arachni 1.0.4 → 1.0.5

data/lib/arachni/support/profiler.rb

@@ -147,6 +147,8 @@ class Profiler
     private
 
     def object_within_namespace?( object, namespaces )
+        return true if namespaces.empty?
+
         namespaces.each do |namespace|
             return true if object.class.to_s.start_with?( namespace.to_s )
         end

data/lib/arachni/uri.rb

@@ -563,6 +563,7 @@ class URI
     # @return [String]
     #   `domain_name.tld`
     def domain
+        return if !host
         return host if ip_address?
 
         s = host.split( '.' )
@@ -612,7 +613,7 @@ class URI
         q = self.query
         return {} if q.to_s.empty?
 
-        q.split( '&' ).inject( {} ) do |h, pair|
+        q.recode.split( '&' ).inject( {} ) do |h, pair|
             name, value = pair.split( '=', 2 )
             h[::URI.decode( name.to_s )] = ::URI.decode( value.to_s )
             h

data/lib/version

@@ -1 +1 @@
-1.0.4
+1.0.5

data/spec/arachni/browser/javascript_spec.rb

@@ -372,4 +372,19 @@ _#{subject.token}TaintTracer.update_tracers(); // Injected by Arachni::Browser::
         end
     end
 
+    describe '#run_without_elements' do
+        it 'executes the given script and unwraps Watir elements' do
+            @browser.load @dom_monitor_url
+            source = Nokogiri::HTML(@browser.source).to_s
+
+            source.should ==
+                Nokogiri::HTML(subject.run_without_elements( 'return document.documentElement' ) ).to_s
+
+            source.should ==
+                Nokogiri::HTML(subject.run_without_elements( 'return [document.documentElement]' ).first ).to_s
+
+            source.should ==
+                Nokogiri::HTML(subject.run_without_elements( 'return { html: document.documentElement }' )['html'] ).to_s
+        end
+    end
 end

data/spec/arachni/check/manager_spec.rb

@@ -95,6 +95,23 @@ describe Arachni::Check::Manager do
             issues.size.should equal 1
             issues.first.name.should == checks['test'].info[:issue][:name]
         end
+
+        context 'when the check was ran' do
+            it 'returns true' do
+                checks.load :test
+                checks.run_one( checks.values.first, page ).should be_true
+            end
+        end
+
+        context 'when the check was not ran' do
+            it 'returns false' do
+                checks.load :test
+
+                allow(Arachni::Checks::Test).to receive(:check?).and_return(false)
+
+                checks.run_one( checks.values.first, page ).should be_false
+            end
+        end
     end
 
 end

data/spec/arachni/framework_spec.rb

@@ -1100,6 +1100,10 @@ describe Arachni::Framework do
             end
         end
 
+        context 'when the page contains elements seen in previous pages' do
+            it 'removes them from the page'
+        end
+
         context 'when a check fails with an exception' do
             it 'moves to the next one' do
                 @options.paths.checks  = fixtures_path + '/checks/'
@@ -1208,8 +1212,6 @@ describe Arachni::Framework do
         let(:page) { Arachni::Page.from_url( @url + '/train/true' ) }
 
         it 'pushes it to the page audit queue and returns true' do
-            page = Arachni::Page.from_url( @url + '/train/true' )
-
             subject.options.audit.elements :links, :forms, :cookies
             subject.checks.load :taint
 

data/spec/arachni/http/client_spec.rb

@@ -497,7 +497,7 @@ describe Arachni::HTTP::Client do
 
         context "when a #{RuntimeError} occurs" do
             it 'returns nil' do
-                subject.instance.stub(:hydra_run){ raise }
+                subject.instance.stub(:client_run){ raise }
 
                 subject.run.should be_nil
             end

data/spec/arachni/session_spec.rb

@@ -108,56 +108,99 @@ describe Arachni::Session do
     end
 
     describe '#login' do
-        it 'finds and submits the login form with the given credentials' do
-            configured.login
-            configured.should be_logged_in
-        end
+        context 'when given a login sequence' do
+            context 'when a browser is available' do
+                it 'passes a browser instance' do
+                    b = nil
+                    subject.record_login_sequence do |browser|
+                        b = browser
+                    end
 
-        context 'when a browser is available' do
-            before { subject.stub(:has_browser?) { false } }
+                    subject.login
 
-            it 'uses the framework Page helpers' do
-                configured.should_not be_logged_in
-                configured.login.should be_kind_of Arachni::Page
-                configured.should be_logged_in
+                    b.should be_kind_of Arachni::Browser
+                end
+
+                it 'updates the system cookies from the browser' do
+                    subject.record_login_sequence do |browser|
+                        browser.goto @url
+                        browser.watir.cookies.add 'foo', 'bar'
+                    end
+
+                    subject.login
+
+                    Arachni::HTTP::Client.cookies.find { |c| c.name == 'foo' }.should be_true
+                end
             end
-        end
 
