cms_scanner 0.0.2

data/spec/shared_examples.rb

@@ -0,0 +1,11 @@
+
+require 'shared_examples/browser_actions'
+require 'shared_examples/formatter_buffer'
+require 'shared_examples/formatter_class_methods'
+require 'shared_examples/finding'
+require 'shared_examples/independent_finder'
+require 'shared_examples/target/platform/wordpress'
+require 'shared_examples/target/platform/php'
+require 'shared_examples/target/server/generic'
+require 'shared_examples/target/server/apache'
+require 'shared_examples/target/server/iis'

data/spec/shared_examples/browser_actions.rb

@@ -0,0 +1,32 @@
+
+shared_examples CMSScanner::Browser::Actions do
+
+  let(:url)     { 'http://example.com/file.txt' }
+  let(:browser) { CMSScanner::Browser }
+
+  describe '#get, #post, #head' do
+    [:get, :post, :head].each do |method|
+      it 'calls the method and returns a Typhoeus::Response' do
+        stub_request(method, url)
+
+        expect(browser.send(method, url)).to be_a Typhoeus::Response
+      end
+    end
+  end
+
+  describe '#get_and_follow_location' do
+    let(:redirection) { 'http://redirect.me' }
+
+    it 'follows the location' do
+      stub_request(:get, url).to_return(status: 301, headers: { location: redirection })
+      stub_request(:get, redirection).to_return(status: 200, body: 'Got me')
+
+      response = browser.get_and_follow_location(url)
+      expect(response).to be_a Typhoeus::Response
+      # Line below is not working due to an issue in Typhoeus/Webmock
+      # See https://github.com/typhoeus/typhoeus/issues/279
+      # expect(response.body).to eq 'Got me'
+    end
+  end
+
+end

data/spec/shared_examples/finding.rb

@@ -0,0 +1,20 @@
+
+shared_examples CMSScanner::Finders::Finding do
+
+  [:references, :confirmed_by, :interesting_entries].each do |opt|
+    describe "##{opt}" do
+      its(opt) { should eq [] }
+
+      context 'when supplied in the #new' do
+        let(:opts) { { opt => 'test' } }
+
+        its(opt) { should eq 'test' }
+      end
+    end
+  end
+
+  describe '#parse_finding_options' do
+    xit
+  end
+
+end

data/spec/shared_examples/formatter_buffer.rb

@@ -0,0 +1,8 @@
+
+shared_examples CMSScanner::Formatter::Buffer do
+
+  describe '#buffer' do
+    its(:buffer) { should be_empty }
+  end
+
+end

data/spec/shared_examples/formatter_class_methods.rb

@@ -0,0 +1,26 @@
+
+shared_examples CMSScanner::Formatter::ClassMethods do
+  describe '#load' do
+    context 'w/o parameter' do
+      it 'loads the default formatter' do
+        expect(subject.load).to be_a subject::Cli
+      end
+    end
+
+    it 'loads the correct formatter' do
+      expect(subject.load('cli_no_colour')).to be_a subject::CliNoColour
+    end
+
+    it 'adds the custom_views' do
+      formatter = subject.load(nil, %w(/path/views1 /path2/views))
+
+      expect(formatter.views_directories).to include('/path/views1', '/path2/views')
+    end
+  end
+
+  describe '#availables' do
+    it 'returns the right list' do
+      expect(subject.availables).to match_array(%w(json cli-no-colour cli))
+    end
+  end
+end

data/spec/shared_examples/independent_finder.rb

@@ -0,0 +1,33 @@
+
+shared_examples CMSScanner::Finders::IndependentFinder do
+
+  describe '::find' do
+    it 'creates a new object and call finders#find' do
+      created = described_class.new(target)
+
+      expect(described_class).to receive(:new).and_return(created)
+      expect(created).to receive(:find)
+
+      described_class.find(target)
+    end
+  end
+
+  describe '#find' do
+    it 'calls finders#run' do
+      expect(subject.finders).to receive(:run).with({})
+      subject.find
+    end
+  end
+
+  describe '#finders' do
+    its(:finders) { should be_a CMSScanner::Finders::IndependentFinders }
+
+    it 'returns the correct finders' do
+      finders = subject.finders
+
+      expect(finders.size).to eq expected_finders.size
+      expect(finders.map { |f| f.class.to_s.demodulize }).to eq expected_finders
+    end
+  end
+
+end

