pluginscan 0.9.0

data/spec/support/acceptance_helpers.rb

@@ -0,0 +1,68 @@
+require 'support/process_helpers'
+
+# helper methods and constants which are only relevant to acceptance specs
+module AcceptanceHelpers
+  def stub_sloccount(system_sloccount = fake_system_sloccount)
+    allow(SLOCCountScanner::SystemSLOCCount).to receive(:instance)
+      .and_return system_sloccount
+  end
+
+  def fake_system_sloccount
+    instance_double('SystemSLOCCount').tap do |fake|
+      allow(fake).to receive(:available?)
+        .and_return true
+      allow(fake).to receive(:call)
+        .and_return [double('result'), failed_process_status]
+    end
+  end
+
+  def stub_cloc(result: "", which_result: which_success('cloc'), process_status: successful_process_status)
+    fake_system_cloc = instance_double(
+      SystemCloc,
+      call: [result, process_status],
+      which: which_result
+    )
+    fake_system_cloc_klass = class_double(SystemCloc, new: fake_system_cloc)
+    stub_const('SystemCloc', fake_system_cloc_klass)
+  end
+
+  def stub_vuln_check
+    stub_request(:get, Regexp.new('https://wpvulndb.com/api/v2/plugins/'))
+      .with(headers: { 'Accept' => '*/*', 'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3', 'User-Agent' => 'Ruby' })
+      .to_return(status: 404, body: "The page you were looking for doesn't exist (404).", headers: {})
+  end
+
+  def coloured_red(string)
+    coloured(RED_START, string)
+  end
+
+  def coloured_green(string)
+    coloured(GREEN_START, string)
+  end
+
+  def coloured_yellow(string)
+    coloured(YELLOW_START, string)
+  end
+
+  def coloured_cyan(string)
+    coloured(CYAN_START, string)
+  end
+
+  def coloured(colour, string)
+    "#{colour_regexp(colour)}#{string}#{colour_regexp(COLOUR_END)}"
+  end
+
+  # Colour codes show up when running specs from the command line,
+  # but not when capturing to a file - e.g when running from vim
+  # so these need to be optional - hence the '?'
+  def colour_regexp(colour_code)
+    "(#{Regexp.escape colour_code})?"
+  end
+
+  # ANSI colour codes:
+  RED_START   = "\e[31m".freeze
+  GREEN_START = "\e[32m".freeze
+  YELLOW_START = "\e[33m".freeze
+  CYAN_START  = "\e[36m".freeze
+  COLOUR_END  = "\e[0m".freeze
+end

data/spec/support/file_helpers.rb

@@ -0,0 +1,35 @@
+require 'fileutils'
+
+module FileHelpers
+  def setup_tempdir(name = 'tmp')
+    FileUtils.rm_rf(name)
+    FileUtils.mkdir(name)
+  end
+
+  def add_non_php_file(tempdir = 'tmp')
+    FileUtils.touch("#{tempdir}/file#{rand(999)}.html")
+  end
+
+  def add_php_file(base_path = 'tmp', contents = nil, name = nil)
+    name ||= "file#{rand(999)}.php"
+    path = "#{base_path}/#{name}"
+    create_file(path, contents)
+    path
+  end
+
+  def create_file(path, contents)
+    return create_empty_file(path) unless contents
+
+    file = File.new(path, 'w')
+    file.write(contents)
+    file.close
+  end
+
+  def create_empty_file(path)
+    FileUtils.touch(path)
+  end
+
+  def add_directory(tempdir = 'tmp', name = 'foo')
+    FileUtils.mkdir("#{tempdir}/#{name}")
+  end
+end

data/spec/support/heredoc_helper.rb

@@ -0,0 +1,7 @@
+# Monkeypatch to remove indentation from the beginning of heredoc strings used in specs
+# so that we can include them in our code in a more readable way
+class String
+  def heredoc_unindent
+    gsub(/^#{ scan(/^\s*/).min_by(&:length) }/, "")
+  end
+end

data/spec/support/process_helpers.rb

@@ -0,0 +1,25 @@
+module ProcessHelpers
+  def successful_process_status
+    process_status_double(true)
+  end
+
+  def failed_process_status
+    process_status_double(false)
+  end
+
+  def process_status_double(success_boolean)
+    instance_double(Process::Status).tap do |status|
+      allow(status).to receive(:success?).and_return success_boolean
+    end
+  end
+
+  def which_success(command)
+    # The kind of response that Open3 will return if `which command` was successful
+    ["/usr/local/bin/#{command}\n", successful_process_status]
+  end
+
+  def which_failure
+    # The kind of response that Open3 will return if `which command` failed
+    ["", failed_process_status]
+  end
+end

