cms_scanner 0.0.18 → 0.0.19

data/spec/lib/public_suffix/domain_spec.rb

@@ -1,49 +0,0 @@
-require 'spec_helper'
-
-describe PublicSuffix::Domain do
-  describe '#match' do
-    it 'returns true' do
-      expect(PublicSuffix.parse('g.com').match('g.com')).to eql true
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('s.g.com').match('*.g.com')).to eql true
-    end
-
-    it 'returns false' do
-      expect(PublicSuffix.parse('a.b.g.com').match('*.g.com')).to eql false
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('a.b.g.com').match('*.b.g.com')).to eql true
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('a.b.g.com').match('**.g.com')).to eql true
-    end
-
-    it 'returns false' do
-      expect(PublicSuffix.parse('a.b.y.g.com').match('**.b.g.com')).to eql false
-    end
-
-    it 'returns false' do
-      expect(PublicSuffix.parse('w.g.com').match('*.g2.com')).to eql false
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('a.b.g.com').match('a.b.g.com')).to eql true
-    end
-
-    it 'returns false' do
-      expect(PublicSuffix.parse('a.b.g.com').match('a.y.g.com')).to eql false
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('a.b.c.d.g.com').match('**.c.d.g.com')).to eql true
-    end
-
-    it 'returns true' do
-      expect(PublicSuffix.parse('a.b.c.d.g.com').match('*.b.c.d.g.com')).to eql true
-    end
-  end
-end

data/spec/lib/sub_scanner_spec.rb

@@ -1,45 +0,0 @@
-require 'spec_helper'
-
-# Module including the CMSScanner to test its correct inclusion
-module SubScanner
-  include CMSScanner
-
-  # This Target class should be called in the CMSScanner::Controller::Base
-  # instead of the CMSScanner::Target
-  class Target < CMSScanner::Target
-    def new_method
-      'working'
-    end
-  end
-
-  # Custom method for all formatters
-  module Formatter
-    include CMSScanner::Formatter
-
-    # Implements a #custom method which should be available in all formatters
-    module InstanceMethods
-      def custom
-        'It Works!'
-      end
-    end
-  end
-end
-
-describe SubScanner::Scan do
-  subject(:scanner)     { described_class.new }
-  let(:formatter_class) { SubScanner::Formatter }
-
-  it 'loads the overrided Target class' do
-    target = scanner.controllers.first.target
-
-    expect(target).to be_a SubScanner::Target
-    expect(target).to respond_to(:new_method)
-    expect(target.new_method).to eq 'working'
-  end
-
-  it 'adds the #custom method for all formatters' do
-    formatter_class.availables.each do |format|
-      expect(formatter_class.load(format).custom).to eql 'It Works!'
-    end
-  end
-end

data/spec/lib/target/hashes_spec.rb

@@ -1,90 +0,0 @@
-require 'spec_helper'
-
-describe CMSScanner::Target do
-  subject(:target) { described_class.new(url) }
-  let(:url)        { 'http://e.org' }
-
-  def md5sum(body)
-    Digest::MD5.hexdigest(body)
-  end
-
-  describe '#page_hash' do
-    after { expect(described_class.page_hash(page)).to eql @expected }
-
-    context 'when the page is an url' do
-      let(:page) { 'http://e.org/somepage.php' }
-
-      it 'returns the MD5 hash of the page' do
-        body = 'Hello World !'
-
-        stub_request(:get, page).to_return(body: body)
-
-        @expected = md5sum(body)
-      end
-    end
-
-    context 'when the page is a Typhoeus::Response' do
-      let(:page) { Typhoeus::Response.new(body: 'Hello Example!') }
-
-      it 'returns the correct hash' do
-        @expected = md5sum('Hello Example!')
-      end
-    end
-
-    context 'when there are comments' do
-      let(:page) do
-        body = "yolo\n\n<!--I should <script>no longer be</script> there -->\nworld!"
-        Typhoeus::Response.new(body: body)
-      end
-
-      it 'removes them' do
-        @expected = md5sum("yolo\n\n\nworld!")
-      end
-    end
-  end
-
-  describe '#homepage_hash' do
-    it 'returns the MD5 hash of the homepage' do
-      body = 'Hello World'
-
-      stub_request(:get, target.url).to_return(body: body)
-
-      expect(target.homepage_hash).to eql md5sum(body)
-    end
-  end
-
-  describe '#error_404_hash' do
-    it 'returns the md5sum of the 404 page' do
-      stub_request(:any, /.*/).to_return(status: 404, body: '404 page !')
-
-      expect(target.error_404_hash).to eql md5sum('404 page !')
-    end
-  end
-
-  describe '#homepage_or_404?' do
-    let(:page_url) { target.url('page') }
-
-    before do
-      expect(target).to receive(:homepage_hash).and_return(md5sum('Home'))
-      expect(target).to receive(:error_404_hash).and_return(md5sum('Custom 404'))
-
-      stub_request(:get, page_url).to_return(body: body)
-    end
-
-    context 'when hashes do not match' do
-      let(:body) { 'Page!' }
-
-      it 'returns false' do
-        expect(target.homepage_or_404?(page_url)).to eql false
-      end
-    end
-
-    context 'when hashes match' do
-      let(:body) { 'Custom 404' }
-
-      it 'returns true' do
-        expect(target.homepage_or_404?(page_url)).to eql true
-      end
-    end
-  end
-end

