wpscan 3.8.28 → 4.0.0

data/lib/wpscan/browser/options.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module WPScan
+  # Options available in the Browser
+  class Browser
+    OPTIONS = %i[
+      cache_ttl
+      cookie_jar
+      cookie_string
+      connect_timeout
+      disable_tls_checks
+      headers
+      http_auth
+      max_threads
+      proxy
+      proxy_auth
+      random_user_agent
+      request_timeout
+      throttle
+      url
+      user_agent
+      user_agents_list
+      vhost
+    ].freeze
+
+    attr_accessor(*OPTIONS)
+
+    # @return [ String ]
+    def default_user_agent
+      "#{NS} v#{WPScan::VERSION}"
+    end
+
+    # @return [ Typhoeus::Hydra ]
+    def hydra
+      @hydra ||= Typhoeus::Hydra.new(max_concurrency: max_threads || 1)
+    end
+
+    # @param [ Hash ] options
+    def load_options(options = {})
+      OPTIONS.each do |sym|
+        send("#{sym}=", options[sym]) if options.key?(sym)
+      end
+    end
+
+    # Set the threads attribute and update hydra accordinly
+    # If the throttle attribute is > 0, max_threads will be forced to 1
+    #
+    # @param [ Integer ] number
+    def max_threads=(number)
+      @max_threads = number.to_i.positive? && throttle.zero? ? number.to_i : 1
+
+      hydra.max_concurrency = @max_threads
+    end
+
+    # @return [ String ] The user agent
+    def user_agent
+      @user_agent ||= random_user_agent ? user_agents.sample : default_user_agent
+    end
+
+    # @return [ Array<String> ]
+    def user_agents
+      return @user_agents if @user_agents
+
+      @user_agents = []
+
+      # The user_agents_list is managed by the CLI options, with the default being
+      # APP_DIR/user_agents.txt
+      File.open(user_agents_list) do |f|
+        f.each do |line|
+          next if line == "\n" || line[0, 1] == '#'
+
+          @user_agents << line.chomp
+        end
+      end
+
+      @user_agents
+    end
+
+    # @param [ value ] The throttle time in milliseconds
+    #
+    # if value > 0, the max_threads will be set to 1
+    def throttle=(value)
+      @throttle = value.to_i.abs / 1000.0
+
+      self.max_threads = 1 if @throttle.positive?
+    end
+
+    def trottle!
+      sleep(throttle) if throttle.positive?
+    end
+  end
+end

data/lib/wpscan/browser.rb

@@ -1,13 +1,98 @@
 # frozen_string_literal: true
 
+require 'wpscan/browser/actions'
+require 'wpscan/browser/options'
+
 module WPScan
-  # Custom Browser
-  class Browser < CMSScanner::Browser
+  # Singleton used to perform HTTP/HTTPS requests to the target.
+  class Browser
     extend Actions
 
