pluginscan 0.9.0

data/lib/pluginscan/reports/issues_report/issues_scanner/line_issues_scanner.rb

@@ -0,0 +1,15 @@
+module Pluginscan
+  # Responsible for scanning one line of a file for issues of a certain type
+  class LineIssuesScanner
+    def initialize(check)
+      @check = check
+    end
+
+    def scan(line, lineno)
+      @check.run(line).map do |match|
+        ignored = @check.ignore?(match, line)
+        Finding.new(lineno, line, match, ignored)
+      end
+    end
+  end
+end

data/lib/pluginscan/reports/issues_report/issues_scanner/utf8_checker.rb

@@ -0,0 +1,14 @@
+module Pluginscan
+  # Responsible for checking a file for utf-8 validity
+  class UTF8Checker
+    # TODO: This returns nil if the file was valid. Returning nil is bad.
+    def check(file_contents)
+      # Check file contents are valid UTF-8
+      file_contents.force_encoding('utf-8')
+      return if file_contents.valid_encoding?
+      CheckFindings.new(
+        Check.new(name: 'Encoding', message: 'invalid UTF-8')
+      )
+    end
+  end
+end

data/lib/pluginscan/reports/sloccount_report.rb

@@ -0,0 +1,26 @@
+require 'pluginscan/reports/sloccount_report/sloccount'
+require 'pluginscan/reports/sloccount_report/sloccount_scanner'
+require 'pluginscan/reports/sloccount_report/sloccount_printer'
+require 'pluginscan/error_printer'
+
+module Pluginscan
+  module Reports
+    module SLOCCountReport
+      def self.print(plugin_directory, printer, error_printer)
+        sloccount = SLOCCountScanner.new.scan(plugin_directory)
+        printer.print(sloccount)
+
+      rescue SLOCCountScanner::Unavailable
+        error_printer.print("The 'sloccount' command is unavailable. Is it installed and in your path?")
+      rescue SLOCCountScanner::Exception => e
+        error_printer.print("An error occurred while calculating the SLOCCount:\n          #{e.message}")
+      rescue StandardError => e
+        # We don't want an error with CLOC to interrupt the rest of pluginscan
+        # TODO: not sure this is sensible
+        error_printer.print("An error occurred while calculating the SLOCCount:\n          #{e.message}")
+      else
+        return true
+      end
+    end
+  end
+end

data/lib/pluginscan/reports/sloccount_report/sloccount.rb

@@ -0,0 +1,19 @@
+# Responsible for accessing specific data in the output of the `sloccount` command
+class SLOCCount
+  def initialize(sloccount_output)
+    @sloccount_output = sloccount_output
+  end
+
+  def total
+    total_regex = /^Total Physical Source Lines of Code.*= ([\d\,]+)/
+    # Numbers in sloccount are displayed with commas e.g. 1,791
+    @sloccount_output.match(total_regex)[1].delete(',').to_i
+  end
+end
+
+# TODO: should be ZeroSLOCCount? More descriptive, but less obvious it's null object pattern
+class NullSLOCCount
+  def total
+    0
+  end
+end

data/lib/pluginscan/reports/sloccount_report/sloccount_printer.rb

@@ -0,0 +1,22 @@
+require 'pluginscan/printer'
+
+module Pluginscan
+  class SLOCCountPrinter < Printer
+    def print(sloccount)
+      print_headline
+      print_results(sloccount)
+      print_blank_line
+    end
+
+  private
+
+    def print_headline
+      @output.puts "Total sloccount (from David A. Wheeler's 'SLOCCount' tool):".color(:blue)
+    end
+
+    def print_results(sloccount)
+      total = sloccount.total.to_s.color(:red)
+      @output.puts "  #{total} source lines of code"
+    end
+  end
+end

