RubyGems - arachni - Versions diffs - 1.5 → 1.5.1 - Mend

arachni 1.5 → 1.5.1

Files changed (100) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/README.md +2 -2
data/Rakefile +0 -42
data/arachni.gemspec +2 -2
data/components/path_extractors/scripts.rb +1 -1
data/components/plugins/metrics.rb +19 -19
data/components/reporters/html.rb +1 -1
data/config/write_paths.yml +4 -0
data/lib/arachni.rb +0 -6
data/lib/arachni/browser/javascript.rb +0 -7
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +0 -15
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +17 -10
data/lib/arachni/check/auditor.rb +18 -61
data/lib/arachni/element/capabilities/analyzable/signature.rb +1 -1
data/lib/arachni/framework/parts/report.rb +1 -1
data/lib/arachni/http/message.rb +1 -1
data/lib/arachni/http/response.rb +2 -2
data/lib/arachni/option_groups/paths.rb +11 -0
data/lib/arachni/options.rb +1 -1
data/lib/arachni/parser.rb +2 -8
data/lib/arachni/parser/nodes/text.rb +1 -1
data/lib/arachni/parser/with_children.rb +1 -1
data/lib/arachni/snapshot.rb +1 -1
data/lib/arachni/support/database/base.rb +1 -3
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +0 -20
data/spec/arachni/browser/javascript_spec.rb +0 -7
data/spec/arachni/check/auditor_spec.rb +44 -165
data/spec/arachni/issue_spec.rb +1 -1
data/spec/arachni/option_groups/paths_spec.rb +23 -1
data/spec/arachni/platform/list_spec.rb +1 -2
data/spec/arachni/snapshot_spec.rb +1 -1
data/spec/arachni/state/framework_spec.rb +2 -2
data/spec/support/factories/issue.rb +1 -2
metadata +6 -132
data/logs/error-11897.log +0 -2006
data/logs/error-3855.log +0 -382
data/spec/support/logs/Dispatcher - 1024-31864.log +0 -10
data/spec/support/logs/Dispatcher - 1047-41465.log +0 -10
data/spec/support/logs/Dispatcher - 1274-60799.log +0 -64
data/spec/support/logs/Dispatcher - 1295-1058.log +0 -44
data/spec/support/logs/Dispatcher - 1313-27076.log +0 -40
data/spec/support/logs/Dispatcher - 1332-17127.log +0 -35
data/spec/support/logs/Dispatcher - 1350-7351.log +0 -29
data/spec/support/logs/Dispatcher - 1368-38528.log +0 -22
data/spec/support/logs/Dispatcher - 1386-17419.log +0 -14
data/spec/support/logs/Dispatcher - 31030-26156.log +0 -10
data/spec/support/logs/Dispatcher - 321-27189.log +0 -12
data/spec/support/logs/Dispatcher - 32353-50061.log +0 -20
data/spec/support/logs/Dispatcher - 32450-61574.log +0 -10
data/spec/support/logs/Dispatcher - 32470-53874.log +0 -20
data/spec/support/logs/Dispatcher - 32491-10523.log +0 -18
data/spec/support/logs/Dispatcher - 32509-8583.log +0 -14
data/spec/support/logs/Dispatcher - 32536-21209.log +0 -10