+    def initialize(parsed_options = {})
+      self.throttle = 0
+
+      load_options(parsed_options.dup)
+    end
+
+    private_class_method :new
+
+    # @param [ Hash ] parsed_options
+    #
+    # @return [ Browser ] The instance
+    def self.instance(parsed_options = {})
+      @@instance ||= new(parsed_options)
+    end
+
+    def self.reset
+      @@instance = nil
+    end
+
     # @return [ String ]
     def default_user_agent
       @default_user_agent ||= "WPScan v#{VERSION} (https://wpscan.com/wordpress-security-scanner)"
     end
+
+    # @param [ String ] url
+    # @param [ Hash ] params
+    #
+    # @return [ Typhoeus::Request ]
+    def forge_request(url, params = {})
+      Typhoeus::Request.new(url, request_params(params))
+    end
+
+    # @return [ Hash ] The request params used to connect to the target as well as other systems (e.g. API).
+    def default_connect_request_params
+      params = {}
+
+      if disable_tls_checks
+        # See http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
+        params[:ssl_verifypeer] = false
+        params[:ssl_verifyhost] = 0
+        # TLSv1.0 and plus, allows to use a protocol potentially lower than the OS default
+        params[:sslversion] = :tlsv1
+      end
+
+      {
+        connecttimeout: :connect_timeout, cache_ttl: :cache_ttl,
+        proxy: :proxy, timeout: :request_timeout
+      }.each do |typhoeus_opt, browser_opt|
+        attr_value = public_send(browser_opt)
+        params[typhoeus_opt] = attr_value unless attr_value.nil?
+      end
+
+      params
+    end
+
+    # @return [ Hash ]
+    # The params are not cached (using @params ||= for example) so they are set accordingly if updated
+    # by a controller / other piece of code.
+    def default_request_params
+      params = default_connect_request_params.merge(
+        headers: { 'User-Agent' => user_agent, 'Referer' => url }.merge(headers || {}),
+        accept_encoding: 'gzip, deflate',
+        method: :get
+      )
+
+      { cookiejar: :cookie_jar, cookiefile: :cookie_jar, cookie: :cookie_string }.each do |typhoeus_opt, browser_opt|
+        attr_value = public_send(browser_opt)
+        params[typhoeus_opt] = attr_value unless attr_value.nil?
+      end
+
+      params[:proxyuserpwd] = "#{proxy_auth[:username]}:#{proxy_auth[:password]}" if proxy_auth
+      params[:userpwd] = "#{http_auth[:username]}:#{http_auth[:password]}" if http_auth
+
+      params[:headers]['Host'] = vhost if vhost
+
+      params
+    end
+
+    # @param [ Hash ] params
+    #
+    # @return [ Hash ]
+    def request_params(params = {})
+      default_request_params.merge(params) do |key, oldval, newval|
+        key == :headers ? oldval.merge(newval) : newval
+      end
+    end
   end
 end

data/lib/wpscan/browser_authenticator.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'ferrum'
+
+module WPScan
+  module BrowserAuthenticator
+    # Characters that, if present in a cookie name or value, would corrupt the
+    # serialized Cookie header. Per RFC 6265 these are forbidden in cookie-octets,
+    # but a noncompliant IdP could still emit them.
+    COOKIE_DELIMITERS = /[;,\s]/
+
+    def self.authenticate(login_url)
+      unless $stdin.tty?
+        raise WPScan::Error::BrowserFailed,
+              'SAML authentication needs an interactive terminal to wait for login, but stdin is not a TTY. ' \
+              'Run wpscan from a real shell when using --expect-saml.'
+      end
+
+      cookies = run_login_session(login_url)
+
+      raise WPScan::Error::SAMLAuthenticationFailed if cookies.nil? || cookies.empty?
+
+      serialize_cookies(cookies)
+    end
+
+    # Drives the interactive browser session and returns the resulting cookie jar.
+    # Translates Ferrum failures into BrowserFailed with a context-specific message.
+    def self.run_login_session(login_url)
+      browser = Ferrum::Browser.new(headless: false)
+
+      puts 'SAML authentication needed. Log in via the browser window that just opened, then press enter.'
+      browser.goto(login_url)
+      gets # Waits for user input
+
+      # Attempt an innocuous command to check if the browser is still responsive
+      browser.current_url
+
+      browser.cookies.all
+    rescue Ferrum::BinaryNotFoundError, Ferrum::EmptyPathError => e
+      raise WPScan::Error::BrowserFailed, chrome_not_found_message(e)
+    rescue Ferrum::Error => e
+      raise WPScan::Error::BrowserFailed,
+            'The browser was closed or failed before SAML authentication could be completed ' \
+            "(#{e.class}: #{e.message})."
+    ensure
+      browser.quit if browser&.process
+    end
+
+    def self.chrome_not_found_message(error)
+      '--expect-saml requires Chrome or Chromium to be installed and available on PATH ' \
+        '(install Chrome / Chromium, or point Ferrum at a binary via BROWSER_PATH). ' \
+        "Underlying error: #{error.message}"
+    end
+
+    def self.serialize_cookies(cookies)
+      cookies.map do |_name, cookie|
+        raise WPScan::Error::SAMLAuthenticationFailed if cookie.name.match?(COOKIE_DELIMITERS) ||
+                                                         cookie.value.to_s.match?(COOKIE_DELIMITERS)
+
+        "#{cookie.name}=#{cookie.value}"
+      end.join('; ')
+    end
+  end
+end

