site-inspector 1.0.2 → 3.2.0

data/spec/checks/site_inspector_endpoint_dns_spec.rb

@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'dnsruby'
+
+describe SiteInspector::Endpoint::Dns do
+  subject do
+    stub_request(:head, 'http://github.com/').to_return(status: 200)
+    endpoint = SiteInspector::Endpoint.new('http://github.com')
+    described_class.new(endpoint)
+  end
+
+  it 'inits the resolver' do
+    expect(described_class.resolver.class).to eql(Dnsruby::Resolver)
+  end
+
+  # NOTE: these tests makes external calls
+  context 'live tests' do
+    it 'runs the query' do
+      expect(subject.query).not_to be_empty
+    end
+
+    context 'resolv' do
+      it 'returns the IP' do
+        expect(subject.ip).to include('140.82.')
+      end
+
+      it 'returns the hostname' do
+        expect(subject.hostname.sld).to eql('github')
+      end
+    end
+  end
+
+  context 'stubbed tests' do
+    before do
+      record = Dnsruby::RR.create type: 'A', address: '1.2.3.4', name: 'test'
+      allow(subject).to receive(:records) { [record] }
+      allow(subject).to receive(:query).and_return([])
+    end
+
+    it 'returns the records' do
+      expect(subject.records.count).to be(1)
+      expect(subject.records.first.class).to eql(Dnsruby::RR::IN::A)
+    end
+
+    it 'knows if a record exists' do
+      expect(subject.has_record?('A')).to be(true)
+      expect(subject.has_record?('CNAME')).to be(false)
+    end
+
+    it 'knows if a domain supports dnssec' do
+      expect(subject.dnssec?).to be(false)
+
+      # via https://github.com/alexdalitz/dnsruby/blob/master/test/tc_dnskey.rb
+      input = 'example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3' \
+        'Cbl+BBZH4b/0PY1kxkmvHjcZc8no' \
+        'kfzj31GajIQKY+5CptLr3buXA10h' \
+        'WqTkF7H6RfoRqXQeogmMHfpftf6z' \
+        'Mv1LyBUgia7za6ZEzOJBOztyvhjL' \
+        '742iU/TpPSEDhm2SNKLijfUppn1U' \
+        'aNvv4w==  )'
+
+      record = Dnsruby::RR.create input
+      allow(subject).to receive(:records) { [record] }
+
+      expect(subject.dnssec?).to be(true)
+    end
+
+    it 'knows if a domain supports ipv6' do
+      expect(subject.ipv6?).to be(false)
+
+      input = {
+        type: 'AAAA',
+        name: 'test',
+        address: '102:304:506:708:90a:b0c:d0e:ff10'
+      }
+      record = Dnsruby::RR.create input
+      allow(subject).to receive(:records) { [record] }
+
+      expect(subject.ipv6?).to be(true)
+    end
+
+    it "knows it's not a localhost address" do
+      expect(subject.localhost?).to be(false)
+    end
+
+    context 'hostname detection' do
+      it 'lists cnames' do
+        records = []
+
+        records.push Dnsruby::RR.create(
+          type: 'CNAME',
+          domainname: 'example.com',
+          name: 'example'
+        )
+
+        records.push Dnsruby::RR.create(
+          type: 'CNAME',
+          domainname: 'github.com',
+          name: 'github'
+        )
+
+        allow(subject).to receive(:records) { records }
+
+        expect(subject.cnames.count).to be(2)
+        expect(subject.cnames.first.sld).to eql('example')
+      end
+
+      it "knows when a domain doesn't have a cdn" do
+        expect(subject.cdn?).to be(false)
+      end
+
+      it 'detects CDNs' do
+        records = [Dnsruby::RR.create(
+          type: 'CNAME',
+          domainname: 'foo.cloudfront.net',
+          name: 'example'
+        )]
+        allow(subject).to receive(:records) { records }
+
+        expect(subject.send(:detect_by_hostname, 'cdn')).to be(:cloudfront)
+        expect(subject.cdn).to be(:cloudfront)
+        expect(subject.cdn?).to be(true)
+      end
+
+      it 'builds that path to a data file' do
+        path = subject.send(:data_path, 'foo')
+        expected = File.expand_path '../../lib/data/foo.yml', File.dirname(__FILE__)
+        expect(path).to eql(expected)
+      end
+
+      it 'loads data files' do
+        data = subject.send(:load_data, 'cdn')
+        expect(data.keys).to include('cloudfront')
+      end
+
+      it "knows when a domain isn't cloud" do
