pluginscan 0.9.0

data/spec/pluginscan/issues_scanner/variable_safety_checker_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+
+RSpec.describe Pluginscan::VariableSafetyChecker do
+  describe ".all_safe" do
+    it "returns true when two superglobals are both safe" do
+      variable = "$_POST"
+      content  = "if ( isset( $_POST['action'] ) && $_POST['action'] == 'enter-key' ) \{"
+      expect(described_class.new.all_safe?(variable, content)).to eq true
+    end
+
+    it "returns false when, of two superglobals only one is safe" do
+      variable = "$_POST"
+      content  = "$submitted = isset( $_POST[$tagname] ) ? $_POST[$tagname] : '';"
+      expect(described_class.new.all_safe?(variable, content)).to eq false
+    end
+  end
+
+  describe ".match_count" do
+    it "returns 1 when there is 1 occurrence" do
+      expect(described_class.new.match_count("$_POST", "$contact_form->set_title( $_POST['wpcf7-title'] );")).to eq 1
+    end
+    it "returns 2 when there are 2 occurrences" do
+      expect(described_class.new.match_count("$_POST", "$submitted = isset( $_POST[$tagname] ) ? $_POST[$tagname] : '';")).to eq 2
+    end
+  end
+
+  describe ".wrapped_in_function_count - isset" do
+    def count(content)
+      described_class.new.wrapped_in_function_count('isset', variable, content)
+    end
+
+    context "when a single superglobal is wrapped in an 'isset'" do
+      let(:variable) { "$_GET" }
+      specify { expect(count("if ( isset( $_GET['action'] ) )")).to eq 1 }
+      specify { expect(count("if ( isset ( $_GET['action'] ) )")).to eq 1 }
+      specify { expect(count("if ( isset($_GET['action']))")).to eq 1 }
+    end
+
+    context 'when one superglobal is wrapped in isset and another is not' do
+      let(:variable) { "$_POST" }
+      specify { expect(count("$submitted = isset( $_POST[$tagname] ) ? $_POST[$tagname] : '';")).to eq 1 }
+    end
+  end
+
+  describe ".wrapped_in_function_count - 'empty'" do
+    def count(content)
+      described_class.new.wrapped_in_function_count('empty', "$_POST", content)
+    end
+
+    context "when a single superglobal is wrapped in an 'empty'" do
+      specify { expect(count("if ( ! empty( $_POST['post_ID'] ))")).to eq 1 }
+      specify { expect(count("if ( ! empty ( $_POST['post_ID'] ) )")).to eq 1 }
+      specify { expect(count("if ( ! empty($_POST['post_ID']))")).to eq 1 }
+    end
+
+    context "when two superglobals are wrapped in an 'empty'" do
+      specify { expect(count("if ( !empty( $_POST['id'] ) && !empty( $_POST['url'] ) && check_admin_referer( 'comment_author_url_nonce' ) ) \{")).to eq 2 }
+    end
+  end
+
+  describe ".used_in_infix_check_count - ==" do
+    def count(content)
+      described_class.new.used_in_infix_check_count('==', variable, content)
+    end
+
+    context "when a single superglobal is used in an equality check" do
+      let(:variable) { "$_SERVER" }
+      specify { expect(count("if ( 'POST'== $_SERVER['REQUEST_METHOD'] ) \{")).to eq 1 }
+      specify { expect(count("if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) \{")).to eq 1 }
+      specify { expect(count("if ( 'POST' ==$_SERVER[ 'REQUEST_METHOD'] ) \{")).to eq 1 }
+      specify { expect(count("if ( 'POST'==$_SERVER['REQUEST_METHOD'] ) \{")).to eq 1 }
+      specify { expect(count("return $_SERVER[ 'HTTP_X_REQUESTED_WITH' ] == 'XMLHttpRequest';")).to be_truthy }
+      specify { expect(count("return $_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest';")).to be_truthy }
+    end
+
+    context 'when one superglobal is used in an equality check and another is not' do
+      let(:variable) { "$_POST" }
+      specify { expect(count("if ( isset( $_POST['action'] ) && $_POST['action'] == 'enter-key' ) \{")).to eq 1 }
+    end
+  end
+end