data/lib/wpscan/cache/file_store.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module WPScan
+  module Cache
+    # Cache Implementation using files
+    class FileStore
+      attr_reader :storage_path, :serializer
+
+      # The serializer must have the 2 methods #load and #dump
+      #   (Marshal and YAML have them)
+      # YAML is Human Readable, contrary to Marshal which store in a binary format
+      # Marshal does not need any "require"
+      #
+      # @param [ String ] storage_path
+      # @param [ Constant ] serializer
+      def initialize(storage_path, serializer = Marshal)
+        @storage_path = File.expand_path(storage_path)
+        @serializer   = serializer
+
+        FileUtils.mkdir_p(@storage_path)
+      end
+
+      # TODO: rename this to clear ?
+      def clean
+        Dir[File.join(storage_path, '*')].each do |f|
+          File.delete(f) unless File.symlink?(f)
+        end
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ Mixed ]
+      def read_entry(key)
+        return if expired_entry?(key)
+
+        serializer.load(File.read(entry_path(key)))
+      rescue StandardError
+        nil
+      end
+
+      # @param [ String ] key
+      # @param [ Mixed ] data_to_store
+      # @param [ Integer ] cache_ttl
+      def write_entry(key, data_to_store, cache_ttl)
+        return unless cache_ttl.to_i.positive?
+
+        File.write(entry_path(key), serializer.dump(data_to_store))
+        File.write(entry_expiration_path(key), Time.now.to_i + cache_ttl)
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ String ] The file path associated to the key
+      def entry_path(key)
+        File.join(storage_path, key)
+      end
+
+      # @param [ String ] key
+      #
+      # @return [ String ] The expiration file path associated to the key
+      def entry_expiration_path(key)
+        "#{entry_path(key)}.expiration"
+      end
+
+      private
+
+      # @param [ String ] key
+      #
+      # @return [ Boolean ]
+      def expired_entry?(key)
+        File.read(entry_expiration_path(key)).to_i <= Time.now.to_i
+      rescue StandardError
+        true
+      end
+    end
+  end
+end

data/lib/wpscan/cache/typhoeus.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'wpscan/cache/file_store'
+
+module WPScan
+  module Cache
+    # Cache implementation for Typhoeus
+    class Typhoeus < FileStore
+      # @param [ Typhoeus::Request ] request
+      #
+      # @return [ Typhoeus::Response ]
+      def get(request)
+        read_entry(request.hash.to_s)
+      end
+
+      # @param [ Typhoeus::Request ] request
+      # @param [ Typhoeus::Response ] response
+      def set(request, response)
+        return if response.timed_out? || response.code&.zero?
+
+        write_entry(request.hash.to_s, response, request.cache_ttl)
+      end
+    end
+  end
+end

