wpscanteam
GitHub Repository: wpscanteam/wpscan
Path: blob/master/app/finders/users/oembed_api.rb
# frozen_string_literal: true
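module WPScan
  module Finders
    module Users
      # Since WP 4.4, the oembed API can disclose a user
      # https://github.com/wpscanteam/wpscan/issues/1049
      #
      # The finder asks the target's oEmbed endpoint to describe the target's
      # own URL and reads the author_url / author_name fields of the JSON
      # answer. That answer is produced by the scanned site, so it is treated
      # as untrusted: its shape and field types are checked before use.
      class OembedApi < CMSScanner::Finders::Finder
        # Placeholder for a passive check; no request is made.
        #
        # @param [ Hash ] _opts Unused
        #
        # @return [ nil ] The body holds only the TODO below, so nothing is
        #   returned yet (not the Array<User> a finished check would give)
        def passive(_opts = {})
          # TODO: get the api_url from the Homepage and query it if present,
          # then discard the aggressive check if same/similar URL
        end

        # Queries the oEmbed endpoint and turns a disclosed author into a User.
        #
        # @param [ Hash ] _opts Unused
        #
        # @return [ Array<User> ] One User when an author is disclosed, an
        #   empty Array when none is found or the body is not valid JSON
        def aggressive(_opts = {})
          oembed_data = JSON.parse(Browser.get(api_url).body)
          details     = user_details_from_oembed_data(oembed_data)

          return [] unless details

          username, source, confidence = details

          [Model::User.new(username,
                           found_by: format(found_by_msg, source),
                           confidence: confidence,
                           interesting_entries: [api_url])]
        rescue JSON::ParserError
          []
        end

        # Extracts the author from a parsed oEmbed response.
        #
        # @param [ Object ] oembed_data Parsed JSON (a Hash, or an Array whose
        #   first item is used)
        #
        # @return [ Array, nil ] [username, source label, confidence], or nil
        #   when the data holds no usable author
        def user_details_from_oembed_data(oembed_data)
          return unless oembed_data

          oembed_data = oembed_data.first if oembed_data.is_a?(Array)

          # The body comes from the scanned site. An empty array, a scalar or
          # a list of scalars is still valid JSON and used to reach the key
          # lookups below, raising NoMethodError / TypeError instead of
          # yielding "no user found".
          return unless oembed_data.is_a?(Hash)

          author_url  = oembed_data['author_url']
          author_name = oembed_data['author_name']

          # Only Strings are accepted, so a numeric or nested value in either
          # field cannot raise here or end up as a username.
          if author_url.is_a?(String) && author_url =~ %r{/author/([^/]+)/?\z}
            # The slug in the author archive URL is preferred over the display
            # name and is given the higher confidence.
            [Regexp.last_match(1), 'Author URL', 90]
          elsif author_name.is_a?(String) && !author_name.empty?
            [author_name, 'Author Name', 70]
          end
        end

        # @return [ String ] Format string for the found_by label; %s is
        #   filled with the source label ('Author URL' or 'Author Name')
        def found_by_msg
          'Oembed API - %s (Aggressive Detection)'
        end

        # @return [ String ] The URL of the API listing the Users
        def api_url
          # NOTE(review): target.url is interpolated into the query string
          # without percent-encoding; a target URL containing '&' or '#' would
          # truncate or split the url parameter. Confirm whether target.url can
          # carry such characters before relying on this.
          @api_url ||= target.url("wp-json/oembed/1.0/embed?url=#{target.url}&format=json")
        end
      end
    end
  end
end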