+        expect(subject.cloud?).to be(false)
+      end
+
+      it 'detects cloud providers' do
+        records = [Dnsruby::RR.create(
+          type: 'CNAME',
+          domainname: 'foo.herokuapp.com',
+          name: 'example'
+        )]
+        allow(subject).to receive(:records) { records }
+
+        expect(subject.send(:detect_by_hostname, 'cloud')).to be(:heroku)
+        expect(subject.cloud_provider).to be(:heroku)
+        expect(subject.cloud?).to be(true)
+      end
+
+      it "knows when a domain doesn't have google apps" do
+        expect(subject.google_apps?).to be(false)
+      end
+
+      it 'knows when a domain is using google apps' do
+        records = [Dnsruby::RR.create(
+          type: 'MX',
+          exchange: 'mx1.google.com',
+          name: 'example',
+          preference: 10
+        )]
+        allow(subject).to receive(:records) { records }
+        expect(subject.google_apps?).to be(true)
+      end
+    end
+  end
+
+  context 'localhost' do
+    before do
+      allow(subject).to receive(:ip).and_return('127.0.0.1')
+    end
+
+    it "knows it's a localhost address" do
+      expect(subject.localhost?).to be(true)
+    end
+
+    it 'returns a LocalhostError' do
+      expect(subject.to_h).to eql(error: SiteInspector::Endpoint::Dns::LocalhostError)
+    end
+  end
+end

data/spec/checks/site_inspector_endpoint_headers_spec.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe SiteInspector::Endpoint::Headers do
+  subject do
+    stub_request(:head, 'http://example.com/')
+      .to_return(status: 200, headers: { foo: 'bar' })
+    endpoint = SiteInspector::Endpoint.new('http://example.com')
+    described_class.new(endpoint)
+  end
+
+  def stub_header(header, value)
+    allow(subject).to receive(:headers) { { header => value } }
+  end
+
+  it 'parses the headers' do
+    expect(subject.headers.count).to be(1)
+    expect(subject.headers.keys).to include('foo')
+  end
+
+  it 'returns a header' do
+    expect(subject['foo']).to eql('bar')
+    expect(subject.headers['foo']).to eql('bar')
+  end
+
+  it 'knows the server' do
+    stub_header 'server', 'foo'
+    expect(subject.server).to eql('foo')
+  end
+
+  it 'knows if a server has an xss protection header' do
+    stub_header 'x-xss-protection', 'foo'
+    expect(subject.xss_protection).to eql('foo')
+  end
+
+  it 'validates xss-protection' do
+    stub_header 'x-xss-protection', 'foo'
+    expect(subject.xss_protection?).to be(false)
+
+    stub_header 'x-xss-protection', '1; mode=block'
+    expect(subject.xss_protection?).to be(true)
+  end
+
+  it 'checks for clickjack proetection' do
+    expect(subject.click_jacking_protection?).to be(false)
+    stub_header 'x-frame-options', 'foo'
+    expect(subject.click_jacking_protection).to eql('foo')
+    expect(subject.click_jacking_protection?).to be(true)
+  end
+
+  it 'checks for CSP' do
+    expect(subject.content_security_policy?).to be(false)
+    stub_header 'content-security-policy', 'foo'
+    expect(subject.content_security_policy).to eql('foo')
+    expect(subject.content_security_policy?).to be(true)
+  end
+
+  it 'checks for strict-transport-security' do
+    expect(subject.strict_transport_security?).to be(false)
+    stub_header 'strict-transport-security', 'foo'
+    expect(subject.strict_transport_security).to eql('foo')
+    expect(subject.strict_transport_security?).to be(true)
+  end
+end

data/spec/checks/site_inspector_endpoint_hsts_spec.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe SiteInspector::Endpoint::Hsts do
+  subject do
+    headers = { 'strict-transport-security' => 'max-age=31536000; includeSubDomains;' }
+    stub_request(:head, 'http://example.com/')
+      .to_return(status: 200, headers: headers)
+    endpoint = SiteInspector::Endpoint.new('http://example.com')
+    described_class.new(endpoint)
+  end
+
+  def stub_header(value)
+    allow(subject).to receive(:header) { value }
+  end
+
+  it 'returns the headers' do
+    expect(subject.send(:headers).class).to eql(SiteInspector::Endpoint::Headers)
+  end
+
+  it 'returns the HSTS header' do
