cms_scanner 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a4df8e5a102999fc7c177b6b99e3b2c31b6753a4
-  data.tar.gz: 5558b190e7bf8f1b1ea5d13354fdb4ebab2c4b2b
+  metadata.gz: 4678e465b2b4eaf41a295ca51d5c8e19036cd608
+  data.tar.gz: 4791201f53009021294db6cb8ebbf8a502fe996a
 SHA512:
-  metadata.gz: 4e28abacf6e31208804bbdc0e1f61368bcb598d3460f49940476bc8f878b7f9f9d0f2c9e579551ac15abcac69e49cf14e79848e0fe6256aa6c5f6acc91aef11b
-  data.tar.gz: 49c1f25826da617ab18d36241c63cc2b012faef1a9391fa70297ed309c46a4064f5e6deb11bddf91ff7655f885cfa99852f3e88343eaa2872f2bd13275271643
+  metadata.gz: aa604fb6779740c7a82aa02d435b8281ed80bd422cf843660803d1eb12e5544c5b96686c5234d41aad53b61cdf101d4cded4c4731595ca1db9745b16fb78d312
+  data.tar.gz: 3fae9b03e48e97719cc01404a1cef60fc418b29137dd2cedf7892923a07ad243a69a3274b50758653f3ca676ad28d85fc69028d343a82145fa19b34b6053a519

data/.gitignore

@@ -3,16 +3,5 @@
 .bundle
 .config
 coverage
-InstalledFiles
-lib/bundler/man
 pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
-
-# YARD artifacts
-.yardoc
-_yardoc
-doc/
+Gemfile.lock

data/.rubocop.yml

@@ -4,3 +4,5 @@ ClassVars:
   Enabled: false
 MethodLength:
   Max: 15
+Metrics/AbcSize:
+  Max: 20

data/.travis.yml

@@ -5,6 +5,8 @@ rvm:
   - 2.1.1
   - 2.1.2
   - 2.1.3
+  - 2.1.4
+  - 2.1.5
   - ruby-head
 matrix:
   allow_failures:

data/app/views/cli/interesting_files/findings.erb

@@ -2,15 +2,17 @@ Interesting Findings: <%= @findings.size %>
 <% @findings.each do |finding| -%>
 
 [+] <%= finding.url %>
+<% if finding.confidence > 0 -%>
  | Confidence: <%= finding.confidence %>%
+<% end -%>
  | Found By: <%= finding.found_by %>
 <% unless (confirmed = finding.confirmed_by).empty? -%>
 <% if confirmed.size == 1 -%>
- | Confirmed By: <%= confirmed.first.found_by %>, <%= confirmed.first.confidence %>% confidence
+ | Confirmed By: <%= confirmed.first.found_by %><% if confirmed.first.confidence > 0 %>, <%= confirmed.first.confidence %>% confidence<% end %>
 <% else -%>
  | Confirmed By:
 <% confirmed.each do |c| -%>
- |  - <%= c.found_by %>, <%= c.confidence %>% confidence
+ |  - <%= c.found_by %><% if c.confidence > 0 %>, <%= c.confidence %>% confidence<% end %>
 <% end -%>
 <% end -%>
 <% end -%>

data/app/views/json/core/finished.erb

@@ -1,3 +1,3 @@
 "stop_time": <%= @stop_time.to_i %>,
-"elapsed": <%= @elapsed %>,
-"used_memory": <%= @used_memory %>,
+"elapsed": <%= @elapsed.to_i %>,
+"used_memory": <%= @used_memory.to_i %>,

data/app/views/json/core/started.erb

@@ -1,3 +1,3 @@
 "start_time": <%= @start_time.to_i %>,
-"start_memory": <%= @start_memory %>,
-"target_url": "<%= @url %>",
+"start_memory": <%= @start_memory.to_i %>,
+"target_url": <%= @url.to_s.to_json %>,

