Update upstream source from tag 'upstream/0.13.3'
Update to upstream version '0.13.3'
with Debian dir d7c5fd052a6eae2ce6f7a03f0d096075f2e65243
Sophie Brun
3 years ago
| 33 | 33 | Exclude: |
| 34 | 34 | - app/controllers/core/cli_options.rb |
| 35 | 35 | Metrics/ParameterLists: |
| 36 | Max: 6 | |
| 36 | 37 | MaxOptionalParameters: 4 |
| 37 | 38 | Metrics/PerceivedComplexity: |
| 38 | 39 | Max: 9 |
| 8 | 8 | s.platform = Gem::Platform::RUBY |
| 9 | 9 | s.required_ruby_version = '>= 2.5' |
| 10 | 10 | s.authors = ['WPScanTeam'] |
| 11 | s.email = ['[email protected]'] | |
| 11 | s.email = ['[email protected]'] | |
| 12 | 12 | s.summary = 'CMS Scanner Framework (experimental)' |
| 13 | 13 | s.description = 'Framework to provide an easy way to implement CMS Scanners' |
| 14 | 14 | s.homepage = 'https://github.com/wpscanteam/CMSScanner' |
| 20 | 20 | |
| 21 | 21 | s.add_dependency 'get_process_mem', '~> 0.2.5' |
| 22 | 22 | s.add_dependency 'nokogiri', '~> 1.11.0' |
| 23 | s.add_dependency 'opt_parse_validator', '~> 1.9.3' | |
| 23 | s.add_dependency 'opt_parse_validator', '~> 1.9.4' | |
| 24 | 24 | s.add_dependency 'public_suffix', '~> 4.0.3' |
| 25 | 25 | s.add_dependency 'ruby-progressbar', '>= 1.10', '< 1.12' |
| 26 | 26 | s.add_dependency 'typhoeus', '>= 1.3', '< 1.5' |
| 33 | 33 | s.add_development_dependency 'rake', '~> 13.0' |
| 34 | 34 | s.add_development_dependency 'rspec', '~> 3.10.0' |
| 35 | 35 | s.add_development_dependency 'rspec-its', '~> 1.3.0' |
| 36 | s.add_development_dependency 'rubocop', '~> 1.9.1' | |
| 37 | s.add_development_dependency 'rubocop-performance', '~> 1.9.0' | |
| 36 | s.add_development_dependency 'rubocop', '~> 1.11.0' | |
| 37 | s.add_development_dependency 'rubocop-performance', '~> 1.10.0' | |
| 38 | 38 | s.add_development_dependency 'simplecov', '~> 0.21.0' |
| 39 | 39 | s.add_development_dependency 'simplecov-lcov', '~> 0.8.0' |
| 40 | s.add_development_dependency 'webmock', '~> 3.11.0' | |
| 40 | s.add_development_dependency 'webmock', '~> 3.12.0' | |
| 41 | 41 | end |
| 58 | 58 | |
| 59 | 59 | full_res = NS::Browser.get(head_res.effective_url, full_request_params) |
| 60 | 60 | |
| 61 | return unless valid_response_codes.include?(full_res.code) | |
| 62 | ||
| 61 | 63 | return if target.homepage_or_404?(full_res) || |
| 62 | 64 | opts[:exclude_content] && full_res.body&.match(opts[:exclude_content]) |
| 63 | 65 |
| 85 | 85 | |
| 86 | 86 | # @return [ String ] The URL to the metasploit module page |
| 87 | 87 | def msf_url(mod) |
| 88 | "https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}" | |
| 88 | "https://www.rapid7.com/db/modules/#{mod.sub(%r{^/}, '')}/" | |
| 89 | 89 | end |
| 90 | 90 | |
| 91 | 91 | # @return [ Array<String> ] The Packetstormsecurity IDs |
| 4 | 4 | class Vulnerability |
| 5 | 5 | include References |
| 6 | 6 | |
| 7 | attr_reader :title, :type, :fixed_in, :cvss | |
| 7 | attr_reader :title, :type, :fixed_in, :introduced_in, :cvss | |
| 8 | 8 | |
| 9 | 9 | # @param [ String ] title |
| 10 | 10 | # @param [ Hash ] references |
| 17 | 17 | # @option references [ Array<String> ] :youtube |
| 18 | 18 | # @param [ String ] type |
| 19 | 19 | # @param [ String ] fixed_in |
| 20 | # @param [ String ] introduced_in | |
| 20 | 21 | # @param [ HashSymbol ] cvss |
| 21 | 22 | # @option cvss [ String ] :score |
| 22 | 23 | # @option cvss [ String ] :vector |
| 23 | def initialize(title, references: {}, type: nil, fixed_in: nil, cvss: nil) | |
| 24 | @title = title | |
| 25 | @type = type | |
| 26 | @fixed_in = fixed_in | |
| 27 | @cvss = { score: cvss[:score], vector: cvss[:vector] } if cvss | |
| 24 | def initialize(title, references: {}, type: nil, fixed_in: nil, introduced_in: nil, cvss: nil) | |
| 25 | @title = title | |
| 26 | @type = type | |
| 27 | @fixed_in = fixed_in | |
| 28 | @introduced_in = introduced_in | |
| 29 | @cvss = { score: cvss[:score], vector: cvss[:vector] } if cvss | |