data/spec/support/logs/Dispatcher - 32556-53881.log +0 -10
data/spec/support/logs/Dispatcher - 32579-49083.log +0 -50
data/spec/support/logs/Dispatcher - 32761-20025.log +0 -12
data/spec/support/logs/Dispatcher - 347-17512.log +0 -12
data/spec/support/logs/Dispatcher - 3489-43230.log +0 -24
data/spec/support/logs/Dispatcher - 3524-57459.log +0 -26
data/spec/support/logs/Dispatcher - 3559-21544.log +0 -20
data/spec/support/logs/Dispatcher - 3764-33844.log +0 -25
data/spec/support/logs/Dispatcher - 3798-45350.log +0 -26
data/spec/support/logs/Dispatcher - 382-15725.log +0 -12
data/spec/support/logs/Dispatcher - 3836-6205.log +0 -21
data/spec/support/logs/Dispatcher - 4112-45433.log +0 -22
data/spec/support/logs/Dispatcher - 4148-53510.log +0 -26
data/spec/support/logs/Dispatcher - 415-29873.log +0 -14
data/spec/support/logs/Dispatcher - 4185-29736.log +0 -18
data/spec/support/logs/Dispatcher - 4268-60912.log +0 -25
data/spec/support/logs/Dispatcher - 4303-39372.log +0 -26
data/spec/support/logs/Dispatcher - 4342-42190.log +0 -21
data/spec/support/logs/Dispatcher - 463-55220.log +0 -26
data/spec/support/logs/Dispatcher - 4649-12104.log +0 -22
data/spec/support/logs/Dispatcher - 4683-32355.log +0 -26
data/spec/support/logs/Dispatcher - 4724-41636.log +0 -18
data/spec/support/logs/Dispatcher - 4881-57692.log +0 -22
data/spec/support/logs/Dispatcher - 4961-64665.log +0 -26
data/spec/support/logs/Dispatcher - 502-8742.log +0 -25
data/spec/support/logs/Dispatcher - 5052-61726.log +0 -18
data/spec/support/logs/Dispatcher - 536-15972.log +0 -22
data/spec/support/logs/Dispatcher - 620-2220.log +0 -20
data/spec/support/logs/Dispatcher - 638-17826.log +0 -18
data/spec/support/logs/Dispatcher - 656-23967.log +0 -16
data/spec/support/logs/Dispatcher - 700-15701.log +0 -12
data/spec/support/logs/Dispatcher - 726-6080.log +0 -10
data/spec/support/logs/Dispatcher - 749-56590.log +0 -18
data/spec/support/logs/Dispatcher - 807-19073.log +0 -18
data/spec/support/logs/Dispatcher - 871-8764.log +0 -10
data/spec/support/logs/Dispatcher - 898-21496.log +0 -12
data/spec/support/logs/Dispatcher - 933-64070.log +0 -12
data/spec/support/logs/Instance - 1577-32284.error.log +0 -151
data/spec/support/logs/Instance - 1625-58174.error.log +0 -154
data/spec/support/logs/Instance - 2727-57968.error.log +0 -151
data/spec/support/logs/Instance - 2898-20648.error.log +0 -303
data/spec/support/logs/Instance - 2901-30845.error.log +0 -429
data/spec/support/logs/Instance - 31185-37600.error.log +0 -174
data/spec/support/logs/Instance - 3319-20111.error.log +0 -175
data/spec/support/logs/error-3855.log +0 -5132

