cms_scanner 0.0.41.10 → 0.0.42.0

data/app/models/robots_txt.rb

@@ -1,22 +1,26 @@
+# frozen_string_literal: true
+
 module CMSScanner
-  # Robots.txt
-  class RobotsTxt < InterestingFinding
-    # @todo Better detection, currently everything not empty or / is returned
-    #
-    # @return [ Array<String> ] The interesting Allow/Disallow rules detected
-    def interesting_entries
-      results = []
+  module Model
+    # Robots.txt
+    class RobotsTxt < InterestingFinding
+      # @todo Better detection, currently everything not empty or / is returned
+      #
+      # @return [ Array<String> ] The interesting Allow/Disallow rules detected
+      def interesting_entries
+        results = []
 
-      entries.each do |entry|
-        next unless entry =~ /\A(?:dis)?allow:\s*(.+)\z/i
+        entries.each do |entry|
+          next unless entry =~ /\A(?:dis)?allow:\s*(.+)\z/i
 
-        match = Regexp.last_match(1)
-        next if match == '/'
+          match = Regexp.last_match(1)
+          next if match == '/'
 
-        results << match
-      end
+          results << match
+        end
 
-      results.uniq
+        results.uniq
+      end
     end
   end
 end

data/app/models/user.rb

@@ -1,31 +1,35 @@
+# frozen_string_literal: true
+
 module CMSScanner
-  # User
-  class User
-    include Finders::Finding
+  module Model
+    # User
+    class User
+      include Finders::Finding
 
-    attr_accessor :password
-    attr_reader :id, :username
+      attr_accessor :password
+      attr_reader :id, :username
 
-    # @param [ String ] username
-    # @param [ Hash ] opts
-    # @option opts [ Integer ] :id
-    # @option opts [ String ] :password
-    def initialize(username, opts = {})
-      @username = username
-      @password = opts[:password]
-      @id       = opts[:id]
+      # @param [ String ] username
+      # @param [ Hash ] opts
+      # @option opts [ Integer ] :id
+      # @option opts [ String ] :password
+      def initialize(username, opts = {})
+        @username = username
+        @password = opts[:password]
+        @id       = opts[:id]
 
-      parse_finding_options(opts)
-    end
+        parse_finding_options(opts)
+      end
 
-    def ==(other)
-      return false unless self.class == other.class
+      def ==(other)
+        return false unless self.class == other.class
 
-      username == other.username && password == other.password
-    end
+        username == other.username && password == other.password
+      end
 
-    def to_s
-      username
+      def to_s
+        username
+      end
     end
   end
 end

data/app/models/version.rb

@@ -1,45 +1,49 @@
-module CMSScanner
-  # Version
-  class Version
-    include Finders::Finding
-
-    attr_reader :number
-
-    def initialize(number, opts = {})
-      @number = number.to_s
-      @number = "0#{number}" if @number[0, 1] == '.'
-
-      parse_finding_options(opts)
-    end
-
-    # @param [ Version, String ] other
-    # rubocop:disable Style/NumericPredicate
-    def ==(other)
-      (self <=> other) == 0
-    end
-    # rubocop:enable all
+# frozen_string_literal: true
 
-    # @param [ Version, String ] other
-    def <(other)
-      (self <=> other) == -1
-    end
-
-    # @param [ Version, String ] other
-    def >(other)
-      (self <=> other) == 1
-    end
-
-    # @param [ Version, String ] other
-    def <=>(other)
-      other = self.class.new(other) unless other.is_a?(self.class) # handle potential '.1' version
-
-      Gem::Version.new(number) <=> Gem::Version.new(other.number)
-    rescue ArgumentError
-      false
-    end
-
-    def to_s
-      number
+module CMSScanner
+  module Model
+    # Version
+    class Version
+      include Finders::Finding
+
+      attr_reader :number
+
+      def initialize(number, opts = {})
+        @number = number.to_s
+        @number = "0#{number}" if @number[0, 1] == '.'
+
+        parse_finding_options(opts)
+      end
+
+      # @param [ Version, String ] other
+      # rubocop:disable Style/NumericPredicate
+      def ==(other)
+        (self <=> other) == 0
+      end
+      # rubocop:enable all
+
+      # @param [ Version, String ] other
+      def <(other)
+        (self <=> other) == -1
+      end
+
+      # @param [ Version, String ] other
+      def >(other)
+        (self <=> other) == 1
+      end
+
+      # @param [ Version, String ] other
+      def <=>(other)
+        other = self.class.new(other) unless other.is_a?(self.class) # handle potential '.1' version
+
+        Gem::Version.new(number) <=> Gem::Version.new(other.number)
+      rescue ArgumentError
+        false
+      end
+
+      def to_s
+        number
+      end
     end
   end
 end

data/app/models/xml_rpc.rb

@@ -1,69 +1,73 @@
+# frozen_string_literal: true
+
 module CMSScanner
-  # XML RPC
-  class XMLRPC < InterestingFinding
-    # @return [ Browser ]
-    def browser
-      @browser ||= NS::Browser.instance
-    end
+  module Model
+    # XML RPC
+    class XMLRPC < InterestingFinding
+      # @return [ Browser ]
+      def browser
+        @browser ||= NS::Browser.instance
+      end
 