data/lib/pluginscan/reports/sloccount_report/sloccount_scanner.rb

@@ -0,0 +1,86 @@
+require 'open3'
+
+# Responsible for running the `sloccount` system command and handling any resulting errors
+# The SLOCCount project is at http://www.dwheeler.com/sloccount/ and can be installed on OSX using homebrew:
+#     brew install sloccount
+class SLOCCountScanner
+  class Exception < StandardError; end
+  class ArgumentError < RuntimeError; end
+  class Unavailable < RuntimeError; end
+  class NoInput < RuntimeError; end
+  class NoDirectory < RuntimeError; end
+
+  def initialize(system_sloccount = SystemSLOCCount.instance)
+    @system_sloccount = system_sloccount
+  end
+
+  def scan(directory)
+    fail ArgumentError, "directory must must be a string (or quack like a string)" unless directory.respond_to?(:to_str)
+    fail Unavailable, "The 'sloccount' command is unavailable. Is it installed and in your path?" unless @system_sloccount.available?
+    fail NoDirectory, "No such directory: '#{directory}'" unless Dir.exist?(directory)
+
+    result, status = @system_sloccount.call(directory)
+
+    if status.success?
+      SLOCCount.new(result)
+    else
+      check_for_errors(result) { NullSLOCCount.new }
+    end
+  end
+
+private
+
+  def check_for_errors(result)
+    case result
+    when /SLOC total is zero, no further analysis performed/
+      yield
+
+    when /Error: You must provide a directory or directories of source code/
+      # Because of the check above, it shouldn't be possible to get here
+      raise NoInput, "sloccount requires a directory or directories of source code"
+    else
+      raise Exception, "sloccount raised an error we didn't recognise. Here's the output:\n#{result}"
+    end
+  end
+
+  # Responsible for isolating the system calls to run SLOCCount
+  class SystemSLOCCount
+    require 'singleton'
+    include Singleton
+
+    COMMAND_NAME = "sloccount".freeze
+
+    def available?
+      _result, status = system_which_sloccount
+      status.success?
+    end
+
+    def call(directory)
+      # DANGER!!! calling system command
+      # also: danger! not covered by specs
+
+      # Should be safe from injection because of the `Dir.exist?` check.
+      Open3.capture2("#{COMMAND_NAME} #{directory} 2> #{error_log_name}")
+
+    ensure
+      delete_empty_error_log
+    end
+
+  private
+
+    def system_which_sloccount
+      # DANGER!!! calling system command
+      # also: danger! not covered by specs
+
+      Open3.capture2("which #{COMMAND_NAME}")
+    end
+
+    def error_log_name
+      "#{COMMAND_NAME}_error.log"
+    end
+
+    def delete_empty_error_log
+      File.delete(error_log_name) if File.zero?(error_log_name)
+    end
+  end
+end

data/lib/pluginscan/reports/vulnerability_report.rb

@@ -0,0 +1,28 @@
+require 'pluginscan/reports/vulnerability_report/advisories_api'
+require 'pluginscan/reports/vulnerability_report/wp_vuln_db_api'
+require 'pluginscan/reports/vulnerability_report/vulnerability_scanner'
+require 'pluginscan/reports/vulnerability_report/vulnerabilities_printer'
+require 'fileutils'
+
+module Pluginscan
+  module Reports
+    module VulnerabilityReport
+      def self.print(plugin_directory, printer, error_printer)
+        plugin_slug = get_plugin_slug(plugin_directory)
+        advisories = VulnerabilityScanner.new.scan(plugin_slug)
+
+        printer.print(advisories, plugin_slug)
+        true
+      rescue WPVulnDB::APIError => e
+        error_printer.print(e.message)
+        false
+      end
+
+      def self.get_plugin_slug(plugin_directory)
+        # Expanding the path handles '.' and '..' etc.
+        full_path = File.expand_path(plugin_directory)
+        full_path.split('/').last
+      end
+    end
+  end
+end

data/lib/pluginscan/reports/vulnerability_report/advisories_api.rb

@@ -0,0 +1,23 @@
+require 'httparty'
+
+module Pluginscan
+  # Responsible for calling an api endpoint
+  # and re-raising ruby errors with more information
+  class AdvisoriesAPI
+    class Error < StandardError; end
+    class ConnectionError < Error; end
+
+    def initialize(api_name:, timeout:)
+      @api_name = api_name
+      @timeout = timeout
+    end
+
+    def get(uri)
+      HTTParty.get(uri, timeout: @timeout)
+    rescue SocketError
+      raise(ConnectionError, "Couldn't connect to #{@api_name} (SocketError)")
+    rescue Net::OpenTimeout
+      raise(ConnectionError, "Connection to #{@api_name} timed out after #{@timeout} seconds")
+    end
+  end
+end