data/spec/lib/target/platforms_spec.rb

@@ -1,13 +0,0 @@
-require 'spec_helper'
-
-[:PHP].each do |platform|
-  describe CMSScanner::Target do
-    subject(:target) do
-      described_class.new(url).extend(described_class::Platform.const_get(platform))
-    end
-    let(:url)      { 'http://e.org' }
-    let(:fixtures) { File.join(FIXTURES, 'target', 'platform', platform.to_s.downcase) }
-
-    it_behaves_like described_class::Platform.const_get(platform)
-  end
-end

data/spec/lib/target/scope_spec.rb

@@ -1,103 +0,0 @@
-require 'spec_helper'
-
-describe CMSScanner::Target do
-  subject(:target) { described_class.new(url, opts) }
-  let(:url)        { 'http://e.org' }
-  let(:fixtures)   { File.join(FIXTURES, 'target', 'scope') }
-  let(:opts)       { { scope: nil } }
-
-  describe '#scope' do
-    let(:default_domains) { [PublicSuffix.parse('e.org')] }
-
-    context 'when none supplied' do
-      its('scope.domains') { should eq default_domains }
-    end
-
-    context 'when scope provided' do
-      let(:opts) { super().merge(scope: ['*.e.org']) }
-
-      its('scope.domains') { should eq default_domains << PublicSuffix.parse(opts[:scope].first) }
-
-      context 'when invalid domains provided' do
-        let(:opts) { super().merge(scope: ['wp-lamp', '192.168.1.12']) }
-
-        it 'adds them in the invalid_domains attribute' do
-          expect(target.scope.domains).to eq default_domains
-          expect(target.scope.invalid_domains).to eq opts[:scope]
-        end
-      end
-    end
-  end
-
-  describe '#in_scope?' do
-    context 'when default scope (target domain)' do
-      [nil, '', 'http://out-of-scope.com', '//jquery.com/j.js',
-       'javascript:alert(3)', 'mailto:p@g.com'
-      ].each do |url|
-        it "returns false for #{url}" do
-          expect(target.in_scope?(url)).to eql false
-        end
-      end
-
-      %w(https://e.org/file.txt http://e.org/ //e.org).each do |url|
-        it "returns true for #{url}" do
-          expect(target.in_scope?(url)).to eql true
-        end
-      end
-    end
-
-    context 'when custom scope' do
-      let(:opts) { { scope: ['*.e.org', '192.168.1.12'] } }
-
-      [nil, '', 'http://out-of-scope.com', '//jquery.com/j.js', 'http://192.168.1.2/'].each do |url|
-        it "returns false for #{url}" do
-          expect(target.in_scope?(url)).to eql false
-        end
-      end
-
-      %w(http://e.org //cdn.e.org/f.txt http://s.e.org/ https://192.168.1.12/h).each do |url|
-        it "returns true for #{url}" do
-          expect(target.in_scope?(url)).to eql true
-        end
-      end
-    end
-  end
-
-  describe '#in_scope_urls' do
-    let(:res) { Typhoeus::Response.new(body: File.open(File.join(fixtures, 'index.html'))) }
-
-    context 'when block given' do
-      it 'yield the url' do
-        expect { |b| target.in_scope_urls(res, &b) }
-          .to yield_successive_args('http://e.org/f.txt', 'http://e.org/script/s.js', 'http://e.org/feed')
-      end
-    end
-
-    context 'when xpath argument given' do
-      it 'returns the expected array' do
-        xpath = '//link[@rel="alternate" and @type="application/rss+xml"]'
-
-        expect(target.in_scope_urls(res, xpath)).to eql(%w(http://e.org/feed))
-      end
-    end
-
-    context 'when no block given' do
-      after { expect(target.in_scope_urls(res)).to eql @expected }
-
-      context 'when default scope' do
-        it 'returns the expected array' do
-          @expected = %w(http://e.org/f.txt http://e.org/script/s.js http://e.org/feed)
-        end
-      end
-
-      context 'when supplied scope' do
-        let(:opts) { super().merge(scope: ['*.e.org', 'wp-lamp']) }
-
-        it 'returns the expected array' do
-          @expected = %w(http://e.org/f.txt https://cdn.e.org/f2.js http://e.org/script/s.js
-                         http://wp-lamp/robots.txt http://e.org/feed)
-        end
-      end
-    end
-  end
-end

data/spec/lib/target/servers_spec.rb

@@ -1,13 +0,0 @@
-require 'spec_helper'
-
-[:Generic, :Apache, :IIS].each do |server|
-  describe CMSScanner::Target do
-    subject(:target) do
-      described_class.new(url).extend(described_class::Server.const_get(server))
-    end
-    let(:url)      { 'http://e.org' }
-    let(:fixtures) { File.join(FIXTURES, 'target', 'server', server.to_s.downcase) }
-
-    it_behaves_like described_class::Server.const_get(server)
-  end
-end