data/app/views/json/interesting_files/findings.erb

@@ -1 +1,25 @@
-"todo": "Not yet done",
+"interesting_files": [
+<% unless @findings.empty? -%>
+  {
+  <% last_index = @findings.size - 1 %>
+  <% @findings.each.with_index do |finding, index| -%>
+    <%= finding.url.to_s.to_json %>: {
+      "found_by": <%= finding.found_by.to_s.to_json %>,
+      "confidence": <%= finding.confidence.to_json %>,
+      "confirmed_by": [
+      <% unless (confirmed = finding.confirmed_by).empty? -%>
+      <% c_last_index = confirmed.size - 1 %>
+        {
+        <% confirmed.each.with_index do |c, i| -%>
+          <%= c.found_by.to_s.to_json %>: { "confidence": <%= c.confidence.to_json %> }<% unless i == c_last_index %>,<% end %>
+        <% end -%>
+        }
+      <% end -%>
+      ],
+      "references": <%= finding.references.to_json %>,
+      "interesting_entries": <%= finding.interesting_entries.to_json %>
+    }<% unless index == last_index %>,<% end %>
+  <% end -%>
+  }
+<% end -%>
+],

data/cms_scanner.gemspec

@@ -31,7 +31,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec', '~> 3.1'
   s.add_development_dependency 'rspec-its'
   s.add_development_dependency 'bundler', '~> 1.6'
-  s.add_development_dependency 'rubocop', '~> 0.26'
+  s.add_development_dependency 'rubocop', '~> 0.27'
   s.add_development_dependency 'webmock', '>= 1.18'
   s.add_development_dependency 'simplecov', '~> 0.9'
 end

data/lib/cms_scanner/finders/finding.rb

@@ -22,6 +22,11 @@ module CMSScanner
         @interesting_entries ||= []
       end
 
+      # @return [ Integer ]
+      def confidence
+        @confidence ||= 0
+      end
+
       # @param [ Hash ] opts
       # TODO: Maybe use instance_variable_set ?
       def parse_finding_options(opts = {})

data/lib/cms_scanner/finders/findings.rb

@@ -8,7 +8,12 @@ module CMSScanner
           next unless found == other
 
           found.confirmed_by << other
-          # TODO: Increase confidence (e.g: (found + other) / 1.5 ?)
+
+          confidence = (found.confidence + other.confidence) / 1.5
+          confidence = 100 if confidence > 100 || other.confidence == 100
+
+          found.confidence = confidence.floor unless found.confidence == 100
+
           return self
         end
 

data/lib/cms_scanner/finders/independent_finders.rb

@@ -17,11 +17,7 @@ module CMSScanner
       def run(opts = {})
         each do |finder|
           symbols_from_mode(opts[:mode]).each do |symbol|
-            r = finder.send(symbol, opts)
-
-            next unless r
-
-            findings + [*r]
+            findings + [*finder.send(symbol, opts)]
           end
         end
 

data/lib/cms_scanner/version.rb

@@ -1,4 +1,4 @@
 # Version
 module CMSScanner
-  VERSION = '0.0.5'
+  VERSION = '0.0.6'
 end

data/spec/app/views_spec.rb

@@ -22,11 +22,12 @@ describe 'App::Views' do
       end
 
       after do
-        view_filename  = "#{view}.#{formatter.to_s.underscore.downcase}"
-        controller_dir = controller.class.to_s.demodulize.underscore.downcase
-        output         = File.read(File.join(fixtures, controller_dir, view_filename))
+        view_filename   = defined?(expected_view) ? expected_view : view
+        view_filename   = "#{view_filename}.#{formatter.to_s.underscore.downcase}"
+        controller_dir  = controller.class.to_s.demodulize.underscore.downcase
+        expected_output = File.read(File.join(fixtures, controller_dir, view_filename))
 
-        expect($stdout).to receive(:puts).with(output)
+        expect($stdout).to receive(:puts).with(expected_output)
 
         controller.output(view, @tpl_vars)
         controller.formatter.beautify # Mandatory to be able to test formatter such as JSON

data/spec/lib/cms_scanner_spec.rb

@@ -22,8 +22,8 @@ describe CMSScanner::Scan do
 
   describe '#run' do
     it 'runs the controlllers and calls the formatter#beautify' do
-      expect(scanner.controllers).to receive(:run)
-      expect(scanner.formatter).to receive(:beautify)
+      expect(scanner.controllers).to receive(:run).ordered
+      expect(scanner.formatter).to receive(:beautify).ordered
       scanner.run
     end
 

data/spec/lib/controllers_spec.rb

@@ -37,14 +37,12 @@ describe CMSScanner::Controllers do
       spec = controller_mod::Spec.new
       base = controller_mod::Base.new
 