data/lib/arachni/element/capabilities/analyzable/signature.rb CHANGED

@@ -109,7 +109,7 @@ module Signature
     #       {Element::Capabilities::Submittable#platforms applicable platforms}
     #       for the {Element::Capabilities::Submittable#action resource} to be audited.
     # @param  [Hash]    opts
-    #   Options as described in {Arachni::Check::Auditor::OPTIONS} and
+    #   Options as described in {Arachni::Element::Auditable::OPTIONS} and
     #   {SIGNATURE_OPTIONS}.
     #
     # @return   [Bool]

data/lib/arachni/framework/parts/report.rb CHANGED

@@ -79,7 +79,7 @@ module Report
                      "Reporter '#{name}' cannot format the audit results as a String."
             end
-            outfile = "#{Arachni.tmpdir}/#{generate_token}"
+            outfile = "#{Options.paths.tmpdir}/#{generate_token}"
             @reporters.run( name, external_report, outfile: outfile )
             IO.binread( outfile )

data/lib/arachni/http/message.rb CHANGED

@@ -73,7 +73,7 @@ class Message
     def url=( url )
         if @normalize_url || @normalize_url.nil?
-            @url = URI.normalize_url( url ).to_s.freeze
+            @url = URI.normalize( url ).to_s.freeze
         else
             @url = url.to_s.freeze
         end

data/lib/arachni/http/response.rb CHANGED

@@ -286,7 +286,7 @@ class Response < Message
         redirections = response.redirections.map do |redirect|
             rurl   = URI.to_absolute( redirect.headers['Location'],
                                       response.effective_url )
-            rurl ||= response.effective_url
+            rurl ||= URI.normalize( response.effective_url )
             # Broken redirection, skip it...
             next if !rurl
@@ -296,7 +296,7 @@ class Response < Message
                 code:          redirect.code,
                 headers:       redirect.headers
             ))
-        end
+        end.compact
         return_code    = response.return_code
         return_message = response.return_message

data/lib/arachni/option_groups/paths.rb CHANGED

@@ -7,6 +7,7 @@
 =end
 require 'fileutils'
+require 'tmpdir'
 module Arachni::OptionGroups
@@ -75,6 +76,16 @@ class Paths < Arachni::OptionGroup
         File.expand_path( File.dirname( __FILE__ ) + '/../../..' ) + '/'
     end
+    def tmpdir
+        if config['framework']['tmpdir'].to_s.empty?
+            # On MS Windows Dir.tmpdir can return the path with a shortname,
+            # better avoid that as it can be insonsistent with other paths.
+            Arachni.get_long_win32_filename( Dir.tmpdir )
+        else
+            Arachni.get_long_win32_filename( config['framework']['tmpdir'] )
+        end
+    end
     def config
         self.class.config
     end

data/lib/arachni/options.rb CHANGED

@@ -221,7 +221,7 @@ class Options
         elsif parsed.host == 'localhost' || parsed.host.start_with?( '127.' )
             fail Error::ReservedHostname,
-                 "Loopback interfaces (like #{parsed.host}) are nor supported," <<
+                 "Loopback interfaces (like #{parsed.host}) are not supported," <<
                      ' please use a different IP address or hostname.'
         else

data/lib/arachni/parser.rb CHANGED

@@ -237,16 +237,10 @@ class Parser
     #   `nil` if the response data wasn't {#text? text-based} or the response
     #   couldn't be parsed.
     def document
+        return @document if @document
         return if !text?
-        if from_document?
-            @document
-        else
-            @document = self.class.parse(
-                body,
-                whitelist: WHITELIST
-            )
-        end
+        @document = self.class.parse( body, filter: true )
     end
     # @note It will include common request headers as well headers from the HTTP

data/lib/arachni/parser/nodes/text.rb CHANGED

@@ -17,7 +17,7 @@ class Text < Base
     include WithValue
     def text
-        @value
+        @value.to_s
     end
     def to_html( indentation = 2, level = 0 )

data/lib/arachni/parser/with_children.rb CHANGED

@@ -20,7 +20,7 @@ module WithChildren
     def text
         txt = children.find { |n| n.is_a? Parser::Nodes::Text }
-        return if !txt
+        return '' if !txt
         txt.value
     end

data/lib/arachni/snapshot.rb CHANGED

@@ -149,7 +149,7 @@ class <<self
     end
     def get_temporary_directory
-        "#{Arachni.tmpdir}/Arachni_Snapshot_#{Utilities.generate_token}/"
+        "#{Options.paths.tmpdir}/Arachni_Snapshot_#{Utilities.generate_token}/"
     end
     def extract( archive, directory )

data/lib/arachni/support/database/base.rb CHANGED

@@ -6,8 +6,6 @@
     web site for more information on licensing and terms of use.
 =end
-require 'tmpdir'
 module Arachni
 module Support::Database
@@ -96,7 +94,7 @@ class Base
     def generate_filename
         # Should be unique enough...
-        "#{Arachni.tmpdir}/#{self.class.name}_#{Process.pid}_#{object_id}_#{@filename_counter}".gsub( '::', '_' )
+        "#{Options.paths.tmpdir}/#{self.class.name}_#{Process.pid}_#{object_id}_#{@filename_counter}".gsub( '::', '_' )
     ensure
         @filename_counter += 1
     end