+    expect(subject.send(:header)).to eql('max-age=31536000; includeSubDomains;')
+  end
+
+  it 'parses the directives' do
+    expect(subject.send(:directives).count).to be(2)
+    expect(subject.send(:directives).first).to eql('max-age=31536000')
+    expect(subject.send(:directives).last).to eql('includeSubDomains')
+  end
+
+  it 'parses pairs' do
+    expect(subject.send(:pairs).keys).to include(:"max-age")
+    expect(subject.send(:pairs)[:"max-age"]).to eql('31536000')
+  end
+
+  it 'knows if the header is valid' do
+    expect(subject.valid?).to be(true)
+
+    allow(subject).to receive(:pairs).and_return(['fo o' => 'bar'])
+    expect(subject.valid?).to be(false)
+
+    allow(subject).to receive(:pairs).and_return(["fo'o" => 'bar'])
+    expect(subject.valid?).to be(false)
+  end
+
+  it 'knows the max age' do
+    expect(subject.max_age).to be(31_536_000)
+  end
+
+  it 'knows if subdomains are included' do
+    expect(subject.include_subdomains?).to be(true)
+    allow(subject).to receive(:pairs).and_return(foo: 'bar')
+    expect(subject.include_subdomains?).to be(false)
+  end
+
+  it "knows if it's preloaded" do
+    expect(subject.preload?).to be(false)
+    allow(subject).to receive(:pairs).and_return(preload: nil)
+    expect(subject.preload?).to be(true)
+  end
+
+  it "knows if it's enabled" do
+    expect(subject.enabled?).to be(true)
+
+    allow(subject).to receive(:pairs).and_return("max-age": 0)
+    expect(subject.preload?).to be(false)
+
+    allow(subject).to receive(:pairs).and_return(foo: 'bar')
+    expect(subject.preload?).to be(false)
+  end
+
+  it "knows if it's preload ready" do
+    expect(subject.preload_ready?).to be(false)
+
+    pairs = { "max-age": 10_886_401, preload: nil, includesubdomains: nil }
+    allow(subject).to receive(:pairs) { pairs }
+    expect(subject.preload_ready?).to be(true)
+
+    pairs = { "max-age": 10_886_401, includesubdomains: nil }
+    allow(subject).to receive(:pairs) { pairs }
+    expect(subject.preload_ready?).to be(false)
+
+    pairs = { "max-age": 10_886_401, preload: nil, includesubdomains: nil }
+    allow(subject).to receive(:pairs) { pairs }
+    expect(subject.preload_ready?).to be(true)
+
+    pairs = { "max-age": 5, preload: nil, includesubdomains: nil }
+    allow(subject).to receive(:pairs) { pairs }
+    expect(subject.preload_ready?).to be(false)
+  end
+end

data/spec/checks/site_inspector_endpoint_https_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe SiteInspector::Endpoint::Https do
+  subject do
+    stub_request(:head, 'https://example.com/')
+      .to_return(status: 200)
+    endpoint = SiteInspector::Endpoint.new('https://example.com')
+    allow(endpoint.response).to receive(:return_code).and_return(:ok)
+    described_class.new(endpoint)
+  end
+
+  it 'knows the scheme' do
+    expect(subject.send(:scheme)).to eql('https')
+  end
+
+  it 'knows if the scheme is https' do
+    expect(subject.scheme?).to be(true)
+    allow(subject).to receive(:scheme).and_return('http')
+    expect(subject.scheme?).to be(false)
+  end
+
+  it "knows if it's valid" do
+    expect(subject.valid?).to be(true)
+  end
+
+  it "knows when there's a bad chain" do
+    expect(subject.bad_chain?).to be(false)
+
+    url = Addressable::URI.parse('https://example.com')
+    response = Typhoeus::Response.new(return_code: :ssl_cacert)
+    response.request = Typhoeus::Request.new(url)
+
+    allow(subject).to receive(:response) { response }
+    expect(subject.bad_chain?).to be(true)
+  end
+
+  it "knows when there's a bad name" do
+    expect(subject.bad_name?).to be(false)
+
+    url = Addressable::URI.parse('https://example.com')
+    response = Typhoeus::Response.new(return_code: :peer_failed_verification)
+    response.request = Typhoeus::Request.new(url)
+
+    allow(subject).to receive(:response) { response }
+    expect(subject.bad_name?).to be(true)
+  end
+end

data/spec/checks/site_inspector_endpoint_sniffer_spec.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe SiteInspector::Endpoint::Sniffer do