-        context 'when a browser is available' do
-            it 'can handle Javascript forms' do
-                subject.configure(
-                    url:    "#{@url}/javascript_login",
-                    inputs: {
-                        username: 'john',
-                        password: 'doe'
-                    }
-                )
+            context 'when a browser is not available' do
+                before { subject.stub(:has_browser?) { false } }
 
-                @opts.session.check_url     = @url
-                @opts.session.check_pattern = 'logged-in user'
+                it 'does not pass a browser instance' do
+                    b = true
+                    subject.record_login_sequence do |browser|
+                        b = browser
+                    end
 
-                subject.login
+                    subject.login
 
-                subject.should be_logged_in
+                    b.should be_nil
+                end
+            end
+        end
+
+        context 'when given login form info' do
+            it 'finds and submits the login form with the given credentials' do
+                configured.login
+                configured.should be_logged_in
+            end
+
+            context 'when a browser is not available' do
+                before { subject.stub(:has_browser?) { false } }
+
+                it 'uses the framework Page helpers' do
+                    configured.should_not be_logged_in
+                    configured.login.should be_kind_of Arachni::Page
+                    configured.should be_logged_in
+                end
             end
 
-            it 'returns the resulting browser evaluated page' do
-                configured.login.should be_kind_of Arachni::Page
+            context 'when a browser is available' do
+                it 'can handle Javascript forms' do
+                    subject.configure(
+                        url:    "#{@url}/javascript_login",
+                        inputs: {
+                            username: 'john',
+                            password: 'doe'
+                        }
+                    )
 
-                transition = configured.login.dom.transitions.first
-                transition.event.should == :load
-                transition.element.should == :page
-                transition.options[:url].should == configured.configuration[:url]
+                    @opts.session.check_url     = @url
+                    @opts.session.check_pattern = 'logged-in user'
 
-                transition = configured.login.dom.transitions.last
-                transition.event.should == :submit
-                transition.element.tag_name.should == :form
+                    subject.login
+
+                    subject.should be_logged_in
+                end
 
-                transition.options[:inputs]['username'].should ==
-                    configured.configuration[:inputs][:username]
+                it 'returns the resulting browser evaluated page' do
+                    configured.login.should be_kind_of Arachni::Page
 
-                transition.options[:inputs]['password'].should ==
-                    configured.configuration[:inputs][:password]
+                    transition = configured.login.dom.transitions.first
+                    transition.event.should == :load
+                    transition.element.should == :page
+                    transition.options[:url].should == configured.configuration[:url]
+
+                    transition = configured.login.dom.transitions.last
+                    transition.event.should == :submit
+                    transition.element.tag_name.should == :form
+
+                    transition.options[:inputs]['username'].should ==
+                        configured.configuration[:inputs][:username]
+
+                    transition.options[:inputs]['password'].should ==
+                        configured.configuration[:inputs][:password]
+                end
             end
         end
 

data/spec/arachni/state/framework_spec.rb

@@ -9,6 +9,7 @@ describe Arachni::State::Framework do
     before(:each) { subject.clear }
 
     let(:page) { Factory[:page] }
+    let(:element) { Factory[:link] }
     let(:url) { page.url }
     let(:dump_directory) do
         @dump_directory = "#{Dir.tmpdir}/framework-#{Arachni::Utilities.generate_token}"
@@ -114,6 +115,28 @@ describe Arachni::State::Framework do
         end
     end
 
+    describe '#element_checked?' do
+        context 'when an element has already been checked' do
+            it 'returns true' do
+                subject.element_pre_check_filter << element
+                subject.element_checked?( element ).should be_true
+            end
+        end
+
+        context 'when an element has not been checked' do
+            it 'returns false' do
+                subject.element_checked?( element ).should be_false
+            end
+        end
+    end
+
+    describe '#element_checked' do
+        it 'marks an element as checked' do
+            subject.element_checked element
+            subject.element_checked?( element ).should be_true
+        end
+    end
+
     describe '#page_seen?' do
         context 'when a page has already been seen' do
             it 'returns true' do
@@ -805,6 +828,15 @@ describe Arachni::State::Framework do
             described_class.load( dump_directory ).rpc.should be_kind_of described_class::RPC
         end
 