data/spec/support/shared_examples_for_issue_checks.rb

@@ -0,0 +1,31 @@
+RSpec.shared_examples "matches lines containing" do |match, example_string, check_index: 0, match_index: 0, ignored: false|
+  context match do
+    context example_string do
+      before(:all) { @scanner = described_class.new(Pluginscan::THE_CHECKS) }
+      let(:file_contents) { example_string }
+      let(:checks_findings) { @scanner.scan(file_contents) }
+      let(:check_findings) { checks_findings[check_index] }
+      let(:finding) do
+        raise "Tried to get findings for the #{check_index}th check matching this line, but only #{checks_findings.count} checks match this line" if check_findings.nil?
+        check_findings.findings[match_index]
+      end
+
+      it "finds a finding which checks_findings #{match}" do
+        expect(checks_findings).to_not be_empty
+        expect(finding.lineno).to  eq 1
+        expect(finding.line).to    eq file_contents
+        expect(finding.match).to   eq match
+        expect(finding.ignored).to eq ignored
+      end
+    end
+  end
+end
+
+RSpec.shared_examples "ignores lines containing" do |match, example_string, check_index: 0, match_index: 0|
+  it_behaves_like "matches lines containing", match, example_string, check_index: check_index, match_index: match_index, ignored: true
+end
+
+RSpec.shared_examples "matches a variable assigned to a superglobal" do |superglobal|
+  example_string = "$value = #{superglobal}['foo']"
+  it_behaves_like "matches lines containing", superglobal, example_string
+end

data/spec/support/vcr_helper.rb

@@ -0,0 +1,6 @@
+require 'vcr'
+
+VCR.configure do |c|
+  c.cassette_library_dir = 'vcr_cassettes'
+  c.hook_into :webmock
+end

data/vcr_cassettes/wpvulndb/relevanssi.yml

@@ -0,0 +1,78 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: https://wpvulndb.com/api/v2/plugins/relevanssi
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+      User-Agent:
+      - Ruby
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Server:
+      - nginx
+      Date:
+      - Mon, 23 May 2016 13:00:57 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Vary:
+      - Accept-Encoding
+      Cache-Control:
+      - max-age=0, private, must-revalidate
+      X-Request-Id:
+      - 8da0a81f-dfe0-493e-bb99-55486456834f
+      Strict-Transport-Security:
+      - max-age=63072000; includeSubDomains; preload
+      X-Frame-Options:
+      - SAMEORIGIN
+      X-Xss-Protection:
+      - 1; mode=block
+      X-Content-Type-Options:
+      - nosniff
+      X-Download-Options:
+      - noopen
+      X-Permitted-Cross-Domain-Policies:
+      - none
+      Content-Security-Policy:
+      - default-src 'self'; child-src 'self' https://rpm.newrelic.com; frame-src 'self'
+        https://rpm.newrelic.com https://www.google.com/recaptcha/; script-src 'self'
+        https://www.google.com/recaptcha/ https://apis.google.com https://www.google.com/recaptcha/
+        https://www.gstatic.com/recaptcha/; img-src 'self' https://ssl.gstatic.com/;
+        style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content;
+        report-uri https://firefart.report-uri.io/r/default/csp/enforce;
+      X-Content-Security-Policy:
+      - default-src 'self'; child-src 'self' https://rpm.newrelic.com; frame-src 'self'
+        https://rpm.newrelic.com https://www.google.com/recaptcha/; script-src 'self'
+        https://www.google.com/recaptcha/ https://apis.google.com https://www.google.com/recaptcha/
+        https://www.gstatic.com/recaptcha/; img-src 'self' https://ssl.gstatic.com/;
+        style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content;
+        report-uri https://firefart.report-uri.io/r/default/csp/enforce;
+      X-Webkit-Csp:
+      - default-src 'self'; child-src 'self' https://rpm.newrelic.com; frame-src 'self'
+        https://rpm.newrelic.com https://www.google.com/recaptcha/; script-src 'self'
+        https://www.google.com/recaptcha/ https://apis.google.com https://www.google.com/recaptcha/
+        https://www.gstatic.com/recaptcha/; img-src 'self' https://ssl.gstatic.com/;
+        style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content;
+        report-uri https://firefart.report-uri.io/r/default/csp/enforce;
+    body:
+      encoding: ASCII-8BIT
+      string: '{"relevanssi":{"latest_version":"3.5.3","last_updated":"2016-04-20T09:39:00.000Z","popular":true,"vulnerabilities":[{"id":6425,"title":"Relevanssi
+        3.2 - Unspecified SQL Injection","created_at":"2014-08-01T10:58:47.000Z","updated_at":"2015-05-15T13:47:47.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/65960/"],"secunia":["56641"]},"vuln_type":"SQLI","fixed_in":"3.3"},{"id":6426,"title":"Relevanssi
+        2.7.2 - Stored XSS Vulnerability","created_at":"2014-08-01T10:58:47.000Z","updated_at":"2015-05-15T13:47:47.000Z","published_date":null,"references":{"secunia":["43461"],"exploitdb":["16233"]},"vuln_type":"XSS","fixed_in":"2.7.3"},{"id":7740,"title":"Relevanssi
+        <= 3.3.7.1 - Cross-Site Scripting (XSS)","created_at":"2015-01-03T11:29:33.000Z","updated_at":"2015-05-15T13:49:13.000Z","published_date":null,"references":{"cve":["2014-9443"],"secunia":["61744"]},"vuln_type":"XSS","fixed_in":"3.3.8"}]}}'
+    http_version: 
+  recorded_at: Mon, 23 May 2016 13:00:57 GMT
+recorded_with: VCR 3.0.3