data/lib/pluginscan/reports/vulnerability_report/vulnerabilities_printer.rb

@@ -0,0 +1,55 @@
+module Pluginscan
+  class VulnerabilitiesPrinter < Printer
+    def print(advisories, plugin_slug)
+      raise ArgumentError, "Can't print a nil list of advisories" if advisories.nil?
+
+      print_headline(advisories, plugin_slug)
+
+      advisories.reverse.each do |advisory|
+        print_advisory(advisory)
+      end
+
+      print_blank_line
+    end
+
+    private def print_headline(advisories, plugin_slug)
+      if advisories.any?
+        @output.puts "#{advisories.count} advisories were found for '#{plugin_slug}':".color(:blue)
+      else
+        @output.puts "No advisories were found for '#{plugin_slug}'".color(:blue)
+      end
+    end
+
+    private def print_advisory(advisory)
+      printer = VulnerabilityPrinter.new(@output)
+      printer.print(advisory)
+    end
+  end
+
+  class VulnerabilityPrinter < Printer
+    def print(advisory)
+      title = highlight_version_number(advisory.title)
+      date = format_date(advisory.date)
+      fixed = fixed_data(advisory.fixed_in)
+      @output.puts "  #{date} #{title} #{fixed}"
+      @output.puts "    #{advisory.url}"
+    end
+
+    private def highlight_version_number(title)
+      version_number_regex = '([\<\>\=]+\ )?[\d\.]+'
+      title.gsub(
+        /(?<version>#{version_number_regex})/,
+        '\k<version>'.color(:yellow)
+      )
+    end
+
+    private def format_date(date)
+      date.strftime('%Y-%m-%d').color(:green)
+    end
+
+    private def fixed_data(fixed_version)
+      return "(no fixed version!)".color(:red) if fixed_version.nil?
+      "(fixed in #{fixed_version})".color(:red)
+    end
+  end
+end

data/lib/pluginscan/reports/vulnerability_report/vulnerability_scanner.rb

@@ -0,0 +1,17 @@
+module Pluginscan
+  # Responsible for calling out to an API to see if any advisories
+  # have been published about this plugin
+  class VulnerabilityScanner
+    class Error < StandardError; end
+
+    def initialize(advisories_api = WPVulnDB::API.new, response_handler = WPVulnDB::APIResponseHandler.new)
+      @advisories_api = advisories_api
+      @response_handler = response_handler
+    end
+
+    def scan(plugin_slug)
+      response = @advisories_api.get_plugin_advisories(plugin_slug)
+      @response_handler.call(response, plugin_slug)
+    end
+  end
+end

data/lib/pluginscan/reports/vulnerability_report/wp_vuln_db_api.rb

@@ -0,0 +1,77 @@
+module Pluginscan
+  # Responsible for calling the WPVulnDB API
+  module WPVulnDB
+    class APIError < StandardError; end
+    class AccessDeniedError < APIError; end
+    class UnexpectedJSONError < APIError; end
+
+    class API
+      def initialize
+        @api = AdvisoriesAPI.new(api_name: 'wpvulndb', timeout: 10)
+      end
+
+      def get_plugin_advisories(plugin_slug)
+        @api.get(uri(plugin_slug))
+      end
+
+      private
+
+      def uri(plugin_slug)
+        "#{base_uri}/plugins/#{plugin_slug}"
+      end
+
+      def base_uri
+        'https://wpvulndb.com/api/v2'
+      end
+    end
+
+    class APIResponseHandler
+      def call(response, plugin_slug)
+        case response.code
+        when 200
+          DataMapper.new.call(response.parsed_response, plugin_slug)
+        when 404
+          []
+        when 403
+          raise(AccessDeniedError, "We got blocked by wpvulndb for suspicious activity :( Contact team@wpvulndb.com")
+        else
+          raise(APIError, "Something went wrong when calling wpvulndb - got a #{response.code} code: '#{response.body[0..50]}'")
+        end
+      end
+    end
+
+    class DataMapper
+      def call(response_data, plugin_slug)
+        plugin_data = response_data.fetch(plugin_slug) do
+          raise(UnexpectedJSONError, "Couldn't find data for '#{plugin_slug}' in api response")
+        end
+
+        vulns = plugin_data.fetch('vulnerabilities') do
+          raise(UnexpectedJSONError, "Couldn't find a list of vulnerabilities")
+        end
+
+        vulns.map{ |v| Advisory.new(v) }
+      end
+    end
+
+    class Advisory
+      attr_reader :title
+      attr_reader :fixed_in
+
+      def initialize(data)
+        @id = data.fetch('id')
+        @title = data.fetch('title')
+        @created_at = data.fetch('created_at')
+        @fixed_in = data.fetch('fixed_in')
+      end
+
+      def date
+        Date.parse(@created_at)
+      end
+
+      def url
+        "https://wpvulndb.com/vulnerabilities/#{@id}"
+      end
+    end
+  end
+end