data/spec/pluginscan/issues_scanner_spec.rb

@@ -0,0 +1,21 @@
+RSpec.describe Pluginscan::FileScanner do
+  describe "#scan" do
+    subject(:scanner) { Pluginscan::FileScanner.new(double) }
+    let(:results) { scanner.scan(file_contents) }
+
+    context 'with a file which is invalid utf-8' do
+      let(:file_contents) { "\xc2" }
+      it "finds one result" do
+        expect(results.count).to eq 1
+      end
+      it "finds a result of invalid UTF-8" do
+        expect(results.first.check.name).to eq 'Encoding'
+        expect(results.first.check.message).to eq 'invalid UTF-8'
+      end
+      it "finds a result with no findings" do
+        expect(results.first.findings).to eq []
+      end
+    end
+  end
+end
+

data/spec/pluginscan/sloccount_scanner/sloccount_scanner_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+require 'support/heredoc_helper'
+
+RSpec.describe SLOCCountScanner, type: :process do
+  # For safety and speed: disable the system calls by default
+  before do
+    stub_const('SystemSLOCCount', double)
+  end
+
+  describe ".scan" do
+    it "returns a SLOCCount object when sloccount is successful" do
+      stub_dir_exists
+      system_sloccount = fake_system_sloccount(
+        result: "The thing worked. Your sloccount was lots",
+        process_status: successful_process_status
+      )
+      expect(SLOCCountScanner.new(system_sloccount).scan("my_directory")).to be_a(SLOCCount)
+    end
+
+    it "returns a null SLOCCount object when sloccount gives a zero sloc result" do
+      stub_dir_exists
+      system_sloccount = fake_system_sloccount(
+        result: ZERO_SLOCCOUNT_OUTPUT,
+        process_status: failed_process_status
+      )
+      expect(SLOCCountScanner.new(system_sloccount).scan("my_directory")).to be_a(NullSLOCCount)
+    end
+
+    # EXCEPTION HANDLING:
+    #####################
+
+    it "raises an error when no directory is passed" do
+      expect{ SLOCCountScanner.new(anything).scan(nil) }
+        .to raise_error SLOCCountScanner::ArgumentError
+    end
+
+    it "raises an error when the directory doesn't exist" do
+      system_sloccount = fake_system_sloccount(available: true)
+      expect{ SLOCCountScanner.new(system_sloccount).scan("my_directory") }
+        .to raise_error SLOCCountScanner::NoDirectory
+    end
+
+    it "raises an error when sloccount was not available" do
+      stub_dir_exists
+      system_sloccount = fake_system_sloccount(available: false)
+      expect{ SLOCCountScanner.new(system_sloccount).scan("my_directory") }
+        .to raise_error SLOCCountScanner::Unavailable
+    end
+
+    it 'raises an error when sloccount returns an unrecognised error' do
+      stub_dir_exists
+      system_sloccount = fake_system_sloccount(
+        result: "Some nonsense",
+        process_status: failed_process_status
+      )
+      expect{ SLOCCountScanner.new(system_sloccount).scan("my_directory") }
+        .to raise_error SLOCCountScanner::Exception
+    end
+
+    it 'raises an error when sloccount returns a `no input` error' do
+      stub_dir_exists
+      # In reality this should never happen because we check for this case
+      system_sloccount = fake_system_sloccount(
+        result: NO_INPUT_SLOCCOUNT_OUTPUT,
+        process_status: failed_process_status
+      )
+      expect{ SLOCCountScanner.new(system_sloccount).scan("my_directory") }
+        .to raise_error SLOCCountScanner::NoInput
+    end
+
+    def fake_system_sloccount(result: nil, process_status: successful_process_status, available: true)
+      instance_double('SystemSLOCCount').tap do |fake|
+        allow(fake).to receive(:call).and_return [result, process_status]
+        allow(fake).to receive(:available?).and_return(available)
+      end
+    end
+
+    def stub_dir_exists
+      allow(Dir).to receive(:exist?).and_return(true)
+    end
+
+    ZERO_SLOCCOUNT_OUTPUT = <<-EOS.heredoc_unindent
+      filelist for tmp
+      Categorizing files.
+      Computing results.
+
+
+      SLOC Directory SLOC-by-Language (Sorted)
+      0       tmp             (none)
+      SLOC total is zero, no further analysis performed.
+    EOS
+
+    NO_INPUT_SLOCCOUNT_OUTPUT = "Error: You must provide a directory or directories of source code.\n".freeze
+  end
+end

