cms_scanner 0.0.37.12 → 0.0.38.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 92c1a1bc745065a29c4770a7ff9143749f5373ea
-  data.tar.gz: 3ee76b460d6cd72f72aa03eb0beb095e367aa663
+  metadata.gz: a268201443a7ffead0d0a0d4070cd8ae295081bd
+  data.tar.gz: f6b9f3e7e3779b6f05759d556d2c1da282db2ddd
 SHA512:
-  metadata.gz: 756dd179151bbf8a904b1a8ee2a206e39b9a76cbe8891a3cabc80b71670cb87550385709246bb5c67f82309cb9f675c03ee622cc2116fccf038442820aac5ab9
-  data.tar.gz: 45eacba22c283773bf2cb8eb8e7dcc0694fa263a54d5932b6e6d2bf2a3adc0437de2d7db2566b9aab9903ccdc7c8a6836542a267d400b637000c5ce1b25a58f6
+  metadata.gz: 927269d831ec38b8615c92a0c29fafb3c2eb27e827140368d01d2e522a3440c3751df0cefac16e063e5d039ea6decfbdac23be0abb19ac0409cc311ed143e5b3
+  data.tar.gz: 313fa9f6958d7838f88744d7cb29db154be90f408cfccbbc960a2b202490a71145da0ec404272bff1944c44b0874bb0ec36066cda0d9d8ad6d2f835e64e6df3b

data/app/controllers/core.rb

@@ -29,13 +29,13 @@ module CMSScanner
 
         case res.code
         when 0
-          fail TargetDownError, res
+          raise TargetDownError, res
         when 401
-          fail HTTPAuthRequiredError
+          raise HTTPAuthRequiredError
         when 403
-          fail AccessForbiddenError
+          raise AccessForbiddenError
         when 407
-          fail ProxyAuthRequiredError
+          raise ProxyAuthRequiredError
         end
 
         # Checks for redirects
@@ -44,7 +44,7 @@ module CMSScanner
 
         return if target.in_scope?(effective_url)
 
-        fail HTTPRedirectError, effective_url unless parsed_options[:ignore_main_redirect]
+        raise HTTPRedirectError, effective_url unless parsed_options[:ignore_main_redirect]
 
         target.homepage_res = res
       end

data/app/finders/interesting_findings/fantastico_fileslist.rb

@@ -12,7 +12,7 @@ module CMSScanner
         def aggressive(_opts = {})
           res = NS::Browser.get(url)
 
-          return unless res && res.code == 200 && !res.body.empty?
+          return unless res&.code == 200 && !res.body.empty?
           return unless res.headers && res.headers['Content-Type'] =~ %r{\Atext/plain}
 
           NS::FantasticoFileslist.new(url, confidence: 70, found_by: found_by)

data/app/finders/interesting_findings/robots_txt.rb

@@ -12,7 +12,7 @@ module CMSScanner
         def aggressive(_opts = {})
           res = NS::Browser.get(url)
 
-          return unless res && res.code == 200 && res.body =~ /(?:user-agent|(?:dis)?allow):/i
+          return unless res&.code == 200 && res.body =~ /(?:user-agent|(?:dis)?allow):/i
 
           NS::RobotsTxt.new(url, confidence: 100, found_by: found_by)
         end

data/app/finders/interesting_findings/search_replace_db_2.rb

@@ -12,7 +12,7 @@ module CMSScanner
         def aggressive(_opts = {})
           res = NS::Browser.get(url)
 
-          return unless res && res.code == 200 && res.body =~ /by interconnect/i
+          return unless res&.code == 200 && res.body =~ /by interconnect/i
 
           NS::InterestingFinding.new(url, confidence: 100,
                                           found_by: found_by,

data/app/finders/interesting_findings/xml_rpc.rb

@@ -46,7 +46,7 @@ module CMSScanner
 
             res = NS::Browser.get(potential_url)
 
-            next unless res && res.body =~ /XML-RPC server accepts POST requests only/i
+            next unless res&.body =~ /XML-RPC server accepts POST requests only/i
 
             return NS::XMLRPC.new(potential_url,
                                   confidence: 100,

data/app/models/headers.rb

@@ -4,7 +4,7 @@ module CMSScanner
     # @return [ Hash ] The headers
     def entries
       res = NS::Browser.get(url)
-      return [] unless res && res.headers
+      return [] unless res&.headers
       res.headers
     end
 

data/app/models/interesting_finding.rb

@@ -21,7 +21,7 @@ module CMSScanner
     def entries
       res = NS::Browser.get(url)
 