-      controllers << spec << base
-
-      # TODO: Any way to test the orders ? (after_scan should reverse the order)
-      [base, spec].each do |c|
-        expect(c).to receive(:before_scan)
-        expect(c).to receive(:run)
-        expect(c).to receive(:after_scan)
-      end
+      controllers << base << spec
+
+      [base, spec].each { |c| expect(c).to receive(:before_scan).ordered }
+      [base, spec].each { |c| expect(c).to receive(:run).ordered }
+      [spec, base].each { |c| expect(c).to receive(:after_scan).ordered }
+
       controllers.run
     end
   end

data/spec/lib/finders/independent_finders_spec.rb

@@ -17,48 +17,84 @@ describe CMSScanner::Finders::IndependentFinders do
     end
 
     before do
-      finders << CMSScanner::Finders::DummyFinder.new(target) <<
-                 CMSScanner::Finders::NoAggressiveResult.new(target)
+      finders <<
+        CMSScanner::Finders::DummyFinder.new(target) <<
+        CMSScanner::Finders::NoAggressiveResult.new(target)
+    end
 
-      @found = finders.run(mode: mode)
+    describe 'method call orders' do
+      after { finders.run(mode: mode) }
 
-      expect(@found).to be_a(CMSScanner::Finders::Findings)
+      [:passive, :aggressive].each do |current_mode|
+        context "when #{current_mode} mode" do
+          let(:mode) { current_mode }
 
-      @found.each { |f| expect(f).to be_a finding }
-    end
+          it "calls the #{current_mode} method on each finder" do
+            finders.each { |f| expect(f).to receive(current_mode).ordered }
+          end
+        end
+      end
 
-    context 'when :passive mode' do
-      let(:mode) { :passive }
+      context 'when :mixed mode' do
+        let(:mode) { :mixed }
 
-      it 'returns 2 results' do
-        expect(@found.size).to eq 2
-        expect(@found.first).to eql expected_passive.first
-        expect(@found.last).to eql expected_passive.last
+        it 'calls :passive then :aggressive on each finder' do
+          finders.each do |finder|
+            [:passive, :aggressive].each do |method|
+              expect(finder).to receive(method).ordered
+            end
+          end
+        end
       end
     end
 
-    context 'when :aggressive mode' do
-      let(:mode) { :aggressive }
+    describe 'returned results' do
+      before do
+        @found = finders.run(mode: mode)
 
-      it 'returns 1 result' do
-        expect(@found.size).to eq 1
-        expect(@found.first).to eql expected_aggressive
+        expect(@found).to be_a(CMSScanner::Finders::Findings)
+
+        @found.each { |f| expect(f).to be_a finding }
       end
-    end
 
-    context 'when :mixed mode' do
-      let(:mode) { :mixed }
+      context 'when :passive mode' do
+        let(:mode) { :passive }
 
-      it 'returns 2 results' do
-        expect(@found.size).to eq 2
-        expect(@found.first).to eql expected_passive.first
-        expect(@found.first.confirmed_by).to eql [expected_aggressive]
-        expect(@found.last).to eql expected_passive.last
+        it 'returns 2 results' do
+          expect(@found.size).to eq 2
+          expect(@found.first).to eql expected_passive.first
+          expect(@found.last).to eql expected_passive.last
+        end
       end
-    end
 
-    context 'when multiple results returned' do
+      context 'when :aggressive mode' do
+        let(:mode) { :aggressive }
 
+        it 'returns 1 result' do
+          expect(@found.size).to eq 1
+          expect(@found.first).to eql expected_aggressive
+        end
+      end
+
+      context 'when :mixed mode' do
+        let(:mode) { :mixed }
+
+        it 'returns 2 results' do
+          # As the first passive is confirmed by the expected_aggressive, the confidence
+          # increases and should be 100% due to the expected_aggressive.confidence
+          first_passive = expected_passive.first.dup
+          first_passive.confidence = 100
+
+          expect(@found.size).to eq 2
+          expect(@found.first).to eql first_passive
+          expect(@found.first.confirmed_by).to eql [expected_aggressive]
+          expect(@found.last).to eql expected_passive.last
+        end
+      end
+
+      context 'when multiple results returned' do
+        xit
+      end
     end
   end
 