data/spec/pluginscan/sloccount_scanner/sloccount_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper'
+require 'support/heredoc_helper'
+
+RSpec.describe NullSLOCCount do
+  subject(:null_sloccount) { NullSLOCCount.new }
+  describe ".total" do
+    subject { null_sloccount.total }
+    it { is_expected.to eq 0 }
+  end
+end
+
+RSpec.describe SLOCCount do
+  describe "#total" do
+    it "returns the total sloccount shown in the sloccount output file" do
+      sloccount = SLOCCount.new(SLOCCOUNT_OUTPUT_RUBY_785)
+      expect(sloccount.total).to eq 785
+    end
+  end
+
+  SLOCCOUNT_OUTPUT_RUBY_785 = <<-EOS.heredoc_unindent
+    Have a non-directory at the top, so creating directory top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./CHANGELOG.md to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./Gemfile to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./Gemfile.lock to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./README.md to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./TODO.md to top_dir
+    Creating filelist for bin
+    Creating filelist for coverage
+    Creating filelist for lib
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./pluginscan-0.1.1.gem to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./pluginscan-0.1.2.gem to top_dir
+    Adding /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/./pluginscan.gemspec to top_dir
+    Creating filelist for spec
+    Creating filelist for tmp
+    Categorizing files.
+    WARNING! File /Users/dxwduncan/Dev/Ruby_and_rails/pluginscan/bin/pluginscan has unknown start: #!/usr/bin/env ruby
+    Finding a working MD5 command....
+    Found a working MD5 command.
+    Computing results.
+
+
+    SLOC  Directory SLOC-by-Language (Sorted)
+    412     spec            ruby=412
+    373     lib             ruby=373
+    0       bin             (none)
+    0       coverage        (none)
+    0       tmp             (none)
+    0       top_dir         (none)
+
+
+    Totals grouped by language (dominant language first):
+    ruby:           785 (100.00%)
+
+
+
+
+    Total Physical Source Lines of Code (SLOC)                = 785
+    Development Effort Estimate, Person-Years (Person-Months) = 0.16 (1.86)
+     (Basic COCOMO model, Person-Months = 2.4 * (KSLOC**1.05))
+    Schedule Estimate, Years (Months)                         = 0.26 (3.17)
+     (Basic COCOMO model, Months = 2.5 * (person-months**0.38))
+    Estimated Average Number of Developers (Effort/Schedule)  = 0.59
+    Total Estimated Cost to Develop                           = $ 20,953
+     (average salary = $56,286/year, overhead = 2.40).
+    SLOCCount, Copyright (C) 2001-2004 David A. Wheeler
+    SLOCCount is Open Source Software/Free Software, licensed under the GNU GPL.
+    SLOCCount comes with ABSOLUTELY NO WARRANTY, and you are welcome to
+    redistribute it under certain conditions as specified by the GNU GPL license;
+    see the documentation for details.
+    Please credit this data as "generated using David A. Wheeler's 'SLOCCount'."
+  EOS
+end