| 28 | 30 | |
| 29 | 31 | self.references = references |
| 30 | 32 | end |
| 27 | 27 | end |
| 28 | 28 | |
| 29 | 29 | context 'when check_full_response is true' do |
| 30 | let(:opts) { super().merge(check_full_response: true) } | |
| 31 | let(:body) { '' } | |
| 32 | ||
| 33 | before { stub_request(:get, effective_url).to_return(body: body) } | |
| 30 | let(:opts) { super().merge(check_full_response: true) } | |
| 31 | let(:body) { '' } | |
| 32 | let(:status) { 200 } | |
| 33 | ||
| 34 | before { stub_request(:get, effective_url).to_return(body: body, status: status) } | |
| 34 | 35 | |
| 35 | 36 | context 'when the body matches the 404 homepage' do |
| 36 | 37 | it 'returns nil' do |
| 37 | 38 | expect(target).to receive(:homepage_or_404?).and_return(true) |
| 39 | ||
| 40 | expect(finder.maybe_get_full_response(head_res, opts)).to eql nil | |
| 41 | end | |
| 42 | end | |
| 43 | ||
| 44 | context 'when the status is not valid' do | |
| 45 | let(:status) { 404 } | |
| 46 | ||
| 47 | it 'returns nil' do | |
| 48 | allow(target).to receive(:homepage_or_404?).and_return(false) | |
| 38 | 49 | |
| 39 | 50 | expect(finder.maybe_get_full_response(head_res, opts)).to eql nil |
| 40 | 51 | end |
| 8 | 8 | it_behaves_like CMSScanner::References |
| 9 | 9 | |
| 10 | 10 | describe '#new' do |
| 11 | its(:title) { should eql title } | |
| 12 | its(:references) { should eql({}) } | |
| 13 | its(:type) { should eql nil } | |
| 14 | its(:fixed_in) { should eql nil } | |
| 15 | its(:cvss) { should eql nil } | |
| 11 | its(:title) { should eql title } | |
| 12 | its(:references) { should eql({}) } | |
| 13 | its(:type) { should eql nil } | |
| 14 | its(:fixed_in) { should eql nil } | |
| 15 | its(:introduced_in) { should eql nil } | |
| 16 | its(:cvss) { should eql nil } | |
| 16 | 17 | |
| 17 | 18 | context 'when CVSS' do |
| 18 | 19 | let(:cvss) { { score: '5.4', vector: 'spec', y: 'key should not be added' } } |
| 50 | 50 | its(:urls) { should eql %w[single-url] } |
| 51 | 51 | |
| 52 | 52 | its(:msf_modules) { should eql %w[/exploit/yolo] } |
| 53 | its(:msf_urls) { should eql %w[https://www.rapid7.com/db/modules/exploit/yolo] } | |
| 53 | its(:msf_urls) { should eql %w[https://www.rapid7.com/db/modules/exploit/yolo/] } | |
| 54 | 54 | |
| 55 | 55 | its(:packetstorm_ids) { should eq %w[15] } |
| 56 | 56 | its(:packetstorm_urls) { should eql %w[https://packetstormsecurity.com/files/15/] } |
| 65 | 65 | 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-11', |
| 66 | 66 | 'https://www.exploit-db.com/exploits/14/', |
| 67 | 67 | 'single-url', |
| 68 | 'https://www.rapid7.com/db/modules/exploit/yolo', | |
| 68 | 'https://www.rapid7.com/db/modules/exploit/yolo/', | |
| 69 | 69 | 'https://packetstormsecurity.com/files/15/', |
| 70 | 70 | 'https://www.securityfocus.com/bid/16/', |
| 71 | 71 | 'https://www.youtube.com/watch?v=xAAAA' |
| 104 | 104 | |
| 105 | 105 | its(:msf_modules) { should eql %w[/exploit/yolo exploit/aa] } |
| 106 | 106 | its(:msf_urls) do |
| 107 | should eql %w[https://www.rapid7.com/db/modules/exploit/yolo | |
| 108 | https://www.rapid7.com/db/modules/exploit/aa] | |
| 107 | should eql %w[https://www.rapid7.com/db/modules/exploit/yolo/ | |
| 108 | https://www.rapid7.com/db/modules/exploit/aa/] | |
| 109 | 109 | end |
| 110 | 110 | |
| 111 | 111 | its(:packetstorm_ids) { should eq %w[50 51] } |
| 130 | 130 | 'https://www.exploit-db.com/exploits/41/', |
| 131 | 131 | 'single-url', |
| 132 | 132 | 'another-url', |
| 133 | 'https://www.rapid7.com/db/modules/exploit/yolo', | |
| 134 | 'https://www.rapid7.com/db/modules/exploit/aa', | |
| 133 | 'https://www.rapid7.com/db/modules/exploit/yolo/', | |
| 134 | 'https://www.rapid7.com/db/modules/exploit/aa/', | |
| 135 | 135 | 'https://packetstormsecurity.com/files/50/', |
| 136 | 136 | 'https://packetstormsecurity.com/files/51/', |
| 137 | 137 | 'https://www.securityfocus.com/bid/60/', |