-      return [] unless res && res.headers['Content-Type'] =~ %r{\Atext/plain;}i
+      return [] unless res && res.headers['Content-Type'] =~ %r{\Atext/plain;}i # rubocop:disable Style/SafeNavigation
 
       res.body.split("\n").reject { |s| s.strip.empty? }
     end

data/app/models/version.rb

@@ -34,7 +34,7 @@ module CMSScanner
       other = self.class.new(other) unless other.is_a?(self.class) # handle potential '.1' version
 
       Gem::Version.new(number) <=> Gem::Version.new(other.number)
-    rescue
+    rescue ArgumentError
       false
     end
 

data/cms_scanner.gemspec

@@ -1,4 +1,3 @@
-# coding: utf-8
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
@@ -8,7 +7,7 @@ Gem::Specification.new do |s|
   s.name                  = 'cms_scanner'
   s.version               = CMSScanner::VERSION
   s.platform              = Gem::Platform::RUBY
-  s.required_ruby_version = '>= 2.2.2'
+  s.required_ruby_version = '>= 2.3'
   s.authors               = ['WPScanTeam']
   s.email                 = ['team@wpscan.org']
   s.summary               = 'CMS Scanner Framework (experimental)'
@@ -32,24 +31,24 @@ Gem::Specification.new do |s|
   s.executables           = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
   s.require_path          = 'lib'
 
-  s.add_dependency 'typhoeus', '~> 1.3.0'
   s.add_dependency 'nokogiri', '~> 1.8.0'
-  s.add_dependency 'yajl-ruby', '~> 1.3.0' # Better JSON parser regarding memory usage
+  s.add_dependency 'opt_parse_validator', '~> 0.0.14.0'
   s.add_dependency 'public_suffix', '~> 3.0.0'
   s.add_dependency 'ruby-progressbar', '~> 1.9.0'
-  s.add_dependency 'opt_parse_validator', '~> 0.0.13.11'
+  s.add_dependency 'typhoeus', '~> 1.3.0'
+  s.add_dependency 'yajl-ruby', '~> 1.3.0' # Better JSON parser regarding memory usage
 
   # Already required by opt_parse_validator
   # so version restriction loosen to avoid potential future conflicts
-  s.add_dependency 'addressable', '~> 2.5'
   s.add_dependency 'activesupport', '~> 5.0'
+  s.add_dependency 'addressable', '~> 2.5'
 
+  s.add_development_dependency 'bundler', '~> 1.6'
+  s.add_development_dependency 'coveralls', '~> 0.8.0'
   s.add_development_dependency 'rake', '~> 12.0'
   s.add_development_dependency 'rspec', '~> 3.7.0'
   s.add_development_dependency 'rspec-its', '~> 1.2.0'
-  s.add_development_dependency 'bundler', '~> 1.6'
-  s.add_development_dependency 'rubocop', '~> 0.50.0'
-  s.add_development_dependency 'webmock', '~> 1.22.0'
+  s.add_development_dependency 'rubocop', '~> 0.51.0'
   s.add_development_dependency 'simplecov', '~> 0.14.0' # Can't update to 0.15 as it breaks coveralls dep
-  s.add_development_dependency 'coveralls', '~> 0.8.0'
+  s.add_development_dependency 'webmock', '~> 3.1.0'
 end

data/lib/cms_scanner.rb

@@ -103,11 +103,11 @@ module CMSScanner
       @run_error = e
 
       formatter.output('@usage', msg: e.message)
-    rescue Interrupt, StandardError => e
+    rescue StandardError, SignalException => e
       @run_error = e
 
       formatter.output('@scan_aborted',
-                       reason: e.message,
+                       reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
                        trace: e.backtrace,
                        verbose: controllers.first.parsed_options[:verbose])
     ensure

data/lib/cms_scanner/browser/options.rb

@@ -44,7 +44,7 @@ module CMSScanner
     #
     # @param [ Integer ] number
     def max_threads=(number)
-      @max_threads = number.to_i > 0 && throttle.zero? ? number.to_i : 1
+      @max_threads = number.to_i.positive? && throttle.zero? ? number.to_i : 1
 
       hydra.max_concurrency = @max_threads
     end
@@ -79,11 +79,11 @@ module CMSScanner
     def throttle=(value)
       @throttle = value.to_i.abs / 1000.0
 