+  def stub_header(header, value)
+    allow(subject.endpoint.headers).to receive(:headers) { { header => value } }
+  end
+
+  def set_cookie(key, value)
+    cookies = [
+      CGI::Cookie.new(
+        'name' => 'foo',
+        'value' => 'bar',
+        'domain' => 'example.com',
+        'path' => '/'
+      ),
+      CGI::Cookie.new(
+        'name' => key,
+        'value' => value,
+        'domain' => 'example.com',
+        'path' => '/'
+      )
+    ].map(&:to_s)
+
+    stub_request(:get, 'http://example.com/')
+      .to_return(status: 200, body: '')
+
+    stub_request(:head, 'http://example.com/')
+      .to_return(status: 200, headers: { 'set-cookie' => cookies })
+  end
+
+  context 'stubbed body' do
+    subject do
+      body = <<-BODY
+        <html>
+          <head>
+            <link rel='stylesheet' href='/wp-content/themes/foo/style.css type='text/css' media='all' />
+          </head>
+          <body>
+            <h1>Some page</h1>
+            <script>
+              jQuery(); googletag.pubads();
+            </script>
+            <script>
+              var _gaq=[['_setAccount','UA-12345678-1'],['_trackPageview']];
+              (function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
+              g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
+              s.parentNode.insertBefore(g,s)}(document,'script'));
+            </script>
+          </body>
+        </html>
+      BODY
+
+      stub_request(:get, 'http://example.com/')
+        .to_return(status: 200, body: body)
+
+      stub_request(:head, 'http://example.com/')
+        .to_return(status: 200)
+      endpoint = SiteInspector::Endpoint.new('http://example.com')
+      described_class.new(endpoint)
+    end
+
+    it 'sniffs' do
+      sniff = subject.send(:sniff, :cms)
+      expect(sniff).to be(:wordpress)
+    end
+
+    it 'detects the CMS' do
+      expect(subject.framework).to be(:wordpress)
+    end
+
+    it 'detects the analytics' do
+      expect(subject.analytics).to be(:google_analytics)
+    end
+
+    it 'detects javascript' do
+      expect(subject.javascript).to be(:jquery)
+    end
+
+    it 'detects advertising' do
+      expect(subject.advertising).to be(:adsense)
+    end
+
+    it 'knows wordpress is open source' do
+      expect(subject.open_source?).to be(true)
+    end
+  end
+
+  context 'no body' do
+    subject do
+      endpoint = SiteInspector::Endpoint.new('http://example.com')
+      described_class.new(endpoint)
+    end
+
+    it "knows when something isn't open source" do
+      set_cookie('foo', 'bar')
+      expect(subject.open_source?).to be(false)
+    end
+
+    it 'detects PHP' do
+      set_cookie('PHPSESSID', '1234')
+      expect(subject.framework).to be(:php)
+      expect(subject.open_source?).to be(true)
+    end
+
+    it 'detects Expression Engine' do
+      set_cookie('exp_csrf_token', '1234')
+      expect(subject.framework).to be(:expression_engine)
+      expect(subject.open_source?).to be(true)
+    end
+
+    it 'detects cowboy' do
+      stub_request(:get, 'http://example.com/')
+        .to_return(status: 200, body: '')
+
+      stub_request(:head, 'http://example.com/')
+        .to_return(status: 200, headers: { 'server' => 'Cowboy' })
+
+      expect(subject.framework).to be(:cowboy)
+      expect(subject.open_source?).to be(true)
+    end
+
+    it 'detects ColdFusion' do
+      cookies = [
+        CGI::Cookie.new(
+          'name' => 'CFID',
+          'value' => '1234',
+          'domain' => 'example.com',
+          'path' => '/'
+        ),
+        CGI::Cookie.new(
+          'name' => 'CFTOKEN',
+          'value' => '5678',
+          'domain' => 'example.com',
+          'path' => '/'
+        )
+      ].map(&:to_s)
+
+      stub_request(:get, 'http://example.com/')
+        .to_return(status: 200, body: '')
+
+      stub_request(:head, 'http://example.com/')
+        .to_return(status: 200, headers: { 'set-cookie' => cookies })
+
+      expect(subject.framework).to be(:coldfusion)
+      expect(subject.open_source?).to be(false)
+    end
+  end
+end