pluginscan 0.9.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3fd3f13b583f2ef96ad68acb954c5f5b14573031
+  data.tar.gz: e5cef407d0b0a09949e55fc7aee1376ca4b0c8a0
+SHA512:
+  metadata.gz: 368bf1737a01983e977ee3020e13ab24cc61c38a2a2c68145e35cf35d26a65c2f796769ac8e4b4f23ffa3ce8385ffdc8367ec1fb787ebdbcf7dcac90f9496f68
+  data.tar.gz: e1896d9b70bb9a9425849525f10b8c910a7370e535bc6e836d788836e5a804e2406e434b86f717e8db42aef97cd52de8e12df58b36e83800ff3467ccaaece3e6

data/.gitignore

@@ -0,0 +1,13 @@
+/vendor
+/.bundle
+/*.gem
+/tmp
+/coverage
+failures.txt
+
+# Generated during development:
+README.html
+sloccount_error.log
+
+# Generated by geminabox
+/pkg

data/.gitlab-ci.yml

@@ -0,0 +1,16 @@
+image: ruby:2.3
+
+before_script:
+  - ruby -v
+  - which ruby
+  - gem install bundler --no-ri --no-rdoc
+  - bundle install --jobs $(nproc) "${FLAGS[@]}"
+
+rspec:
+  script:
+    - apt-get update -qq; apt-get install -y -qq cloc
+    - bundle exec rspec 
+
+rubocop:
+  script:
+    - bundle exec rubocop

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--format Fuubar

data/.rubocop.yml

@@ -0,0 +1,46 @@
+inherit_from: .rubocop_todo.yml
+
+AllCops:
+    TargetRubyVersion: 2.3
+
+Metrics/LineLength:
+    Enabled: false
+
+Style/StringLiterals:
+    Enabled: false
+
+Style/FrozenStringLiteralComment:
+    Enabled: false
+
+Style/TrailingBlankLines:
+    Enabled: false
+
+Style/TrailingCommaInLiteral:
+    EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArguments:
+    Enabled: false
+
+Style/AccessModifierIndentation:
+    Enabled: false
+
+Style/SpaceBeforeBlockBraces:
+    Enabled: false
+
+Style/Documentation:
+    Enabled: false
+
+Style/EmptyLines:
+    Enabled: false
+
+Style/Not:
+    Enabled: false
+
+Style/BlockDelimiters:
+    Enabled: false
+
+Style/UnneededPercentQ:
+    Enabled: false
+
+Style/SignalException:
+    Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,36 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2016-11-29 16:12:32 +0000 using RuboCop version 0.45.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/BlockLength:
+  Max: 32
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+  Max: 11
+
+# Offense count: 1
+# Configuration parameters: CountComments.
+Metrics/ModuleLength:
+  Max: 271
+  Exclude:
+    - 'lib/pluginscan/reports/issues_report/issue_checks.rb'
+
+# Offense count: 1
+# Configuration parameters: MinBodyLength.
+Style/GuardClause:
+  Exclude:
+    - 'lib/pluginscan/reports/cloc_report/cloc_scanner.rb'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+Style/MutableConstant:
+  Exclude:
+    - 'spec/pluginscan/cloc_scanner/cloc_spec.rb'