-      self.max_threads = 1 if @throttle > 0
+      self.max_threads = 1 if @throttle.positive?
     end
 
     def trottle!
-      sleep(throttle) if throttle > 0
+      sleep(throttle) if throttle.positive?
     end
   end
 end

data/lib/cms_scanner/cache/file_store.rb

@@ -34,7 +34,7 @@ module CMSScanner
         return if expired_entry?(key)
 
         serializer.load(File.read(file_path))
-      rescue
+      rescue StandardError
         nil
       end
 
@@ -42,7 +42,7 @@ module CMSScanner
       # @param [ Mixed ] data_to_store
       # @param [ Integer ] cache_ttl
       def write_entry(key, data_to_store, cache_ttl)
-        return unless cache_ttl.to_i > 0
+        return unless cache_ttl.to_i.positive?
 
         File.write(entry_path(key), serializer.dump(data_to_store))
         File.write(entry_expiration_path(key), Time.now.to_i + cache_ttl)
@@ -68,7 +68,9 @@ module CMSScanner
       #
       # @return [ Boolean ]
       def expired_entry?(key)
-        File.read(entry_expiration_path(key)).to_i <= Time.now.to_i rescue true
+        File.read(entry_expiration_path(key)).to_i <= Time.now.to_i
+      rescue StandardError
+        true
       end
     end
   end

data/lib/cms_scanner/finders/finder.rb

@@ -47,13 +47,15 @@ module CMSScanner
         @hydra ||= browser.hydra
       end
 
-      def found_by
+      # @param [ String, Symbol ] klass
+      # @return [ String ]
+      def found_by(klass = self)
         caller_locations.each do |call|
           label = call.label
 
           next unless %w[aggressive passive].include? label
 
-          return "#{titleize} (#{label.capitalize} Detection)"
+          return "#{klass.titleize} (#{label.capitalize} Detection)"
         end
         nil
       end

data/lib/cms_scanner/finders/finder/smart_url_checker.rb

@@ -10,7 +10,7 @@ module CMSScanner
         #
         # @return []
         def process_urls(_urls, _opts = {})
-          fail NotImplementedError
+          raise NotImplementedError
         end
 
         # @param [ Hash ] opts
@@ -29,7 +29,7 @@ module CMSScanner
 
         # @return [ String ]
         def passive_urls_xpath
-          fail NotImplementedError
+          raise NotImplementedError
         end
 
         # @param [ Hash ] opts
@@ -47,7 +47,7 @@ module CMSScanner
         #
         # @return [ Array<String> ]
         def aggressive_urls(_opts = {})
-          fail NotImplementedError
+          raise NotImplementedError
         end
       end
     end

data/lib/cms_scanner/finders/finding.rb

@@ -38,6 +38,7 @@ module CMSScanner
         FINDING_OPTS.each { |opt| send("#{opt}=", opts[opt]) if opts.key?(opt) }
       end
 
+      # TODO: maybe also check for interesting_entries and confirmed_by ?
       def eql?(other)
         self == other && confidence == other.confidence && found_by == other.found_by
       end

data/lib/cms_scanner/formatter.rb

@@ -109,11 +109,11 @@ module CMSScanner
         if tpl[0, 1] == '@' # Global Template
           tpl = tpl.delete('@')
         else
-          fail 'The controller_name can not be nil' unless controller_name
+          raise 'The controller_name can not be nil' unless controller_name
           tpl = "#{controller_name}/#{tpl}"
         end
 
-        fail "Wrong tpl format: '#{tpl}'" unless tpl =~ %r{\A[\w/_]+\z}
+        raise "Wrong tpl format: '#{tpl}'" unless tpl =~ %r{\A[\w/_]+\z}
 
         views_directories.reverse_each do |dir|
           formats.each do |format|
@@ -123,7 +123,7 @@ module CMSScanner
           end
         end
 
-        fail "View not found for #{format}/#{tpl}"
+        raise "View not found for #{format}/#{tpl}"
       end
 
