaining']).to eql 'Unlimited' end end + + context 'when CF-Connecting-IP provided in CLI' do + let(:return_body) { { success: true, plan: 'free', requests_remaining: 100 } } + + before do + WPScan::Browser.instance.headers = { 'CF-Connecting-IP' => '123.123.123.123' } + end + + it 'removes the CF-Connecting-IP header from the request' do + status = api.status + + expect(status['success']).to be true + expect(status['plan']).to eql 'free' + expect(status['requests_remaining']).to eql 100 + end + end end context 'when 401' do