data/CHANGELOG.md

@@ -0,0 +1,89 @@
+## NEXT VERSION
+* Add an Advisory report, calling into https://wpvulndb.com/api
+* Add `strlen` to the list of functions which make variable usage safe
+
+## Version 0.8.1
+* (Bugfix): Lines in the error list file are now ignored or not, depending on
+  the option requested
+
+## Version 0.8.0
+* Add a parameter (-e) for outputting a vim-compatible error list to a file, in addition to showing normal output on the terminal
+* Bugfix: Corrected some checks for bad function names which were probably not getting run properly as part of the scan
+* Bugfix: In the main output: count the total number of issues found, not the number of checks
+
+## Version 0.7.2
+* Bugfix: Ignored lines can be hidden in the main issues report
+* When calling pluginscan from the command line, no arguments is interpreted as meaning "run in the current directory" - even if options are passed
+* Add -h as a command line flag to show help
+* Add -v as a command line flag to show the version
+
+## Version 0.7.1
+* Bugfix: source lines with colons (:) in them have those colons escaped
+  (otherwise the lines can't be parsed by vim)
+* Removed the file list printer: it was probably never going to get used
+
+## Version 0.7.0
+* The vim-compatable error list output now displays [IGNORE] on lines we're
+  confident are safe, and respects the -g flag (hide ignores)
+* New Check: Check for use of unreliable indicators of IP addresses - e.g.
+  HTTP\_FORWARDED\_FOR
+* Add 'unserialize()' to the list of functions which constitute php object injection
+
+## Version 0.6.0
+* Allow ignored lines (things which matched but are believed to be safe) to be hidden in the main issues report by passing '-g' on the command line
+
+## Version 0.5.1
+* Bugfix: Command line now calls the library correctly
+
+## Version 0.5.0
+* New Check: Look for inline JavaScript (script tags without src=)
+* New Check: Look for inline CSS (style tags)
+* New Check: Look for HTML event attributes - these can execute JavaScript (e.g. onclick)
+* New Check: Look for parse_str() and extract() - these extract variables from input
+* Bugfix: column numbers are now correctly calculated (for the vim error list
+  formatter)
+
+## Version 0.4.0
+* Add formatters which can print out the list of files and a vim-compatible
+  error list
+* Allow the formatter to be selected from the command line
+* Allow the sloccount and cloc reports to be selectively disabled by passing
+  command line flags (call with -h for full details)
+* Ignore variables and functions which are on commented lines
+* Add 'hardening' to the list of trigger words
+
+## Version 0.3.4
+* Add 'switch' to the list of functions which make superglobals safe (because they check them rather than use them)
+
+## Version 0.3.3
+* Bugfix: '=>' was being treated as a safe infix (it's array assignment)
+* Bugfix: some infixes were getting double-counted - e.g. '==' and '===' - leading to false negatives
+* Changes to how database access lines are ignored
+
+## Version 0.3.2
+* Handle malformed CSVs
+
+## Version 0.3.1
+* Make sure that sloccount and cloc don't prevent execution of the rest of the tool if they blow up
+
+## Version 0.3.0
+* Higlighing of matched terms in the output of line checks
+* Lots of Superglobal false positives are marked as ignores (e.g. when wrapped in an 'isset')
+* More refactoring
+* Added some additional functions to SAFE_FUNCTIONS and SAFE_INFIXES to improve ignore coverage
+
+## Version 0.2.0
+* Add integration with sloccount and cloc
+* Thorough test suite and major refactoring
+
+## Version 0.1.2
+* Added a proper test suite
+* Major refactoring
+* Various minor bugfixes
+
+## Version 0.1.1
+* Significant refactoring for the sake of sanity (but without tests!)
+* Various minor bugfixes
+
+## Version 0.1.0
+Initial version

data/Gemfile

@@ -0,0 +1,4 @@
+# A sample Gemfile
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,90 @@
+PATH
+  remote: .
+  specs:
+    pluginscan (0.9.0)
+      httparty (< 1)
+      rainbow (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.5.0)
+      public_suffix (~> 2.0, >= 2.0.2)
+    ast (2.3.0)
+    coderay (1.1.1)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.2.5)
+    docile (1.1.5)
+    fuubar (2.2.0)
+      rspec-core (~> 3.0)
+      ruby-progressbar (~> 1.4)
+    geminabox-release (0.2.0)
+    hashdiff (0.3.1)
+    httparty (0.14.0)
+      multi_xml (>= 0.5.2)
+    json (2.0.2)
+    method_source (0.8.2)
+    multi_xml (0.5.5)
+    parser (2.3.3.0)
+      ast (~> 2.2)
+    powerpack (0.1.1)
+    pry (0.10.4)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    public_suffix (2.0.4)
+    rainbow (2.1.0)
+    rake (11.3.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.4)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.1)
+    rubocop (0.45.0)
+      parser (>= 2.3.1.1, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.8.1)
+    safe_yaml (1.0.4)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    slop (3.6.0)
+    unicode-display_width (1.1.1)
+    vcr (3.0.3)
+    webmock (2.1.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.5)
+  fuubar (~> 2)
+  geminabox-release (~> 0.2, >= 0.2.0)
+  pluginscan!
+  pry (~> 0)
+  rake (>= 10.0.0)
+  rspec (~> 3.4.0, >= 3.4.0)
+  rubocop (< 1)
+  simplecov (< 1)
+  vcr (< 4)
+  webmock (< 3)
+
+BUNDLED WITH
+   1.13.1