       # @return [ Array<String> ] The directories to look into for views

data/lib/cms_scanner/target.rb

@@ -35,16 +35,17 @@ module CMSScanner
       false
     end
 
+    # @param [ String ] xpath
     # @param [ Regexp ] pattern
     # @param [ Typhoeus::Response, String ] page
     #
-    # @return [ Array<Array<MatchData, Nokogiri::XML::Comment>> ]
-    # @yield [ MatchData, Nokogiri::XML::Comment ]
-    def comments_from_page(pattern, page = nil)
+    # @return [ Array<Array<MatchData, Nokogiri::XML::Element>> ]
+    # @yield  [ MatchData, Nokogiri::XML::Element ]
+    def xpath_pattern_from_page(xpath, pattern, page = nil)
       page    = NS::Browser.get(url(page)) unless page.is_a?(Typhoeus::Response)
       matches = []
 
-      page.html.xpath('//comment()').each do |node|
+      page.html.xpath(xpath).each do |node|
         next unless node.text.strip =~ pattern
 
         yield Regexp.last_match, node if block_given?
@@ -55,6 +56,28 @@ module CMSScanner
       matches
     end
 
+    # @param [ Regexp ] pattern
+    # @param [ Typhoeus::Response, String ] page
+    #
+    # @return [ Array<Array<MatchData, Nokogiri::XML::Comment>> ]
+    # @yield  [ MatchData, Nokogiri::XML::Comment ]
+    def comments_from_page(pattern, page = nil)
+      xpath_pattern_from_page('//comment()', pattern, page) do |match, node|
+        yield match, node if block_given?
+      end
+    end
+
+    # @param [ Regexp ] pattern
+    # @param [ Typhoeus::Response, String ] page
+    #
+    # @return [ Array<Array<MatchData, Nokogiri::XML::Element>> ]
+    # @yield  [ MatchData, Nokogiri::XML::Element ]
+    def javascripts_from_page(pattern, page = nil)
+      xpath_pattern_from_page('//script', pattern, page) do |match, node|
+        yield match, node if block_given?
+      end
+    end
+
     # @param [ Typhoeus::Response, String ] page
     # @param [ String ] xpath
     # @param [ Array<String> ] attributes
@@ -72,7 +95,13 @@ module CMSScanner
 
           next unless attr_value && !attr_value.empty?
 
-          tag_uri        = uri.join(attr_value.strip) rescue next
+          tag_uri = begin
+                      uri.join(attr_value.strip)
+                    rescue StandardError
+                      # Skip potential malformed URLs etc.
+                      next
+                    end
+
           tag_uri_string = tag_uri.to_s
 
           next unless tag_uri.host

data/lib/cms_scanner/target/scope.rb

@@ -11,7 +11,7 @@ module CMSScanner
     # @return [ Boolean ] true if the url given is in scope
     def in_scope?(url)
       scope.include?(Addressable::URI.parse(url.strip).host)
-    rescue
+    rescue StandardError
       false
     end
 

data/lib/cms_scanner/version.rb

@@ -1,4 +1,4 @@
 # Version
 module CMSScanner
-  VERSION = '0.0.37.12'.freeze
+  VERSION = '0.0.38.0'.freeze
 end

metadata

@@ -1,29 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: cms_scanner
 version: !ruby/object:Gem::Version
-  version: 0.0.37.12
+  version: 0.0.38.0
 platform: ruby
 authors:
 - WPScanTeam
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-28 00:00:00.000000000 Z
+date: 2017-11-07 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: typhoeus
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.3.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +25,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.8.0
 - !ruby/object:Gem::Dependency
-  name: yajl-ruby
+  name: opt_parse_validator
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 0.0.14.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 0.0.14.0
 - !ruby/object:Gem::Dependency
   name: public_suffix
   requirement: !ruby/object:Gem::Requirement
@@ -81,33 +67,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.9.0
 - !ruby/object:Gem::Dependency
-  name: opt_parse_validator
+  name: typhoeus
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.13.11
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.13.11
+        version: 1.3.0
 - !ruby/object:Gem::Dependency
-  name: addressable
+  name: yajl-ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.5'
+        version: 1.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.5'
+        version: 1.3.0
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -123,89 +109,103 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '2.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '1.6'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
-  name: rspec-its
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: '12.0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: 3.7.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: 3.7.0
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.50.0
+        version: 1.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.50.0
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
-  name: webmock
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.0
+        version: 0.51.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.0
+        version: 0.51.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -221,19 +221,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 0.14.0
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 3.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 3.1.0
 description: Framework to provide an easy way to implement CMS Scanners
 email:
 - team@wpscan.org
@@ -358,7 +358,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.2
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="