data/lib/pluginscan/version.rb

@@ -0,0 +1,3 @@
+module Pluginscan
+  VERSION = "0.9.0".freeze
+end

data/pluginscan.gemspec

@@ -0,0 +1,31 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'pluginscan/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "pluginscan"
+  spec.version       = Pluginscan::VERSION
+  spec.authors       = ["dxw"]
+  spec.email         = ["security@dxw.com"]
+  spec.homepage      = "https://twinkie.dxw.net/dxw/pluginscan"
+  spec.description   = %q(Scans WordPress plugins for potential issues and vulnerabilities)
+  spec.summary       = %q(Does stuff)
+
+  spec.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  spec.executables   = ['pluginscan']
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rainbow", "~> 2.0"
+  spec.add_dependency "httparty", "< 1"
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rspec", "~> 3.4.0", '>= 3.4.0'
+  spec.add_development_dependency "webmock", "< 3"
+  spec.add_development_dependency "vcr", "< 4"
+  spec.add_development_dependency "simplecov", "< 1"
+  spec.add_development_dependency "rubocop", "< 1"
+  spec.add_development_dependency "fuubar", "~> 2"
+  spec.add_development_dependency "pry", "~> 0"
+  spec.add_development_dependency "rake", ">= 10.0.0"
+  spec.add_development_dependency "geminabox-release", "~> 0.2", ">= 0.2.0"
+end

data/spec/acceptance/cloc_spec.rb

@@ -0,0 +1,54 @@
+require 'acceptance_spec_helper'
+require 'support/heredoc_helper'
+
+RSpec.describe Pluginscan::Scanner do
+  before do
+    # these are slow, so don't run them if we don't have to
+    stub_cloc
+    stub_sloccount
+    stub_vuln_check
+  end
+
+  describe '.scan' do
+    let(:output) { StringIO.new }
+
+    describe "CLOC Report", type: [:file, :process] do
+      subject(:scanner) { Pluginscan::Scanner.new(sloccount: false, output: output) }
+      before(:all) { setup_tempdir 'tmp' }
+
+      it "reports on sloc by language" do
+        LanguageCount = Struct.new :language, :sloc, :file_count
+
+        cloc_output = <<-EOS.heredoc_unindent
+          files,language,blank,comment,code,"github.com/AlDanial/cloc v 1.70  T=0.29 s (284.9 files/s, 65539.8 lines/s)"
+          20,PHP,4584,0,6628
+        EOS
+
+        stub_cloc(result: cloc_output)
+
+        php   = coloured_cyan('PHP')
+        count = coloured_red('6628')
+        scanner.scan 'tmp'
+        expect(output.string).to match(/#{php}\s*#{count} lines across 20 files/)
+      end
+
+      it "displays a message when there was no code" do
+        stub_cloc(result: "")
+        scanner.scan 'tmp'
+        expect(output.string).to match(/CLOC didn't find any code/)
+      end
+
+      it "displays a message when cloc was unavailable (doesn't error out)" do
+        stub_cloc(which_result: which_failure)
+        scanner.scan 'tmp'
+        expect(output.string).to match(/The 'cloc' command is unavailable/)
+      end
+
+      it "displays a message when cloc threw an error (doesn't error out)" do
+        stub_cloc(result: "Some nonsense", process_status: failed_process_status)
+        scanner.scan 'tmp'
+        expect(output.string).to match(/Some nonsense/)
+      end
+    end
+  end
+end