metadata

@@ -0,0 +1,342 @@
+--- !ruby/object:Gem::Specification
+name: pluginscan
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- dxw
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-02-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rainbow
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: fuubar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 10.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 10.0.0
+- !ruby/object:Gem::Dependency
+  name: geminabox-release
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+description: Scans WordPress plugins for potential issues and vulnerabilities
+email:
+- security@dxw.com
+executables:
+- pluginscan
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".gitlab-ci.yml"
+- ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- TODO.md
+- bin/pluginscan
+- lib/file_creator.rb
+- lib/pluginscan.rb
+- lib/pluginscan/error.rb
+- lib/pluginscan/error_printer.rb
+- lib/pluginscan/file_finder.rb
+- lib/pluginscan/printer.rb
+- lib/pluginscan/reports/cloc_report.rb
+- lib/pluginscan/reports/cloc_report/cloc.rb
+- lib/pluginscan/reports/cloc_report/cloc_printer.rb
+- lib/pluginscan/reports/cloc_report/cloc_scanner.rb
+- lib/pluginscan/reports/cloc_report/system_cloc.rb
+- lib/pluginscan/reports/issues_report.rb
+- lib/pluginscan/reports/issues_report/error_list_printer.rb
+- lib/pluginscan/reports/issues_report/issue_checks.rb
+- lib/pluginscan/reports/issues_report/issue_checks/check.rb
+- lib/pluginscan/reports/issues_report/issue_checks/comment_checker.rb
+- lib/pluginscan/reports/issues_report/issue_checks/function_check.rb
+- lib/pluginscan/reports/issues_report/issue_checks/variable_check.rb
+- lib/pluginscan/reports/issues_report/issue_checks/variable_safety_checker.rb
+- lib/pluginscan/reports/issues_report/issues_models/check_findings.rb
+- lib/pluginscan/reports/issues_report/issues_models/issues.rb
+- lib/pluginscan/reports/issues_report/issues_printer.rb
+- lib/pluginscan/reports/issues_report/issues_printer/check_findings_printer.rb
+- lib/pluginscan/reports/issues_report/issues_printer/file_issues_printer.rb
+- lib/pluginscan/reports/issues_report/issues_printer/finding_printer.rb
+- lib/pluginscan/reports/issues_report/issues_printer_factory.rb
+- lib/pluginscan/reports/issues_report/issues_scanner.rb
+- lib/pluginscan/reports/issues_report/issues_scanner/file_issues_scanner.rb
+- lib/pluginscan/reports/issues_report/issues_scanner/line_issues_scanner.rb
+- lib/pluginscan/reports/issues_report/issues_scanner/utf8_checker.rb
+- lib/pluginscan/reports/sloccount_report.rb
+- lib/pluginscan/reports/sloccount_report/sloccount.rb
+- lib/pluginscan/reports/sloccount_report/sloccount_printer.rb
+- lib/pluginscan/reports/sloccount_report/sloccount_scanner.rb
+- lib/pluginscan/reports/vulnerability_report.rb
+- lib/pluginscan/reports/vulnerability_report/advisories_api.rb
+- lib/pluginscan/reports/vulnerability_report/vulnerabilities_printer.rb
+- lib/pluginscan/reports/vulnerability_report/vulnerability_scanner.rb
+- lib/pluginscan/reports/vulnerability_report/wp_vuln_db_api.rb