-    # @return [ Array<String> ]
-    def available_methods
-      return @available_methods if @available_methods
+      # @return [ Array<String> ]
+      def available_methods
+        return @available_methods if @available_methods
 
-      @available_methods = []
+        @available_methods = []
 
-      res = method_call('system.listMethods').run
-      doc = Nokogiri::XML.parse(res.body)
+        res = method_call('system.listMethods').run
+        doc = Nokogiri::XML.parse(res.body)
 
-      doc.search('methodResponse params param value array data value string').each do |s|
-        @available_methods << s.text
-      end
+        doc.search('methodResponse params param value array data value string').each do |s|
+          @available_methods << s.text
+        end
 
-      @available_methods
-    end
+        @available_methods
+      end
 
-    # @return [ Boolean ] Whether or not the XMLRPC is enabled
-    def enabled?
-      !available_methods.empty?
-    end
+      # @return [ Boolean ] Whether or not the XMLRPC is enabled
+      def enabled?
+        !available_methods.empty?
+      end
 
-    # @param [ String ] method_name
-    # @param [ Array ] method_params
-    # @param [ Hash ] request_params
-    #
-    # @return [ Typhoeus::Request ]
-    def method_call(method_name, method_params = [], request_params = {})
-      browser.forge_request(
-        url,
-        request_params.merge(
-          method: :post,
-          body: ::XMLRPC::Create.new.methodCall(method_name, *method_params)
+      # @param [ String ] method_name
+      # @param [ Array ] method_params
+      # @param [ Hash ] request_params
+      #
+      # @return [ Typhoeus::Request ]
+      def method_call(method_name, method_params = [], request_params = {})
+        browser.forge_request(
+          url,
+          request_params.merge(
+            method: :post,
+            body: ::XMLRPC::Create.new.methodCall(method_name, *method_params)
+          )
         )
-      )
-    end
+      end
 
-    # @param [ Array<Array> ] methods_and_params
-    # @param [ Hash ] request_params
-    #
-    # Example of methods_and_params:
-    # [
-    #   [method1, param1, param2],
-    #   [method2, param1],
-    #   [method3]
-    # ]
-    #
-    # @return [ Typhoeus::Request ]
-    def multi_call(methods_and_params = [], request_params = {})
-      browser.forge_request(
-        url,
-        request_params.merge(
-          method: :post,
-          body: ::XMLRPC::Create.new.methodCall(
-            'system.multicall',
-            methods_and_params.collect { |m| { methodName: m[0], params: m[1..-1] } }
+      # @param [ Array<Array> ] methods_and_params
+      # @param [ Hash ] request_params
+      #
+      # Example of methods_and_params:
+      # [
+      #   [method1, param1, param2],
+      #   [method2, param1],
+      #   [method3]
+      # ]
+      #
+      # @return [ Typhoeus::Request ]
+      def multi_call(methods_and_params = [], request_params = {})
+        browser.forge_request(
+          url,
+          request_params.merge(
+            method: :post,
+            body: ::XMLRPC::Create.new.methodCall(
+              'system.multicall',
+              methods_and_params.collect { |m| { methodName: m[0], params: m[1..-1] } }
+            )
           )
         )
-      )
+      end
     end
   end
 end