data/lib/wpscan/controller.rb

@@ -1,10 +1,106 @@
 # frozen_string_literal: true
 
 module WPScan
-  # Needed to load at least the Core controller
-  # Otherwise, the following error will be raised:
-  # `initialize': uninitialized constant WPScan::Controller::Core (NameError)
   module Controller
-    include CMSScanner::Controller
+    # Base Controller
+    class Base
+      include OptParseValidator
+
+      # @return [ Array<OptParseValidator::OptBase> ]
+      def cli_options; end
+
+      def before_scan; end
+
+      def run; end
+
+      def after_scan; end
+
+      def ==(other)
+        self.class == other.class
+      end
+
+      # Reset all the class attributes. Currently only used in specs.
+      def self.reset
+        @@target    = nil
+        @@datastore = nil
+        @@formatter = nil
+      end
+
+      # @return [ Target ]
+      def target
+        @@target ||= WPScan::Target.new(WPScan::ParsedCli.url, WPScan::ParsedCli.options)
+      end
+
+      # @param [ OptParseValidator::OptParser ] parser
+      def self.option_parser=(parser)
+        @@option_parser = parser
+      end
+
+      # @return [ OptParseValidator::OptParser ]
+      def option_parser
+        @@option_parser
+      end
+
+      # @return [ Hash ]
+      def datastore
+        @@datastore ||= {}
+      end
+
+      # @return [ Formatter::Base ]
+      def formatter
+        @@formatter ||= WPScan::Formatter.load(WPScan::ParsedCli.format, datastore[:views])
+      end
+
+      # @see Formatter#output
+      #
+      # @return [ Void ]
+      def output(tpl, vars = {})
+        formatter.output(*tpl_params(tpl, vars))
+      end
+
+      # @see Formatter#render
+      #
+      # @return [ String ]
+      def render(tpl, vars = {})
+        formatter.render(*tpl_params(tpl, vars))
+      end
+
+      # @return [ Boolean ]
+      def user_interaction?
+        formatter.user_interaction? && !WPScan::ParsedCli.output
+      end
+
+      # @return [ Pathname ]
+      def tmp_directory
+        return Pathname.new(ENV['TMPDIR']).join(WPScan.app_name) if ENV['TMPDIR']
+
+        WPScan.user_cache_dir
+      end
+
+      protected
+
+      # @param [ String ] tpl
+      # @param [ Hash ] vars
+      #
+      # @return [ Array<String> ]
+      def tpl_params(tpl, vars)
+        [
+          tpl,
+          instance_variable_values.merge(vars),
+          self.class.name.demodulize.underscore
+        ]
+      end
+
+      # @return [ Hash ] All instance variable keys (and their values) plus the verbose value.
+      def instance_variable_values
+        h = { verbose: WPScan::ParsedCli.verbose }
+        instance_variables.each do |a|
+          s    = a.to_s
+          n    = s[1..s.size]
+          h[n.to_sym] = instance_variable_get(a)
+        end
+        h
+      end
+    end
   end
 end

data/lib/wpscan/controllers.rb

@@ -1,10 +1,85 @@
 # frozen_string_literal: true
 
 module WPScan
-  # Override to set the OptParser's summary width to 45 (instead of 40 from the CMSScanner)
-  class Controllers < CMSScanner::Controllers
+  # Controllers container. Summary width is 45 (wpscan-specific; upstream default was 40).
+  class Controllers < Array
+    attr_reader :option_parser, :running
+
+    # @param [ OptParseValidator::OptParser ] option_parser
     def initialize(option_parser = OptParseValidator::OptParser.new(nil, 45))
-      super(option_parser)
+      @option_parser = option_parser
+
+      register_config_files
+
+      option_parser.config_files.result_key = 'cli_options'
+    end
+
+    # Registers the potential option-file paths with the option_parser.
+    def register_config_files
+      # XDG Base Directory support for configuration
+      # https://specifications.freedesktop.org/basedir/latest/
+      xdg = ENV.fetch('XDG_CONFIG_HOME', nil)
+      xdg = Pathname.new(Dir.home).join('.config') if xdg.nil? || xdg.empty?
+      app = WPScan.app_name
+
+      dirs = [[xdg, app], [Dir.home, ".#{app}"], [Dir.pwd, ".#{app}"]]
+      exts = option_parser.config_files.class.supported_extensions
+
+      dirs.product(exts).each do |(dir, sub), ext|
+        option_parser.config_files << Pathname.new(dir).join(sub, "scan.#{ext}").to_s
+      end
+    end
+
+    # @param [ Controller::Base ] controller
+    #
+    # @return [ Controllers ] self
+    def <<(controller)
+      options = controller.cli_options
+
+      unless include?(controller)
+        option_parser.add(*options) if options
+        super
+      end
+      self
+    end
+
+    # Force the non-colored CLI formatter when ANSI escapes would be
+    # unwanted: writing to a file, piping to another process, or when the
+    # caller has set NO_COLOR (see https://no-color.org). Explicit
+    # --format choices are preserved.
+    def apply_no_colour_default
+      return if WPScan::ParsedCli.options[:format]
+
+      no_color = ENV.fetch('NO_COLOR', nil)
+      return unless WPScan::ParsedCli.output || !$stdout.tty? || (no_color && !no_color.empty?)
+
+      WPScan::ParsedCli.options[:format] = 'cli-no-colour'
+    end
+
+    def run
+      WPScan::ParsedCli.options = option_parser.results
+      first.class.option_parser = option_parser # needed to output help on -h/--hh
+
+      apply_no_colour_default
+      redirect_output_to_file(WPScan::ParsedCli.output) if WPScan::ParsedCli.output
+
+      Timeout.timeout(WPScan::ParsedCli.max_scan_duration, WPScan::Error::MaxScanDurationReached) do
+        each(&:before_scan)
+
+        @running = true
+
+        each(&:run)
+      end
+    ensure
+      # The rescue prevents unfinished requests from raising, which would stop reverse_each from running.
+      # rubocop:disable Style/RescueModifier
+      WPScan::Browser.instance.hydra.abort rescue nil
+      # rubocop:enable Style/RescueModifier
+
+      # Reverse order: app/controllers/core#after_scan finishes the output and must be last.
+      # Guarantees stats are output even on error. after_scan runs only if scan was actually running
+      # (skipped on CLI error, -h/--hh/--version).
+      reverse_each(&:after_scan) if running
     end
   end
 end