data/spec/lib/target_spec.rb

@@ -1,69 +0,0 @@
-require 'spec_helper'
-
-describe CMSScanner::Target do
-  subject(:target) { described_class.new(url) }
-  let(:url)        { 'http://e.org' }
-
-  describe '#interesting_files' do
-    before do
-      expect(CMSScanner::Finders::InterestingFiles::Base).to receive(:find).and_return(stubbed)
-    end
-
-    context 'when no findings' do
-      let(:stubbed) { [] }
-
-      its(:interesting_files) { should eq stubbed }
-    end
-
-    context 'when findings' do
-      let(:stubbed) { ['yolo'] }
-
-      it 'allows findings to be added with <<' do
-        expect(target.interesting_files).to eq stubbed
-
-        target.interesting_files << 'other-finding'
-
-        expect(target.interesting_files).to eq(stubbed << 'other-finding')
-      end
-    end
-  end
-
-  describe '#comments_from_page' do
-    let(:fixture) { File.join(FIXTURES, 'target', 'comments.html') }
-    let(:page) { Typhoeus::Response.new(body: File.read(fixture)) }
-
-    context 'when the pattern does not match anything' do
-      it 'returns an empty array' do
-        expect(target.comments_from_page(/none/, page)).to eql([])
-      end
-    end
-
-    context 'when the pattern matches' do
-      let(:pattern) { /all in one seo pack/i }
-      let(:s1) { 'All in One SEO Pack 2.2.5.1 by Michael Torbert of Semper Fi Web Design' }
-      let(:s2) { '/all in one seo pack' }
-
-      context 'when no block given' do
-        it 'returns the expected matches' do
-          results = target.comments_from_page(pattern, page)
-
-          [s1, s2].each_with_index do |s, i|
-            expect(results[i].first).to eql s.match(pattern)
-            expect(results[i].last.to_s).to eql "<!-- #{s} -->"
-          end
-        end
-      end
-
-      # The below doesn't work, dunno why
-      context 'when block given' do
-        it 'yield the MatchData' do
-          expect { |b| target.comments_from_page(pattern, page, &b) }
-            .to yield_successive_args(
-              [MatchData, Nokogiri::XML::Comment],
-              [MatchData, Nokogiri::XML::Comment]
-            )
-        end
-      end
-    end
-  end
-end

data/spec/lib/vulnerability/references_spec.rb

@@ -1,75 +0,0 @@
-require 'spec_helper'
-
-describe CMSScanner::Vulnerability do
-  subject(:vuln)   { described_class.new(title, references) }
-  let(:title)      { 'Test Vuln' }
-  let(:references) { {} }
-
-  describe '#new' do
-    context 'when no references' do
-      [:cves, :secunia_ids, :osvdb_ids, :exploitdb_ids, :urls,
-       :msf_modules, :packetstorm_ids
-      ].each do |attribute|
-        its(attribute) { should eql([]) }
-      end
-
-      [:cve_urls, :secunia_urls, :osvdb_urls, :exploitdb_urls, :msf_urls,
-       :packetstorm_urls
-      ].each do |attribute|
-        its(attribute) { should eql([]) }
-      end
-
-      its(:references_urls) { should eql([]) }
-    end
-
-    context 'when references provided as string' do
-      let(:references) do
-        {
-          cve: 11,
-          secunia: 12,
-          osvdb: 13,
-          exploitdb: 14,
-          url: 'single-url',
-          metasploit: '/exploit/yolo',
-          packetstorm: 15
-        }
-      end
-
-      its(:cves)     { should eql %w(11) }
-      its(:cve_urls) { should eql %w(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-11) }
-
-      its(:secunia_ids)  { should eql %w(12) }
-      its(:secunia_urls) { should eql %w(https://secunia.com/advisories/12) }
-
-      its(:osvdb_ids)  { should eql %w(13) }
-      its(:osvdb_urls) { should eql %w(http://osvdb.org/13) }
-
-      its(:exploitdb_ids)  { should eql %w(14) }
-      its(:exploitdb_urls) { should eql %w(http://www.exploit-db.com/exploits/14/) }
-
-      its(:urls) { should eql %w(single-url) }
-
-      its(:msf_modules) { should eql %w(/exploit/yolo) }
-      its(:msf_urls) { should eql %w(http://www.rapid7.com/db/modules/exploit/yolo) }
-
-      its(:packetstorm_ids)  { should eq %w(15) }
-      its(:packetstorm_urls) { should eql %w(http://packetstormsecurity.com/files/15/) }
-
-      its(:references_urls) do
-        should eql [
-          'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-11',
-          'https://secunia.com/advisories/12',
-          'http://osvdb.org/13',
-          'http://www.exploit-db.com/exploits/14/',
-          'single-url',
-          'http://www.rapid7.com/db/modules/exploit/yolo',
-          'http://packetstormsecurity.com/files/15/'
-        ]
-      end
-    end
-
-    context 'when references provided as array' do
-      xit
-    end
-  end
-end