data/lib/cms_scanner.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Gems
 require 'typhoeus'
 require 'nokogiri'
@@ -15,16 +17,16 @@ require 'fileutils'
 require 'pathname'
 require 'timeout'
 require 'xmlrpc/client'
-# Monkey Patches
+# Monkey Patches/Fixes
 require 'cms_scanner/typhoeus/response' # Adds a Response#html using Nokogiri to parse the body
 require 'cms_scanner/typhoeus/hydra' # https://github.com/typhoeus/typhoeus/issues/439
 require 'cms_scanner/public_suffix/domain' # Adds a Domain#match method and logic, used in scope stuff
 require 'cms_scanner/numeric' # Adds a Numeric#bytes_to_human
 # Custom Libs
+require 'cms_scanner/scan'
 require 'cms_scanner/helper'
 require 'cms_scanner/exit_code'
-require 'cms_scanner/errors/http'
-require 'cms_scanner/errors/scan'
+require 'cms_scanner/errors'
 require 'cms_scanner/cache/typhoeus'
 require 'cms_scanner/target'
 require 'cms_scanner/browser'
@@ -121,88 +123,6 @@ module CMSScanner
     base.extend(ClassMethods)
     super(base)
   end
-
-  # Scan
-  class Scan
-    attr_reader :run_error
-
-    def initialize
-      controllers << NS::Controller::Core.new
-
-      exit_hook
-
-      yield self if block_given?
-    end
-
-    # @return [ Controllers ]
-    def controllers
-      @controllers ||= NS::Controllers.new
-    end
-
-    def run
-      controllers.run
-    rescue OptParseValidator::NoRequiredOption => e
-      @run_error = e
-
-      formatter.output('@usage', msg: e.message)
-    rescue NoMemoryError, ScriptError, SecurityError, SignalException, StandardError, SystemStackError => e
-      @run_error = e
-
-      formatter.output('@scan_aborted',
-                       reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
-                       trace: e.backtrace,
-                       verbose: controllers.first.parsed_options[:verbose] ||
-                                run_error_exit_code == NS::ExitCode::EXCEPTION)
-    ensure
-      Browser.instance.hydra.abort
-
-      formatter.beautify
-    end
-
-    # Used for convenience
-    # @See Formatter
-    def formatter
-      controllers.first.formatter
-    end
-
-    # @return [ Hash ]
-    def datastore
-      controllers.first.datastore
-    end
-
-    # Hook to be able to have an exit code returned
-    # depending on the findings / errors
-    # :nocov:
-    def exit_hook
-      # Avoid hooking the exit when rspec is running, otherwise it will always return 0
-      # and Travis won't detect failed builds. Couldn't find a better way, even though
-      # some people managed to https://github.com/rspec/rspec-core/pull/410
-      return if defined?(RSpec)
-
-      at_exit do
-        exit(run_error_exit_code) if run_error
-
-        controller = controllers.first
-
-        # The parsed_option[:url] must be checked to avoid raising erros when only -h/-v are given
-        exit(NS::ExitCode::VULNERABLE) if controller.parsed_options[:url] && controller.target.vulnerable?
-        exit(NS::ExitCode::OK)
-      end
-    end
-    # :nocov:
-
-    # @return [ Integer ] The exit code related to the run_error
-    def run_error_exit_code
-      return NS::ExitCode::CLI_OPTION_ERROR if run_error.is_a?(OptParseValidator::Error) ||
-                                               run_error.is_a?(OptionParser::ParseError)
-
-      return NS::ExitCode::INTERRUPTED if run_error.is_a?(Interrupt)
-
-      return NS::ExitCode::ERROR if run_error.is_a?(NS::Error) || run_error.is_a?(CMSScanner::Error)
-
-      NS::ExitCode::EXCEPTION
-    end
-  end
 end
 
 require "#{CMSScanner::APP_DIR}/app"

data/lib/cms_scanner/browser.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'cms_scanner/browser/actions'
 require 'cms_scanner/browser/options'
 

data/lib/cms_scanner/browser/actions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module CMSScanner
   class Browser
     # Browser Actions (get, post etc)
@@ -5,43 +7,41 @@ module CMSScanner
       # @param [ String ] url
       # @param [ Hash ] params
       #
-      # @return [ Typhoeus::Response ]
-      def get(url, params = {})
-        process(url, params.merge(method: :get))
+      # @return [ Typhoeus::Request ]
+      def forge_request(url, params = {})
+        NS::Browser.instance.forge_request(url, params)
       end
 
       # @param [ String ] url
       # @param [ Hash ] params
       #
       # @return [ Typhoeus::Response ]
-      def post(url, params = {})
-        process(url, params.merge(method: :post))
+      def get(url, params = {})
+        forge_request(url, params.merge(method: :get)).run
       end
 
       # @param [ String ] url
       # @param [ Hash ] params
       #
       # @return [ Typhoeus::Response ]
-      def head(url, params = {})
-        process(url, params.merge(method: :head))
+      def post(url, params = {})
+        forge_request(url, params.merge(method: :post)).run
       end
 
       # @param [ String ] url
       # @param [ Hash ] params
       #
       # @return [ Typhoeus::Response ]
-      def get_and_follow_location(url, params = {})
-        get(url, { followlocation: true, maxredirs: 3 }.merge(params))
+      def head(url, params = {})
+        forge_request(url, params.merge(method: :head)).run
       end
 
-      protected
-
       # @param [ String ] url
       # @param [ Hash ] params
       #
       # @return [ Typhoeus::Response ]
-      def process(url, params)
-        Typhoeus::Request.new(url, NS::Browser.instance.request_params(params)).run
+      def get_and_follow_location(url, params = {})
+        get(url, { followlocation: true, maxredirs: 3 }.merge(params))
       end
     end
   end