Formatting

Add fix for oembed API
Handle a string response from a WP REST API endpoint
2023-11-30 17:00:01 -04:00 · 2023-11-30 16:58:26 -04:00 · 2023-11-30 16:47:21 -04:00
4 changed files with 32 additions and 10 deletions
--- a/app/finders/users/oembed_api.rb
+++ b/app/finders/users/oembed_api.rb
@@ -36,6 +36,8 @@ module WPScan

          oembed_data = oembed_data.first if oembed_data.is_a?(Array)

+          oembed_data = {} unless oembed_data.is_a?(Hash)
+
          if oembed_data['author_url'] =~ %r{/author/([^/]+)/?\z}
            details = [Regexp.last_match[1], 'Author URL', 90]
          elsif oembed_data['author_name'] && !oembed_data['author_name'].empty?
--- a/app/finders/users/wp_json_api.rb
+++ b/app/finders/users/wp_json_api.rb
@@ -42,12 +42,16 @@ module WPScan
        def users_from_response(response)
          found = []

-          JSON.parse(response.body)&.each do |user|
-            found << Model::User.new(user['slug'],
-                                     id: user['id'],
-                                     found_by: found_by,
-                                     confidence: 100,
-                                     interesting_entries: [response.effective_url])
+          json = JSON.parse(response.body)
+
+          if json.is_a?(Enumerable)
+            json.each do |user|
+              found << Model::User.new(user['slug'],
+                                       id: user['id'],
+                                       found_by: found_by,
+                                       confidence: 100,
+                                       interesting_entries: [response.effective_url])
+            end
          end

          found
--- a/spec/app/finders/users/oembed_api_spec.rb
+++ b/spec/app/finders/users/oembed_api_spec.rb
@@ -13,9 +13,17 @@ describe WPScan::Finders::Users::OembedApi do
    end

    context 'when not a JSON response' do
-      let(:body) { '' }
+      context 'when empty' do
+        let(:body) { '' }

-      its(:aggressive) { should eql([]) }
+        its(:aggressive) { should eql([]) }
+      end
+
+      context 'when a string' do
+        let(:body) { '404' }
+
+        its(:aggressive) { should eql([]) }
+      end
    end

    context 'when a JSON response' do
--- a/spec/app/finders/users/wp_json_api_spec.rb
+++ b/spec/app/finders/users/wp_json_api_spec.rb
@@ -20,9 +20,17 @@ describe WPScan::Finders::Users::WpJsonApi do
      end

      context 'when not a JSON response' do
-        let(:body) { '' }
+        context 'when empty' do
+          let(:body) { '' }

-        its(:aggressive) { should eql([]) }
+          its(:aggressive) { should eql([]) }
+        end
+
+        context 'when a string' do
+          let(:body) { '404' }
+
+          its(:aggressive) { should eql([]) }
+        end
      end

      context 'when a JSON response' do
Author	SHA1	Message	Date
Alex Sanford	d2841dbf5a	Formatting	2023-11-30 17:00:01 -04:00
Alex Sanford	c7d49556f1	Add fix for oembed API	2023-11-30 16:58:26 -04:00
Alex Sanford	804bdfc146	Handle a string response from a WP REST API endpoint	2023-11-30 16:47:21 -04:00