GitHub Repository: wpscanteam/wpscan
Path: blob/master/spec/lib/finders/dynamic_finder/theme_version_spec.rb
# frozen_string_literal: true

# All Theme Dynamic Finders returning a Version are tested here.
# When adding one to the spec/fixtures/db/dynamic_finder.yml, a few files have
# to be edited/created
#
# - spec/fixtures/dynamic_finder/expected.yml with the expected result/s
# - Then, depending on the finder class used: spec/fixtures/dynamic_finder/theme_version/
#
# Furthermore, the fixtures files _passive_all.html are also used by plugins/themes
# finders in spec/app/finders/plugins|themes to check the items existence from the homepage
#
# In case of a failure, it's recommended to use rspec -e "<Full Description>" while fixing.
# e.g: rspec -e "WPScan::Finders::ThemeVersion::Cardealerpress::HeaderPattern#passive"
# The -e option can also be used to test all HeaderPattern, for example: rspec -e "::HeaderPattern"

# Expected results for every theme finder, keyed by slug and then by finder class.
expected_all = df_expected_all['themes']

# One example group is generated per (theme slug, finder class) pair found in the
# dynamic finders configuration.
WPScan::DB::DynamicFinders::Theme.versions_finders_configs.each do |slug, slug_configs|
  WPScan::DB::DynamicFinders::Theme.create_versions_finders(slug)

  slug_configs.each do |finder_class, config|
    # A finder may name the generic class it is built on via 'class'; otherwise
    # its own name is used. This name selects the fixture file and the stubbed response.
    finder_super_class = config['class'] || finder_class

    # The QueryParameter specs are slow given the huge fixture file
    # If someone finds a fix for that, please share!
    #
    # NOTE(review): the "version is detected" examples below iterate over what the
    # finder returned and only assert that the result is not empty, so a finder
    # returning fewer versions than expected.yml lists would still pass. Consider
    # also comparing the counts - confirm against the fixtures first.
    describe df_tested_class_constant('ThemeVersion', finder_class, slug), slow: true do
      subject(:finder) { described_class.new(theme) }

      let(:theme)    { WPScan::Model::Theme.new(slug, target) }
      let(:target)   { WPScan::Target.new('http://wp.lab/') }
      let(:fixtures) { DYNAMIC_FINDERS_FIXTURES.join('theme_version') }

      # A single expected result is stored as a Hash; wrap it so the examples can
      # always index into the value. Anything else is used as-is.
      let(:expected) do
        entry = expected_all[slug][finder_class]

        entry.is_a?(Hash) ? [entry] : entry
      end

      before do
        allow(target).to receive(:content_dir).and_return('wp-content')

        # When creating a theme, the style.css is checked, let's stub that
        stub_request(:get, target.url("wp-content/themes/#{slug}/style.css"))
      end

      describe '#passive', slow: true do
        # The homepage and the 404 page are always stubbed. A canned response is
        # attached only when the nested context defines the corresponding let.
        before do
          homepage_stub = stub_request(:get, target.url)
          homepage_stub.to_return(stubbed_homepage_res) if defined?(stubbed_homepage_res)

          not_found_stub = stub_request(:get, ERROR_404_URL_PATTERN)
          not_found_stub.to_return(stubbed_404_res) if defined?(stubbed_404_res)
        end

        if config['path']
          context 'when PATH' do
            it 'returns nil' do
              expect(finder.passive).to eql nil
            end
          end
        else
          context 'when no PATH' do
            context 'when the version is detected' do
              context 'from the homepage' do
                let(:ie_url) { target.url }
                let(:stubbed_homepage_res) do
                  fixture_file = fixtures.join("#{finder_super_class.underscore}_passive_all.html")

                  df_stubbed_response(fixture_file, finder_super_class)
                end

                it 'returns the expected version/s' do
                  detected = Array(finder.passive)

                  expect(detected).not_to be_empty

                  detected.each_with_index do |version, position|
                    wanted = expected.at(position)
                    # Expected entries are written against the target URL; point
                    # them at the page the version was actually read from.
                    wanted_entries = wanted['interesting_entries'].map do |entry|
                      entry.gsub("#{target.url},", "#{ie_url},")
                    end
                    wanted_confidence = wanted['confidence']

                    expect(version).to be_a WPScan::Model::Version
                    expect(version.number).to eql wanted['number'].to_s
                    expect(version.found_by).to eql wanted['found_by']
                    expect(version.interesting_entries).to match_array wanted_entries

                    # Confidence is only checked when expected.yml provides one.
                    expect(version.confidence).to eql wanted_confidence if wanted_confidence
                  end
                end
              end

              context 'from the 404' do
                let(:ie_url) { target.error_404_url }
                let(:stubbed_404_res) do
                  fixture_file = fixtures.join("#{finder_super_class.underscore}_passive_all.html")

                  df_stubbed_response(fixture_file, finder_super_class)
                end

                it 'returns the expected version/s' do
                  detected = Array(finder.passive)

                  expect(detected).not_to be_empty

                  detected.each_with_index do |version, position|
                    wanted = expected.at(position)
                    # Same rewrite as for the homepage, here towards the 404 URL.
                    wanted_entries = wanted['interesting_entries'].map do |entry|
                      entry.gsub("#{target.url},", "#{ie_url},")
                    end
                    wanted_confidence = wanted['confidence']

                    expect(version).to be_a WPScan::Model::Version
                    expect(version.number).to eql wanted['number'].to_s
                    expect(version.found_by).to eql wanted['found_by']
                    expect(version.interesting_entries).to match_array wanted_entries

                    expect(version.confidence).to eql wanted_confidence if wanted_confidence
                  end
                end
              end
            end

            context 'when the version is not detected' do
              it 'returns nil or an empty array' do
                # QueryParameter finders are expected to return an empty array, the others nil.
                empty_result = finder_super_class == 'QueryParameter' ? [] : nil

                expect(finder.passive).to eql empty_result
              end
            end
          end
        end
      end

      describe '#aggressive' do
        # Aggressive fixtures live under <theme_version>/<slug>/<finder_class>.
        let(:fixtures) { super().join(slug, finder_class.underscore) }
        # Default body, replaced by the fixture in the "detected" context.
        let(:stubbed_response) { { body: 'aa' } }

        before do
          path = config['path']

          stub_request(:get, theme.url(path)).to_return(stubbed_response) if path
        end

        if config['path']
          context 'when the version is detected' do
            let(:stubbed_response) do
              df_stubbed_response(fixtures.join(config['path']), finder_super_class)
            end

            it 'returns the expected version' do
              detected = Array(finder.aggressive)

              expect(detected).not_to be_empty

              detected.each_with_index do |version, position|
                wanted = expected.at(position)
                wanted_confidence = wanted['confidence']

                expect(version).to be_a WPScan::Model::Version
                expect(version.number).to eql wanted['number'].to_s
                expect(version.found_by).to eql wanted['found_by']
                expect(version.interesting_entries).to match_array wanted['interesting_entries']

                expect(version.confidence).to eql wanted_confidence if wanted_confidence
              end
            end
          end

          context 'when the version is not detected' do
            it 'returns nil or an empty array' do
              # QueryParameter finders are expected to return an empty array, the others nil.
              empty_result = finder_super_class == 'QueryParameter' ? [] : nil

              expect(finder.aggressive).to eql empty_result
            end
          end
        else
          # Without a configured path there is nothing to request.
          it 'returns nil' do
            expect(finder.aggressive).to eql nil
          end
        end
      end
    end
  end
end