data/lib/wpscan/db/dynamic_finders/base.rb

@@ -4,18 +4,14 @@ module WPScan
   module DB
     module DynamicFinders
       class Base
-        # @return [ String ]
+        # @return [ Pathname ]
         def self.df_file
-          @df_file ||= DB_DIR.join('dynamic_finders.yml').to_s
+          @df_file ||= DB_DIR.join('dynamic_finders.yml')
         end
 
         # @return [ Hash ]
         def self.all_df_data
-          @all_df_data ||= if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('4.0.0')
-                             YAML.safe_load(File.read(df_file), permitted_classes: [Regexp])
-                           else
-                             YAML.safe_load(File.read(df_file), [Regexp])
-                           end
+          @all_df_data ||= YAML.safe_load_file(df_file, permitted_classes: [Regexp])
         end
 
         # @return [ Array<Symbol> ]

data/lib/wpscan/db/dynamic_finders/plugin.rb

@@ -66,7 +66,7 @@ module WPScan
           # What about slugs such as js_composer which will be done as JsComposer, just like js-composer
           constant_name = classify_slug(slug)
 
-          unless version_finder_module.constants.include?(constant_name)
+          unless version_finder_module.const_defined?(constant_name, false)
             version_finder_module.const_set(constant_name, Module.new)
           end
 
@@ -92,7 +92,7 @@ module WPScan
 
             next unless allowed_classes.include?(klass.to_sym)
 
-            created << if mod.constants.include?(finder_class.to_sym)
+            created << if mod.const_defined?(finder_class.to_sym, false)
                          mod.const_get(finder_class.to_sym)
                        else
                          version_finder_super_class(klass).create_child_class(mod, finder_class.to_sym, config)

data/lib/wpscan/db/dynamic_finders/wordpress.rb

@@ -59,7 +59,7 @@ module WPScan
             # So that, when new DF configs are put in the .yml
             # users with old version of WPScan will still be able to scan blogs
             # when updating the DB but not the tool
-            next if version_finder_module.constants.include?(finder_class.to_sym) ||
+            next if version_finder_module.const_defined?(finder_class.to_sym, false) ||
                     !allowed_classes.include?(klass.to_sym)
 
             version_finder_super_class(klass).create_child_class(version_finder_module, finder_class.to_sym, config)

data/lib/wpscan/db/fingerprints.rb

@@ -33,9 +33,9 @@ module WPScan
         unique_fingerprints
       end
 
-      # @return [ String ]
+      # @return [ Pathname ]
       def self.wp_fingerprints_path
-        @wp_fingerprints_path ||= DB_DIR.join('wp_fingerprints.json').to_s
+        @wp_fingerprints_path ||= DB_DIR.join('wp_fingerprints.json')
       end
 
       # @return [ Hash ]