data/lib/version CHANGED

	@@ -1 +1 @@
1	- 1.5
1	+ 1.5.1

data/spec/arachni/browser/javascript/dom_monitor_spec.rb CHANGED

@@ -131,26 +131,6 @@ describe Arachni::Browser::Javascript::DOMMonitor do
         end
     end
-    describe '#intervals' do
-        it 'keeps track of setInterval() timers' do
-            load '/intervals'
-            expect(subject.intervals).to eq([
-                [
-                    "function (name, value) {\n            document.cookie = name + \"=post-\" + value;\n        }",
-                    2000, 'timeout1', 2000
-                ]
-            ])
-            sleep 2
-            expect(@browser.cookies.size).to eq(2)
-            expect(@browser.cookies.map { |c| c.to_s }.sort).to eq([
-                'timeout1=post-2000',
-                'timeout=pre'
-            ].sort)
-        end
-    end
     describe '#elements_with_events' do
         it 'skips non visible elements' do
             load '/elements_with_events/with-hidden'

data/spec/arachni/browser/javascript_spec.rb CHANGED

@@ -285,13 +285,6 @@ describe Arachni::Browser::Javascript do
         end
     end
-    describe '#intervals' do
-        it 'keeps track of setInterval() timers' do
-            @browser.load( @dom_monitor_url + 'interval-tracker' )
-            expect(subject.intervals).to eq(subject.dom_monitor.intervals)
-        end
-    end
     describe '#has_sinks?' do
         context 'when there are execution-flow sinks' do
             it 'returns true' do