data/spec/shared_examples/target/platform/php.rb

@@ -0,0 +1,58 @@
+
+shared_examples CMSScanner::Target::Platform::PHP do
+
+  before { stub_request(:get, target.url(path)).to_return(body: body) }
+
+  describe '#debug_log?' do
+    let(:path) { 'd.log' }
+
+    context 'when the body matches' do
+      %w(debug.log).each do |file|
+        context "when #{file} body" do
+          let(:body) { File.read(File.join(fixtures, 'debug_log', file)) }
+
+          it 'returns true' do
+            expect(target.debug_log?(path)).to be true
+          end
+        end
+      end
+    end
+
+    context 'when the body does not match' do
+      let(:body) { '' }
+
+      it 'returns false' do
+        expect(target.debug_log?(path)).to be false
+      end
+    end
+  end
+
+  describe '#full_path_disclosure?, #full_path_disclosure_entries' do
+    let(:path) { 'p.php' }
+
+    context 'when the body matches a FPD' do
+      {
+        'wp_rss_functions.php' => %w(/short-path/rss-f.php)
+      }
+      .each do |file, expected|
+        context "when #{file} body" do
+          let(:body) { File.read(File.join(fixtures, 'fpd', file)) }
+
+          it 'returns the expected array' do
+            expect(target.full_path_disclosure_entries(path)).to eql expected
+            expect(target.full_path_disclosure?(path)).to be true
+          end
+        end
+      end
+    end
+
+    context 'when no FPD' do
+      let(:body) { '' }
+
+      it 'returns an empty array' do
+        expect(target.full_path_disclosure_entries(path)).to eq []
+        expect(target.full_path_disclosure?(path)).to be false
+      end
+    end
+  end
+end

data/spec/shared_examples/target/platform/wordpress.rb

@@ -0,0 +1,41 @@
+require_relative 'wordpress/custom_directories'
+
+shared_examples CMSScanner::Target::Platform::WordPress do
+
+  it_behaves_like 'WordPress::CustomDirectories'
+
+  describe '#wordpress?' do
+    let(:fixtures) { File.join(super(), 'detection') }
+
+    before do
+      stub_request(:get, target.url).to_return(body: File.read(File.join(fixtures, "#{body}.html")))
+    end
+
+    %w(default wp_includes).each do |file|
+      context "when a wordpress page (#{file}.html)" do
+        let(:body) { file }
+
+        its(:wordpress?) { should be true }
+      end
+    end
+
+    %w(not_wp).each do |file|
+      context "when not a wordpress page (#{file}.html)" do
+        let(:body) { file }
+
+        its(:wordpress?) { should be false }
+      end
+    end
+  end
+
+  describe '#wordpress_hosted?' do
+    its(:wordpress_hosted?) { should be false }
+
+    context 'when the target host matches' do
+      let(:url) { 'http://ex.wordpress.com' }
+
+      its(:wordpress_hosted?) { should be true }
+    end
+  end
+
+end

data/spec/shared_examples/target/platform/wordpress/custom_directories.rb

@@ -0,0 +1,50 @@
+
+shared_examples 'WordPress::CustomDirectories' do
+  let(:fixtures) { File.join(super(), 'custom_directories') }
+
+  describe '#content_dir' do
+    {
+      default: 'wp-content', https: 'wp-content', custom_w_spaces: 'custom content spaces'
+    }
+    .each do |file, expected|
+      it "returns #{expected} for #{file}.html" do
+        fixture = File.join(fixtures, "#{file}.html")
+
+        stub_request(:get, target.url).to_return(body: File.read(fixture))
+
+        expect(target.content_dir).to eql expected
+      end
+    end
+  end
+
+  describe '#content_dir=, #plugins_dir=' do
+    ['wp-content' 'wp-custom'].each do |dir|
+      context "when content_dir = #{dir} and no plugins_dir" do
+        before { target.content_dir = dir }
+
+        its(:content_dir) { should eq dir.chomp('/') }
+        its(:plugins_dir) { should eq dir.chomp('/') + '/plugins' }
+      end
+
+      context "when content_dir = #{dir} and plugins_dir = #{dir}" do
+        before do
+          target.content_dir = dir
+          target.plugins_dir = dir
+        end
+
+        its(:content_dir) { should eq dir.chomp('/') }
+        its(:plugins_dir) { should eq dir.chomp('/') }
+      end
+    end
+  end
+
+  describe '#content_uri, #content_url, #plugins_uri, #plugins_url' do
+    before { target.content_dir = 'wp-content' }
+
+    its(:content_uri) { should eq Addressable::URI.parse("#{url}/wp-content/") }
+    its(:content_url) { should eq "#{url}/wp-content/" }
+
+    its(:plugins_uri) { should eq Addressable::URI.parse("#{url}/wp-content/plugins/") }
+    its(:plugins_url) { should eq "#{url}/wp-content/plugins/" }
+  end
+end