data/spec/pluginscan/vulnerability_scanner_spec.rb

@@ -0,0 +1,96 @@
+RSpec.describe Pluginscan::VulnerabilityScanner do
+  describe "#scan" do
+    subject(:scanner) { Pluginscan::VulnerabilityScanner.new }
+
+    it "raises an error if the result didn't include the plugin slug" do
+      stub_vuln_api_success('another_plugin' => { 'vulnerabilities' => [] })
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::WPVulnDB::UnexpectedJSONError)
+    end
+
+    it "raises an error if a list of vulnerabilities couldn't be found" do
+      stub_vuln_api_success('my_plugin' => {})
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::WPVulnDB::UnexpectedJSONError)
+    end
+
+    it "returns an empty array if the response was 'not found'" do
+      stub_vuln_api_response_not_found
+      expect(scanner.scan('my_plugin')).to eq []
+    end
+
+    it "raises an error if we got blocked" do
+      stub_vuln_api_response_blocked
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::WPVulnDB::AccessDeniedError)
+    end
+
+    it "raises an error if the code wasn't 200" do
+      stub_vuln_api_response(status: 503, body: 'Something went wrong')
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::WPVulnDB::APIError)
+    end
+
+    it "raises an error if the connection failed with a socket error" do
+      allow(HTTParty).to receive(:get).and_raise(SocketError, "Failed to open TCP connection to wpvulndb.com:443 (getaddrinfo: nodename nor servname provided, or not known)")
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::AdvisoriesAPI::ConnectionError)
+    end
+
+    it "raises an error if the connection failed with a timeout" do
+      allow(HTTParty).to receive(:get).and_raise(Net::OpenTimeout, "execution expired (Net::OpenTimeout)")
+      expect{ scanner.scan('my_plugin') }
+        .to raise_error(Pluginscan::AdvisoriesAPI::ConnectionError)
+    end
+
+    it "returns an array of hashes if results were found" do
+      vulnerabilities = [
+        {
+          'id' => 6425,
+          'title' => "Relevanssi 3.2 - Unspecified SQL Injection",
+          'created_at' => "2014-08-01T10:58:47.000Z",
+          'fixed_in' => "3.3",
+        },
+        {
+          'id' => 6426,
+          'title' => "Relevanssi 2.7.2 - Stored XSS Vulnerability",
+          'created_at' => "2014-08-23T10:58:47.000Z",
+          'fixed_in' => "2.7.3",
+        },
+      ]
+      stub_vuln_api_success('my_plugin' => { 'vulnerabilities' => vulnerabilities })
+      results = scanner.scan('my_plugin')
+      expect(results.count).to eq 2
+
+      expect(results.first.title).to eq "Relevanssi 3.2 - Unspecified SQL Injection"
+      expect(results.first.date).to eq Date.new(2014, 8, 1)
+      expect(results.first.fixed_in).to eq "3.3"
+      expect(results.first.url).to eq "https://wpvulndb.com/vulnerabilities/6425"
+
+      expect(results.last.title).to eq "Relevanssi 2.7.2 - Stored XSS Vulnerability"
+      expect(results.last.date).to eq Date.new(2014, 8, 23)
+      expect(results.last.fixed_in).to eq "2.7.3"
+      expect(results.last.url).to eq "https://wpvulndb.com/vulnerabilities/6426"
+    end
+
+    def stub_vuln_api_success(body)
+      json_header = { 'Content-Type' => 'application/json; charset=utf-8' }
+      stub_vuln_api_response(status: 200, body: body.to_json, headers: json_header)
+    end
+
+    def stub_vuln_api_response_not_found
+      stub_vuln_api_response(status: 404, body: "The page you were looking for doesn't exist (404).")
+    end
+
+    def stub_vuln_api_response_blocked
+      blocked_page = "<!DOCTYPE html>\n<html>\n<head>\n  <meta charset=\"utf-8\">\n  <title>Access denied</title>\n  <link rel=\"stylesheet\" type=\"text/css\" href=\"/style.css\" />\n</head>\n\n<body>\n  <div class=\"center\">\n    <h1>Access denied</h1>\n    <p>Your IP was blocked because of suspicious acitivity.</p>\n    <p>If you think your IP should not be blocked, please contact us at team [at] wpvulndb [.] com</p>\n  </div>\n</body>\n</html>\n"
+      stub_vuln_api_response(status: 403, body: blocked_page)
+    end
+
+    def stub_vuln_api_response(status: 200, body: '', headers: {})
+      stub_request(:get, 'https://wpvulndb.com/api/v2/plugins/my_plugin')
+        .with(headers: { 'Accept' => '*/*', 'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent' => 'Ruby' })
+        .to_return(status: status, body: body, headers: headers)
+    end
+  end
+end

data/spec/process_spec_helper.rb

@@ -0,0 +1,6 @@
+require 'spec_helper'
+require 'support/process_helpers'
+
+RSpec.configure do |config|
+  config.include ProcessHelpers, type: :process
+end

data/spec/spec_helper.rb

@@ -0,0 +1,70 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter '/spec/'
+end
+
+require 'pluginscan'
+require 'webmock/rspec'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    # be_bigger_than(2).and_smaller_than(4).description
+    #   # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #   # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is recommended.
+  # For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  config.example_status_persistence_file_path = 'failures.txt'
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  # Kernel.srand config.seed
+end