data/README.md

@@ -0,0 +1,56 @@
+# pluginscan
+
+Scans WordPress plugins for issues
+
+## Installation
+
+### Installing from geminabox
+
+    % sources -a http://gems.dxw.net/
+    % gem install pluginscan
+
+### Installing from source
+
+You'll need recent versions of Ruby and rubygems
+
+    % gem build pluginscan.gemspec
+    % gem install pluginscan-*.gem
+
+### Optional: install sloccount and cloc
+
+On OSX:
+
+    % brew install sloccount
+    % brew install cloc
+
+On Linux:
+
+    % apt-get install sloccount
+    % apt-get install cloc
+
+## Usage
+
+    % cd /path/to/plugin
+    % pluginscan
+
+Help/documentation:
+
+    % pluginscan -h
+
+
+## Development
+
+### Run the tests
+
+    % bundle install
+    % rspec
+
+### Check style
+
+    % bundle install
+    % rubocop
+
+### Release a new gem version
+
+1. Update version number in `lib/pluginscan/version`
+2. `rake inabox:release`

data/Rakefile

@@ -0,0 +1,2 @@
+require 'geminabox-release'
+GeminaboxRelease.patch(host: 'https://gems.dxw.net')

data/TODO.md

@@ -0,0 +1,8 @@
+# Todo
+
+## Important
+* Check for the presence of things that should definitely be there
+
+## Less important
+* Generate HTML reports
+* If one line matches twice in one group, only show it once

data/bin/pluginscan

@@ -0,0 +1,53 @@
+#!/usr/bin/env ruby
+
+require 'pluginscan'
+require 'pluginscan/version' # TODO: Should this be required in lib/pluginscan?
+require 'optparse'
+require 'file_creator'
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = "Usage: pluginscan plugin/directory/path [options]"
+
+  opts.on("-s", "--[no-]sloccount", "SLOCCount source lines report (default)") do |s|
+    options[:sloccount] = s
+  end
+  opts.on("-c", "--[no-]cloc", "CLOC source lines report (default)") do |c|
+    options[:cloc] = c
+  end
+  opts.on("-a", "--[no-]advisories", "Advisories report (default)") do |a|
+    options[:advisories] = a
+  end
+  opts.on("-i", "--issues-format FORMAT", [:report, :error_list], "Format of the issues report (report, error_list). Default: 'report'") do |format|
+    options[:issues_format] = format
+  end
+  opts.on("-g", "--[no-]hide-ignores", "Hide/show ignored lines (i.e. matches which are probably safe)") do |g|
+    options[:hide_ignores] = g
+  end
+  opts.on("-e", "--error-list-file FILENAME", "File for outputting the error_list (vim-compatible errorfile)") do |filename|
+    begin
+      options[:error_list_file] = FileCreator.new.create(filename)
+    rescue FileCreator::Error => e
+      puts "[ERROR] Invalid filename: #{e.message}"
+      exit(1)
+    end
+  end
+
+  # These options exit early:
+  opts.on_tail("-v", "--version", "Show gem version") do
+    puts Pluginscan::VERSION
+    exit
+  end
+  opts.on_tail("-h", "--help", "Show this message") do
+    puts opts
+    exit
+  end
+end.parse!
+
+plugin_directory = ARGV[-1] || '.'
+
+if Dir.exist? plugin_directory
+  Pluginscan::Scanner.new(options).scan(plugin_directory)
+else
+  puts "No such file or directory: #{plugin_directory}"
+end

data/lib/file_creator.rb

@@ -0,0 +1,18 @@
+# Responsible for creating a file and creating error messages which we can present back to the user if it failed
+class FileCreator
+  class Error < StandardError; end
+  attr_reader :error
+  def create(file_name)
+    File.new(file_name, 'w')
+  rescue Errno::EACCES
+    raise Error, "You do not have permission to write to that location (#{file_name})"
+  rescue Errno::EISDIR
+    raise Error, "File name is a directory (#{file_name})"
+  rescue Errno::ENOTDIR
+    raise Error, "File name refers to a directory which does not exist (#{file_name})"
+  end
+  # Errno errors handle error numbers returned by the operating system and translate them into rubyish errors
+  # Therefore there may be slightly different errors on different operating systems,
+  # but hopefully the ones we care about are generally applicable: http://ruby-doc.org/core/Errno.html
+end
+