data/spec/output/core/finished.cli_no_colour

@@ -1,4 +1,4 @@
 
-[+] Finished: Thu Oct 30 13:02:03 2014
+[+] Finished: Thu Oct 30 12:02:03 2014
 [+] Memory used: 100 B
-[+] Elapsed time: 00:00:03
+[+] Elapsed time: 00:00:02

data/spec/output/core/finished.json

@@ -1,5 +1,5 @@
 {
   "stop_time": 1414670523,
-  "elapsed": 3,
+  "elapsed": 2,
   "used_memory": 100
 }

data/spec/output/core/started.cli_no_colour

@@ -1,3 +1,3 @@
 [+] URL: http://ex.lo/
-[+] Started: Thu Oct 30 13:02:01 2014
+[+] Started: Thu Oct 30 12:02:01 2014
 

data/spec/output/interesting_files/empty.cli_no_colour

@@ -0,0 +1 @@
+Interesting Findings: 0

data/spec/output/interesting_files/empty.json

@@ -0,0 +1,5 @@
+{
+  "interesting_files": [
+
+  ]
+}

data/spec/output/interesting_files/findings.cli_no_colour

@@ -1,21 +1,21 @@
-Interesting Findings: 3
+Interesting Findings: 4
 
 [+] F1
  | Confidence: 10%
  | Found By: Spec
 
 [+] F2
- | Confidence: 10%
+ | Confidence: 13%
  | Found By: Spec
  | Confirmed By: Spec2, 10% confidence
  | Reference: R1
  | Interesting Entry: IE1
 
 [+] F3
- | Confidence: 10%
+ | Confidence: 100%
  | Found By: Spec
  | Confirmed By:
- |  - Spec2, 10% confidence
+ |  - Spec2, 100% confidence
  |  - Spec3, 10% confidence
  | References:
  |  - R1
@@ -23,3 +23,7 @@ Interesting Findings: 3
  | Interesting Entries:
  |  - IE1
  |  - IE2
+
+[+] F4
+ | Found By: Spec
+ | Confirmed By: Spec2

data/spec/output/interesting_files/findings.json

@@ -1,3 +1,75 @@
 {
-  "todo": "Not yet done"
+  "interesting_files": [
+    {
+      "F1": {
+        "found_by": "Spec",
+        "confidence": 10,
+        "confirmed_by": [
+
+        ],
+        "references": [
+
+        ],
+        "interesting_entries": [
+
+        ]
+      },
+      "F2": {
+        "found_by": "Spec",
+        "confidence": 13,
+        "confirmed_by": [
+          {
+            "Spec2": {
+              "confidence": 10
+            }
+          }
+        ],
+        "references": [
+          "R1"
+        ],
+        "interesting_entries": [
+          "IE1"
+        ]
+      },
+      "F3": {
+        "found_by": "Spec",
+        "confidence": 100,
+        "confirmed_by": [
+          {
+            "Spec2": {
+              "confidence": 100
+            },
+            "Spec3": {
+              "confidence": 10
+            }
+          }
+        ],
+        "references": [
+          "R1",
+          "R2"
+        ],
+        "interesting_entries": [
+          "IE1",
+          "IE2"
+        ]
+      },
+      "F4": {
+        "found_by": "Spec",
+        "confidence": 0,
+        "confirmed_by": [
+          {
+            "Spec2": {
+              "confidence": 0
+            }
+          }
+        ],
+        "references": [
+
+        ],
+        "interesting_entries": [
+
+        ]
+      }
+    }
+  ]
 }

data/spec/shared_examples/finding.rb

@@ -13,6 +13,16 @@ shared_examples CMSScanner::Finders::Finding do
     end
   end
 
+  describe '#confidence' do
+    its(:confidence) { should eql 0 }
+
+    context 'when already set' do
+      before { subject.confidence = 10 }
+
+      its(:confidence) { should eql 10 }
+    end
+  end
+
   describe '#parse_finding_options' do
     xit
   end

data/spec/shared_examples/target/platform/php.rb

@@ -33,8 +33,7 @@ shared_examples CMSScanner::Target::Platform::PHP do
     context 'when the body matches a FPD' do
       {
         'wp_rss_functions.php' => %w(/short-path/rss-f.php)
-      }
-      .each do |file, expected|
+      }.each do |file, expected|
         context "when #{file} body" do
           let(:body) { File.read(File.join(fixtures, 'fpd', file)) }
 