+        it 'loads #element_pre_check_filter from disk' do
+            subject.element_pre_check_filter << element
+
+            subject.dump( dump_directory )
+
+            described_class.load( dump_directory ).element_pre_check_filter.
+                collection.should == Set.new([element.coverage_hash])
+        end
+
         it 'loads #page_queue_filter from disk' do
             subject.page_queue_filter << page
 
@@ -837,7 +869,8 @@ describe Arachni::State::Framework do
     end
 
     describe '#clear' do
-        %w(rpc browser_skip_states page_queue_filter url_queue_filter).each do |method|
+        %w(rpc element_pre_check_filter browser_skip_states page_queue_filter
+            url_queue_filter).each do |method|
             it "clears ##{method}" do
                 subject.send(method).should receive(:clear)
                 subject.clear

data/spec/arachni/uri_spec.rb

@@ -455,6 +455,13 @@ describe Arachni::URI do
             url = 'http://deep.subdomain.test.com/'
             described_class.parse( url ).domain.should == 'subdomain.test.com'
         end
+
+        context 'when no host is available' do
+            it 'returns nil' do
+                url = '/stuff/'
+                described_class.parse( url ).domain.should be_nil
+            end
+        end
     end
 
     describe '#ip_address?' do

data/spec/components/plugins/login_script_spec.rb

@@ -0,0 +1,157 @@
+require 'spec_helper'
+
+describe name_from_filename do
+    include_examples 'plugin'
+
+    before( :all ) do
+        options.url = url
+    end
+
+    before :each do
+        options.session.check_url     = nil
+        options.session.check_pattern = nil
+
+        IO.write( script_path, script )
+
+        options.plugins[component_name] = { 'script' => script_path }
+    end
+
+    after(:each) { FileUtils.rm_f script_path }
+
+    let(:script) { '' }
+    let(:script_path) { "#{Dir.tmpdir}/login_script_#{Time.now.to_i}" }
+
+    context 'when a browser' do
+        let(:script) do
+            <<EOSCRIPT
+                framework.options.datastore.browser = browser
+EOSCRIPT
+        end
+
+        context 'is available' do
+            it "exposes a Watir::Browser interface via the 'browser' variable" do
+                run
+
+                options.datastore.browser.should be_kind_of Watir::Browser
+            end
+        end
+
+        context 'is not available' do
+            it "sets 'browser' to 'nil'" do
+                framework.options.scope.dom_depth_limit = 0
+                run
+
+                options.datastore.browser.should be_nil
+            end
+        end
+    end
+
+    context 'when the login was successful' do
+        before :each do
+            options.session.check_url     = url
+            options.session.check_pattern = 'Hi there logged-in user'
+        end
+
+        let(:script) do
+            <<EOSCRIPT
+                http.cookie_jar.update 'success' => 'true'
+EOSCRIPT
+        end
+
+        it 'sets the status' do
+            run
+
+            actual_results['status'].should  == 'success'
+        end
+
+        it 'sets the message' do
+            run
+
+            actual_results['message'].should == plugin::STATUSES[:success]
+        end
+
+        it 'sets the cookies' do
+            run
+
+            actual_results['cookies'].should == { 'success' => 'true' }
+        end
+    end
+
+    context 'when there is no session check' do
+        let(:script) do
+            <<EOSCRIPT
+                http.cookie_jar.update 'success' => 'true'
+EOSCRIPT
+        end
+
+        it 'sets the status' do
+            run
+
+            actual_results['status'].should  == 'missing_check'
+        end
+
+        it 'sets the message' do
+            run
+
+            actual_results['message'].should == plugin::STATUSES[:missing_check]
+        end
+
+        it 'aborts the scan' do
+            run
+
+            framework.status.should == :aborted
+        end
+    end
+
+    context 'when the session check fails' do
+        before :each do
+            options.session.check_url     = url
+            options.session.check_pattern = 'Hi there logged-in user'
+        end
+
+        it 'sets the status' do
+            run
+
+            actual_results['status'].should  == 'failure'
+        end
+
+        it 'sets the message' do
+            run
+
+            actual_results['message'].should == plugin::STATUSES[:failure]
+        end
+
+        it 'aborts the scan' do
+            run
+
+            framework.status.should == :aborted
+        end
+    end
+
+    context 'when there is a runtime error in the script' do
+        let(:script) do
+            <<EOSCRIPT
+                fail
+EOSCRIPT
+        end
+
+        it 'sets the status' do
+            run
+
+            actual_results['status'].should  == 'error'
+        end
+
+        it 'sets the message' do
+            run
+
+            actual_results['message'].should == plugin::STATUSES[:error]
+        end
+
+        it 'aborts the scan' do
+            run
+
+            framework.status.should == :aborted
+        end
+    end
+
+end