data/spec/arachni/check/auditor_spec.rb CHANGED

@@ -428,62 +428,41 @@ describe Arachni::Check::Auditor do
         end
         it 'sets the auditor' do
-            auditor.each_candidate_element [ Arachni::Link ] do |element|
+            auditor.each_candidate_element do |element|
                 expect(element.auditor).to eq(auditor)
             end
         end
-        context 'when types have been provided' do
-            it 'provides those types of elements' do
-                elements = []
-                auditor.each_candidate_element [ Arachni::Link, Arachni::Header ] do |element|
-                    elements << element
-                end
+        it 'provides the types of elements specified by the check' do
+            auditor.class.info[:elements] = [Arachni::Link, Arachni::Form]
-                expect(elements).to eq((auditor.page.links | auditor.page.headers).
-                    select { |e| e.inputs.any? })
+            elements = []
+            auditor.each_candidate_element do |element|
+                elements << element
             end
-            context 'and are not supported' do
-                it 'raises ArgumentError' do
-                    expect {
-                        auditor.each_candidate_element [Arachni::Link::DOM]
-                    }.to raise_error ArgumentError
-                end
-            end
+            expect(auditor.class.elements).to eq([Arachni::Link, Arachni::Form])
+            expect(elements).to eq((auditor.page.links | auditor.page.forms).
+                select { |e| e.inputs.any? })
         end
-        context 'when types have not been provided' do
-            it 'provides the types of elements specified by the check' do
-                auditor.class.info[:elements] = [Arachni::Link, Arachni::Form]
+        context 'and no types are specified by the check' do
+            it 'provides all types of elements but :inputs and :ui_forms'do
+                auditor.class.info[:elements].clear
+                expected_elements = Arachni::Page::ELEMENTS
+                expected_elements.delete :ui_inputs
+                expected_elements.delete :ui_forms
                 elements = []
                 auditor.each_candidate_element do |element|
                     elements << element
                 end
-                expect(auditor.class.elements).to eq([Arachni::Link, Arachni::Form])
-                expect(elements).to eq((auditor.page.links | auditor.page.forms).
+                expect(elements.map { |e| "#{e.type}s".to_sym }.uniq).to eq(Arachni::Page::ELEMENTS)
+                expect(elements).to eq((auditor.page.elements).
                     select { |e| e.inputs.any? })
             end
-            context 'and no types are specified by the check' do
-                it 'provides all types of elements but :inputs and :ui_forms'do
-                    auditor.class.info[:elements].clear
-                    expected_elements = Arachni::Page::ELEMENTS
-                    expected_elements.delete :ui_inputs
-                    expected_elements.delete :ui_forms
-                    elements = []
-                    auditor.each_candidate_element do |element|
-                        elements << element
-                    end
-                    expect(elements.map { |e| "#{e.type}s".to_sym }.uniq).to eq(Arachni::Page::ELEMENTS)
-                    expect(elements).to eq((auditor.page.elements).
-                        select { |e| e.inputs.any? })
-                end
-            end
         end
     end
@@ -504,54 +483,33 @@ describe Arachni::Check::Auditor do
             end
         end
-        context 'when types have been provided' do
-            it 'provides those types of elements' do
-                elements = []
-                auditor.each_candidate_dom_element [ Arachni::Link::DOM ] do |element|
-                    elements << element
-                end
+        it 'provides the types of elements specified by the check' do
+            auditor.class.info[:elements] = [Arachni::Form::DOM]
+            expect(auditor.class.elements).to eq([Arachni::Form::DOM])
-                expect(elements).to be_any
-                expect(elements).to eq(auditor.page.links.select { |l| l.dom }.map(&:dom))
+            elements = []
+            auditor.each_candidate_dom_element do |element|
+                elements << element
             end
-            context 'and are not supported' do
-                it 'raises ArgumentError' do
-                    expect {
-                        auditor.each_candidate_dom_element [Arachni::Link]
-                    }.to raise_error ArgumentError
-                end
-            end
+            expect(elements).to eq(auditor.page.forms.map(&:dom))
         end
-        context 'when types have not been provided' do
-            it 'provides the types of elements specified by the check' do
-                auditor.class.info[:elements] = [Arachni::Form::DOM]
-                expect(auditor.class.elements).to eq([Arachni::Form::DOM])
+        context 'and no types are specified by the check' do
+            it 'provides all types of elements'do
+                auditor.class.info[:elements].clear
                 elements = []
                 auditor.each_candidate_dom_element do |element|
                     elements << element
                 end
-                expect(elements).to eq(auditor.page.forms.map(&:dom))
-            end
-            context 'and no types are specified by the check' do
-                it 'provides all types of elements'do
-                    auditor.class.info[:elements].clear
-                    elements = []
-                    auditor.each_candidate_dom_element do |element|
-                        elements << element
-                    end
-                    expect(elements).to eq(
-                        (auditor.page.links.select { |l| l.dom } |
-                            auditor.page.forms | auditor.page.cookies |
-                            auditor.page.link_templates | auditor.page.ui_inputs |
-                            auditor.page.ui_forms).map(&:dom)
-                    )
-                end
