require 'acceptance_spec_helper'
require 'support/vcr_helper'

# Acceptance spec for the advisory section of Pluginscan::Scanner's report.
#
# No example talks to the network: responses are either stubbed with WebMock
# (`stub_request`) or replayed from a recorded VCR cassette. The stubs pin the
# exact request headers, so a change in the HTTP client's defaults (User-Agent,
# Accept-Encoding) shows up here as an unmatched request rather than as a
# silent live call to wpvulndb.
RSpec.describe Pluginscan::Scanner do
  describe '.scan' do
    # Captures everything the scanner prints so the examples can assert on it.
    let(:output) { StringIO.new }

    describe "Vulnerability Report", type: :file do
      # sloccount/cloc are disabled so only the advisory lookup is exercised.
      subject(:scanner) { described_class.new(sloccount: false, cloc: false, output: output) }

      # Headers the stubs require on every wpvulndb request; they must match
      # what the scanner's HTTP client actually sends or the stub won't match.
      let(:api_request_headers) do
        {
          'Accept' => '*/*',
          'Accept-Encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
          'User-Agent' => 'Ruby'
        }
      end

      before(:each) { setup_tempdir 'tmp' }

      # Registers a canned response for the v2 plugin endpoint of +slug+.
      def stub_wpvulndb(slug, status:, body:)
        stub_request(:get, "https://wpvulndb.com/api/v2/plugins/#{slug}")
          .with(headers: api_request_headers)
          .to_return(status: status, body: body, headers: {})
      end

      # Asserts that one coloured advisory line and its reference URL were
      # printed. +title+ is spliced into the regexp as-is, so callers pass it
      # already escaped; +version+ and +fixed_in+ are escaped here.
      def expect_advisory(date:, version:, title:, fixed_in:, url:)
        advisory_line = /#{coloured_green(date)} Relevanssi #{coloured_yellow(Regexp.escape(version))} - #{title} #{coloured_red(Regexp.escape(fixed_in))}/
        expect(output.string).to match(advisory_line)
        expect(output.string).to match(/#{Regexp.escape(url)}/)
      end

      it "displays a message when no vulnerabilities were found" do
        # A 404 from the API means the plugin has no entry at all.
        stub_wpvulndb 'relevanssi', status: 404, body: "The page you were looking for doesn't exist (404)."
        add_directory 'tmp', 'relevanssi'

        scanner.scan 'tmp/relevanssi'

        expect(output.string).to match(/No advisories were found for 'relevanssi'/)
      end

      it "displays a message when vulnerabilities were found" do
        add_directory 'tmp', 'relevanssi'

        # The cassette holds a recorded API response for relevanssi; the
        # expectations below are tied to its contents, so re-recording it
        # will require updating them.
        VCR.use_cassette('wpvulndb/relevanssi') do
          scanner.scan 'tmp/relevanssi'
        end

        expect(output.string).to match(/3 advisories were found for 'relevanssi':/)

        expect_advisory date: '2015-01-03',
                        version: '<= 3.3.7.1',
                        title: 'Cross-Site Scripting \(XSS\)',
                        fixed_in: '(fixed in 3.3.8)',
                        url: 'https://wpvulndb.com/vulnerabilities/774'

        expect_advisory date: '2014-08-01',
                        version: '2.7.2',
                        title: 'Stored XSS Vulnerability',
                        fixed_in: '(fixed in 2.7.3)',
                        url: 'https://wpvulndb.com/vulnerabilities/6426'

        expect_advisory date: '2014-08-01',
                        version: '3.2',
                        title: 'Unspecified SQL Injection',
                        fixed_in: '(fixed in 3.3)',
                        url: 'https://wpvulndb.com/vulnerabilities/6425'
      end

      it "shows an error if access was denied" do
        # Body of the block page wpvulndb serves alongside a 403; the scanner
        # is expected to report the block instead of treating it as data.
        blocked_page = "\n\n\n \n Access denied\n \n\n\n\n
\n

Access denied

\n

Your IP was blocked because of suspicious acitivity.

\n

If you think your IP should not be blocked, please contact us at team [at] wpvulndb [.] com

\n
\n\n\n"

        stub_wpvulndb 'my_plugin', status: 403, body: blocked_page
        add_directory 'tmp', 'my_plugin'

        scanner.scan 'tmp/my_plugin'

        expect(output.string).to match(/#{Regexp.escape("We got blocked by wpvulndb for suspicious activity :( Contact team@wpvulndb.com")}/)
      end
    end
  end
end