data/spec/shared_examples/target/platform/wordpress/custom_directories.rb

@@ -5,8 +5,7 @@ shared_examples 'WordPress::CustomDirectories' do
   describe '#content_dir' do
     {
       default: 'wp-content', https: 'wp-content', custom_w_spaces: 'custom content spaces'
-    }
-    .each do |file, expected|
+    }.each do |file, expected|
       it "returns #{expected} for #{file}.html" do
         fixture = File.join(fixtures, "#{file}.html")
 

data/spec/shared_examples/views/core.rb

@@ -2,7 +2,8 @@
 shared_examples 'App::Views::Core' do
 
   let(:controller) { CMSScanner::Controller::Core.new }
-  let(:tpl_vars)   { { url: target_url, start_time: Time.parse('2014-10-30 13:02:01 +0100') } }
+  let(:start)      { Time.at(1_414_670_521).in_time_zone('Europe/London') }
+  let(:tpl_vars)   { { url: target_url, start_time: start } }
 
   describe 'started' do
     let(:view) { 'started' }
@@ -17,9 +18,9 @@ shared_examples 'App::Views::Core' do
 
     it 'outputs the expected string' do
       @tpl_vars = tpl_vars.merge(
-        stop_time: Time.parse('2014-10-30 13:02:03 +0100'),
+        stop_time: Time.at(1_414_670_523).in_time_zone('Europe/London'),
         used_memory: 100,
-        elapsed: 3
+        elapsed: 2
       )
     end
   end

data/spec/shared_examples/views/interesting_files.rb

@@ -9,15 +9,27 @@ shared_examples 'App::Views::InterestingFiles' do
     let(:view) { 'findings' }
     let(:opts) { { confidence: 10, found_by: 'Spec' } }
 
+    context 'when empty results' do
+      let(:expected_view) { 'empty' }
+
+      it 'outputs the expected string' do
+        @tpl_vars = tpl_vars.merge(findings: [])
+      end
+    end
+
     it 'outputs the expected string' do
-      findings = CMSScanner::Finders::Findings.new <<
+      findings = CMSScanner::Finders::Findings.new
+
+      findings <<
         interesting_file.new('F1', opts) <<
         interesting_file.new('F2', opts.merge(references: %w(R1), interesting_entries: %w(IE1))) <<
         interesting_file.new('F2', opts.merge(found_by: 'Spec2')) <<
         interesting_file.new('F3',
                              opts.merge(references: %w(R1 R2), interesting_entries: %w(IE1 IE2))) <<
-        interesting_file.new('F3', opts.merge(found_by: 'Spec2')) <<
-        interesting_file.new('F3', opts.merge(found_by: 'Spec3'))
+        interesting_file.new('F3', opts.merge(found_by: 'Spec2', confidence: 100)) <<
+        interesting_file.new('F3', opts.merge(found_by: 'Spec3')) <<
+        interesting_file.new('F4', opts.merge(confidence: 0)) <<
+        interesting_file.new('F4', opts.merge(confidence: 0, found_by: 'Spec2'))
 
       @tpl_vars = tpl_vars.merge(findings: findings)
     end

data/spec/spec_helper.rb

@@ -3,6 +3,7 @@ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 require 'simplecov'
 require 'rspec/its'
 require 'webmock/rspec'
+require 'active_support/time'
 
 if ENV['TRAVIS']
   require 'coveralls'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cms_scanner
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - WPScanTeam - Erwan le Rousseau
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-31 00:00:00.000000000 Z
+date: 2014-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: opt_parse_validator
@@ -142,14 +142,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.26'
+        version: '0.27'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.26'
+        version: '0.27'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -324,6 +324,8 @@ files:
 - spec/output/core/finished.json
 - spec/output/core/started.cli_no_colour
 - spec/output/core/started.json
+- spec/output/interesting_files/empty.cli_no_colour
+- spec/output/interesting_files/empty.json
 - spec/output/interesting_files/findings.cli_no_colour
 - spec/output/interesting_files/findings.json
 - spec/shared_examples.rb
@@ -433,6 +435,8 @@ test_files:
 - spec/output/core/finished.json
 - spec/output/core/started.cli_no_colour
 - spec/output/core/started.json
+- spec/output/interesting_files/empty.cli_no_colour
+- spec/output/interesting_files/empty.json
 - spec/output/interesting_files/findings.cli_no_colour
 - spec/output/interesting_files/findings.json
 - spec/shared_examples.rb