+                expect(elements).to eq(
+                    (auditor.page.links.select { |l| l.dom } |
+                        auditor.page.forms | auditor.page.cookies |
+                        auditor.page.link_templates | auditor.page.ui_inputs |
+                        auditor.page.ui_forms).map(&:dom)
+                )
             end
         end
     end
@@ -874,99 +832,20 @@ describe Arachni::Check::Auditor do
                 end
                 auditor.audit( @seed ){}
-                expect($audit_called).to eq(auditor.page.elements.map(&:class))
+                expect($audit_called).to eq(auditor.class.elements)
             end
         end
         context 'when called without a block' do
             it 'delegates to #audit_signature' do
-                expect(auditor).to receive(:audit_signature).with( @seed, described_class::OPTIONS )
-                auditor.audit( @seed )
+                opts = { stuff: :here }
+                expect(auditor).to receive(:audit_signature).with( @seed, opts )
+                auditor.audit( @seed, opts )
             end
         end
         context 'when called with options' do
-            describe ':elements' do
-                before { auditor.load_page_from( @url + '/elem_combo' ) }
-                describe 'Arachni::Element::Link' do
-                    it 'audits links' do
-                        auditor.audit( @seed,
-                            format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
-                            elements: [ Arachni::Element::Link ]
-                         )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(1)
-                        issue = Arachni::Data.issues.first
-                        expect(issue.vector.class).to eq(Arachni::Element::Link)
-                        expect(issue.vector.affected_input_name).to eq('link_input')
-                    end
-                end
-                describe 'Arachni::Element::Form' do
-                    it 'audits forms' do
-                        auditor.audit( @seed,
-                            format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
-                            elements: [ Arachni::Element::Form ]
-                         )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(1)
-                        issue = Arachni::Data.issues.first
-                        expect(issue.vector.class).to eq(Arachni::Element::Form)
-                        expect(issue.vector.affected_input_name).to eq('form_input')
-                    end
-                end
-                describe 'Arachni::Element::Cookie' do
-                    it 'audits cookies' do
-                        auditor.audit( @seed,
-                            format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
-                            elements: [ Arachni::Element::Cookie ]
-                         )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(1)
-                        issue = Arachni::Data.issues.first
-                        expect(issue.vector.class).to eq(Arachni::Element::Cookie)
-                        expect(issue.vector.affected_input_name).to eq('cookie_input')
-                    end
-                    it 'maintains the session while auditing cookies' do
-                        auditor.load_page_from( @url + '/session' )
-                        auditor.audit( @seed,
-                                        format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
-                                        elements: [ Arachni::Element::Cookie ]
-                        )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(1)
-                        issue = Arachni::Data.issues.first
-                        expect(issue.vector.class).to eq(Arachni::Element::Cookie)
-                        expect(issue.vector.affected_input_name).to eq('vulnerable')
-                    end
-                end
-                describe 'Arachni::Element::Header' do
-                    it 'audits headers' do
-                        auditor.audit( @seed,
-                            format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
-                            elements: [ Arachni::Element::Header ]
-                         )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(1)
-                        issue = Arachni::Data.issues.first
-                        expect(issue.vector.class).to eq(Arachni::Element::Header)
-                        expect(issue.vector.affected_input_name).to eq('Referer')
-                    end
-                end
-                context 'when using default options' do
-                    it 'audits all element types' do
-                        auditor.audit( @seed,
-                            format: [ Arachni::Check::Auditor::Format::STRAIGHT ]
-                         )
-                        @framework.http.run
-                        expect(Arachni::Data.issues.size).to eq(4)
-                    end
-                end
-            end
             describe ':train' do
                 context 'default' do
                     it 'parses the responses of forms submitted with their default values and feed any new elements back to the framework to be audited' do
@@ -1061,7 +940,7 @@ describe Arachni::Check::Auditor do
             end
             auditor.audit_signature( 'seed' )
-            expect($audit_signature_called).to eq(auditor.page.elements.map(&:class))
+            expect($audit_signature_called).to eq(auditor.class.elements)
         end
     end
@@ -1080,7 +959,7 @@ describe Arachni::Check::Auditor do
             end
             auditor.audit_differential( { false: '0', pairs: { '1' => '2' } } )
-            expect($audit_differential_called).to eq(auditor.page.elements.map(&:class))
+            expect($audit_differential_called).to eq(auditor.class.elements)
         end
     end
@@ -1099,7 +978,7 @@ describe Arachni::Check::Auditor do
             end
             auditor.audit_timeout( 'seed', timeout: 1 )
-            expect($audit_timeout_called).to eq(auditor.page.elements.map(&:class))
+            expect($audit_timeout_called).to eq(auditor.class.elements)
         end
     end