+- lib/pluginscan/version.rb
+- pluginscan.gemspec
+- spec/acceptance/cloc_spec.rb
+- spec/acceptance/create_error_list_file_spec.rb
+- spec/acceptance/issues_spec.rb
+- spec/acceptance/pluginscan_spec.rb
+- spec/acceptance/sloccount_spec.rb
+- spec/acceptance/vulnerabilities_spec.rb
+- spec/acceptance_spec_helper.rb
+- spec/checks_examples_spec.rb
+- spec/file_creator_spec.rb
+- spec/pluginscan/cloc_scanner/cloc_scanner_spec.rb
+- spec/pluginscan/cloc_scanner/cloc_spec.rb
+- spec/pluginscan/file_finder_spec.rb
+- spec/pluginscan/issues_scanner/check_findings_spec.rb
+- spec/pluginscan/issues_scanner/error_list_printer_ignores_spec.rb
+- spec/pluginscan/issues_scanner/error_list_printer_spec.rb
+- spec/pluginscan/issues_scanner/file_issues_scanner_spec.rb
+- spec/pluginscan/issues_scanner/issues_printer_factory_spec.rb
+- spec/pluginscan/issues_scanner/issues_spec.rb
+- spec/pluginscan/issues_scanner/variable_check_spec.rb
+- spec/pluginscan/issues_scanner/variable_safety_checker_spec.rb
+- spec/pluginscan/issues_scanner_spec.rb
+- spec/pluginscan/sloccount_scanner/sloccount_scanner_spec.rb
+- spec/pluginscan/sloccount_scanner/sloccount_spec.rb
+- spec/pluginscan/vulnerability_scanner_spec.rb
+- spec/process_spec_helper.rb
+- spec/spec_helper.rb
+- spec/support/acceptance_helpers.rb
+- spec/support/file_helpers.rb
+- spec/support/heredoc_helper.rb
+- spec/support/process_helpers.rb
+- spec/support/shared_examples_for_issue_checks.rb
+- spec/support/vcr_helper.rb
+- vcr_cassettes/wpvulndb/relevanssi.yml
+homepage: https://twinkie.dxw.net/dxw/pluginscan
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Does stuff
+test_files:
+- spec/acceptance/cloc_spec.rb
+- spec/acceptance/create_error_list_file_spec.rb
+- spec/acceptance/issues_spec.rb
+- spec/acceptance/pluginscan_spec.rb
+- spec/acceptance/sloccount_spec.rb
+- spec/acceptance/vulnerabilities_spec.rb
+- spec/acceptance_spec_helper.rb
+- spec/checks_examples_spec.rb
+- spec/file_creator_spec.rb
+- spec/pluginscan/cloc_scanner/cloc_scanner_spec.rb
+- spec/pluginscan/cloc_scanner/cloc_spec.rb
+- spec/pluginscan/file_finder_spec.rb
+- spec/pluginscan/issues_scanner/check_findings_spec.rb
+- spec/pluginscan/issues_scanner/error_list_printer_ignores_spec.rb
+- spec/pluginscan/issues_scanner/error_list_printer_spec.rb
+- spec/pluginscan/issues_scanner/file_issues_scanner_spec.rb
+- spec/pluginscan/issues_scanner/issues_printer_factory_spec.rb
+- spec/pluginscan/issues_scanner/issues_spec.rb
+- spec/pluginscan/issues_scanner/variable_check_spec.rb
+- spec/pluginscan/issues_scanner/variable_safety_checker_spec.rb
+- spec/pluginscan/issues_scanner_spec.rb
+- spec/pluginscan/sloccount_scanner/sloccount_scanner_spec.rb
+- spec/pluginscan/sloccount_scanner/sloccount_spec.rb
+- spec/pluginscan/vulnerability_scanner_spec.rb
+- spec/process_spec_helper.rb
+- spec/spec_helper.rb
+- spec/support/acceptance_helpers.rb
+- spec/support/file_helpers.rb
+- spec/support/heredoc_helper.rb
+- spec/support/process_helpers.rb
+- spec/support/shared_examples_for_issue_checks.rb
+- spec/support/vcr_helper.rb