data/spec/shared_examples/target/server/apache.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+shared_examples CMSScanner::Target::Server::Apache do
+
+  describe '#server' do
+    its(:server) { should eq :Apache }
+  end
+
+  describe '#directory_listing?, #directory_listing_entries' do
+    before     { stub_request(:get, target.url(path)).to_return(body: body, status: status) }
+    let(:path) { 'somedir' }
+
+    context 'when not a 200' do
+      let(:status) { 404 }
+      let(:body)   { '' }
+
+      it 'returns false and an empty array' do
+        expect(target.directory_listing?(path)).to be false
+        expect(target.directory_listing_entries(path)).to eql []
+      end
+    end
+
+    context 'when 200' do
+      let(:status) { 200 }
+      let(:body)   { File.read(File.join(fixtures, 'directory_listing', '2.2.16.html')) }
+
+      it 'returns true and the expected array' do
+        expect(target.directory_listing?(path)).to be true
+        expect(target.directory_listing_entries(path)).to eq %w(backup.php database-empty.php)
+      end
+    end
+  end
+end

data/spec/shared_examples/target/server/generic.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+shared_examples CMSScanner::Target::Server::Generic do
+
+  describe '#server' do
+    before { stub_request(:head, target.url).to_return(headers: parse_headers_file(fixture)) }
+
+    context 'when apache headers' do
+      %w(basic.txt).each do |file|
+        context "when #{file} headers" do
+          let(:fixture) { File.join(fixtures, 'server', 'apache', file) }
+
+          its(:server) { should eq :Apache }
+        end
+      end
+    end
+
+    context 'when iis headers' do
+      %w(basic.txt).each do |file|
+        context "when #{file} headers" do
+          let(:fixture) { File.join(fixtures, 'server', 'iis', file) }
+
+          its(:server) { should eq :IIS }
+        end
+      end
+    end
+
+    context 'not detected' do
+      let(:fixture) { File.join(fixtures, 'server', 'not_detected.txt') }
+
+      its(:server) { should be nil }
+    end
+  end
+end

data/spec/shared_examples/target/server/iis.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+shared_examples CMSScanner::Target::Server::IIS do
+
+  describe '#server' do
+    its(:server) { should eq :IIS }
+  end
+
+  describe '#directory_listing?, #directory_listing_entries' do
+    before     { stub_request(:get, target.url(path)).to_return(body: body, status: status) }
+    let(:path) { 'dir' }
+
+    context 'when not a 200' do
+      let(:status) { 404 }
+      let(:body)   { '' }
+
+      it 'returns false and an empty array' do
+        expect(target.directory_listing?(path)).to be false
+        expect(target.directory_listing_entries(path)).to eql []
+      end
+    end
+
+    context 'when 200' do
+      let(:status) { 200 }
+
+      %w(with_parent.html no_parent.html).each do |file|
+        context "when #{file} body" do
+          let(:body)   { File.read(File.join(fixtures, 'directory_listing', file)) }
+
+          it 'returns true and the expected array' do
+            expect(target.directory_listing?(path)).to be true
+            expect(target.directory_listing_entries(path)).to eq %w(sub-dir web.config)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,41 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'simplecov'
+require 'rspec/its'
+require 'webmock/rspec'
+
+if ENV['TRAVIS']
+  require 'coveralls'
+  SimpleCov.formatter = Coveralls::SimpleCov::Formatter
+end
+
+SimpleCov.start do
+  add_filter '/spec/'
+  add_filter 'helper'
+end
+
+# See http://betterspecs.org/
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end
+
+def count_files_in_dir(absolute_dir_path, files_pattern = '*')
+  Dir.glob(File.join(absolute_dir_path, files_pattern)).count
+end
+
+# Parse a file containing raw headers and return the associated Hash
+# @return [ Hash ]
+def parse_headers_file(filepath)
+  Typhoeus::Response::Header.new(File.read(filepath))
+end
+
+require 'cms_scanner'
+require 'shared_examples'
+
+SPECS          = Pathname.new(__FILE__).dirname.to_s
+CACHE          = File.join(SPECS, 'cache')
+FIXTURES       = File.join(SPECS, 'fixtures')
+FIXTURES_VIEWS = File.join(FIXTURES, 'views')
+APP_VIEWS      = File.join(CMSScanner::APP_DIR, 'views')