def setUp(self):
self.path_prefix = "wp-content/plugins/"
self.plugin0_readme_file = File(path=self.path_prefix +
"plugin0/readme.txt",
signatures=[FileSignature(hash="1")])
self.plugin0_style_file = File(path=self.path_prefix +
"plugin0/style.css",
signatures=[FileSignature(hash="2")])
self.plugin0_file_list = FileList(
key="plugins/plugin0",
producer="unittest",
files=[self.plugin0_readme_file, self.plugin0_style_file])
self.plugin1_readme_file = File(path=self.path_prefix +
"plugin1/readme.txt",
signatures=[FileSignature(hash="3")])
self.plugin1_style_file = File(path=self.path_prefix +
"plugin1/style.css",
signatures=[FileSignature(hash="4")])
self.plugin1_file_list = FileList(
key="plugins/plugin1",
producer="unittest",
files=[self.plugin1_readme_file, self.plugin1_style_file])
self.plugin_list = FileListGroup(
key="plugins",
producer="unittest",
file_lists=[self.plugin0_file_list, self.plugin1_file_list])
self.target_url = "http://www.example.com"
self.component_finder = ActiveComponentFinder(MagicMock(),
self.target_url)
self.component_finder.file_fetcher = MagicMock()
def test_load_vulnerable_and_popular_components_identification_files(self):
popular_plugin_list = FileListGroup(
key="plugins",
producer="unittest",
file_lists=[
FileList(key="plugins/my-plugin",
producer="unittest",
files=[
File(path=self.path_prefix +
"my-plugin/readme.txt")
])
])
vulnerable_plugin_list = FileListGroup(
key="plugins",
producer="unittest",
file_lists=[
FileList(key="plugins/hack-me-plugin",
producer="unittest",
files=[
File(path=self.path_prefix +
"hack-me-plugin/readme.html")
])
])
file_path = join(dirname(__file__), "samples")
self.component_finder.load_components_identification_file(
file_path, "plugins", True, True)
self.assertIn(
popular_plugin_list.file_lists[0],
self.component_finder.components_file_list_group.file_lists)
self.assertIn(
vulnerable_plugin_list.file_lists[0],
self.component_finder.components_file_list_group.file_lists)
def test_load_components_identification_file_with_different_component_base_key(
self):
path_prefix = "wp-content/themes/"
theme0_readme_file = File(path=path_prefix + "theme0/readme.txt",
signatures=[FileSignature(hash="1")])
theme0_style_file = File(path=path_prefix + "theme0/style.css",
signatures=[FileSignature(hash="2")])
theme0_file_list = FileList(
key="themes/theme0",
producer="unittest",
files=[theme0_readme_file, theme0_style_file])
theme1_readme_file = File(path=path_prefix + "theme1/readme.txt",
signatures=[FileSignature(hash="3")])
theme1_style_file = File(path=path_prefix + "theme1/style.css",
signatures=[FileSignature(hash="4")])
theme1_file_list = FileList(
key="themes/theme1",
producer="unittest",
files=[theme1_readme_file, theme1_style_file])
theme_list = FileListGroup(
key="themes",
producer="unittest",
file_lists=[theme0_file_list, theme1_file_list])
file_path = join(dirname(__file__), "samples")
self.component_finder.load_components_identification_file(
file_path, "themes", False, False)
self.assertEqual(self.component_finder.components_file_list_group,
theme_list)
def setUp(self):
signatures = [FileSignature(hash="hash")]
self.plugin_key = "my-plugin"
self.files_to_fetch = FileList(
key=self.plugin_key,
producer="",
files=[
File(path="wp-content/plugins/my-plugin/script.js",
signatures=signatures),
File(path="wp-content/plugins/my-plugin/style.css",
signatures=signatures),
File(path="wp-content/plugins/my-plugin/readme.txt",
signatures=signatures)
])
def test_write_versions_update_existing_file_list(self):
version_builder_mock = MagicMock()
file_list_schema = MagicMock()
with patch("openwebvulndb.common.storage.VersionBuilder", MagicMock(return_value=version_builder_mock)), \
patch("openwebvulndb.common.storage.FileListSchema", MagicMock(return_value=file_list_schema)):
storage = Storage('/some/path')
file_list = FileList(key="key",
producer="producer",
files=[
File(path="file0",
signatures=[
FileSignature(hash="0",
versions=["1.0"])
])
])
storage._write_to_cache = MagicMock()
storage._read = MagicMock(return_value=file_list)
storage._write = MagicMock()
vlist = VersionList(key="key", producer="producer")
v = vlist.get_version("1.0", create_missing=True)
v.add_signature("file0", "0"),
v = vlist.get_version("1.1", create_missing=True)
v.add_signature("file0", "1")
v.add_signature("file1", "1")
storage.write_versions(vlist)
storage._read.assert_called_once_with(file_list_schema, "key",
"versions.json")
storage._write.assert_called_once_with(file_list_schema, file_list,
"versions.json")
version_builder_mock.update_file_list.assert_called_once_with(
file_list, vlist)
def test_identify_version_not_affected_if_one_file_has_no_common_version_with_others(
self):
login_js_file = File(
path="login.js",
signatures=[FileSignature(hash="11111", versions=["1.0"])])
file_no_common_version = File(
path="test.html",
signatures=[FileSignature(hash="22222", versions=["1.5"])])
self.file_list.files.extend([login_js_file, file_no_common_version])
fetched_login = FetchedFile(path="login.js", hash="11111")
fetched_file_no_common_version = FetchedFile(path="test.html",
hash="22222")
fetched_files = [
fetched_login, self.style_css_fetched_file,
self.readme_fetched_file, fetched_file_no_common_version
]
version = self.version_identification.identify_version(
fetched_files, self.file_list)
self.assertEqual(version, "1.0")
def setUp(self):
self.version_identification = VersionIdentification()
self.readme_fetched_file = FetchedFile(path="readme.html",
hash="12345")
self.style_css_fetched_file = FetchedFile(path="style.css",
hash="09876")
self.readme_1_signature = FileSignature(
hash=self.readme_fetched_file.hash, versions=["1.0"])
self.readme_2_signature = FileSignature(hash="23456", versions=["2.0"])
self.readme_file = File(
path="readme.html",
signatures=[self.readme_1_signature, self.readme_2_signature])
self.style_css_signature = FileSignature(
hash=self.style_css_fetched_file.hash, versions=["1.0", "2.0"])
self.style_css_file = File(path="style.css",
signatures=[self.style_css_signature])
self.file_list = FileList(
key="", producer="", files=[self.readme_file, self.style_css_file])
def test_load_vulnerable_components_identification_file(self):
vulnerable_plugin_list = FileListGroup(
key="vulnerable_plugins",
producer="unittest",
file_lists=[
FileList(key="plugins/hack-me-plugin",
producer="unittest",
files=[
File(path=self.path_prefix +
"hack-me-plugin/readme.html")
])
])
file_path = join(dirname(__file__), "samples")
self.component_finder.load_components_identification_file(
file_path, "plugins", False, True)
self.assertEqual(self.component_finder.components_file_list_group,
vulnerable_plugin_list)
def test_load_popular_components_identification_file(self):
popular_plugin_list = FileListGroup(
key="popular_plugins",
producer="unittest",
file_lists=[
FileList(key="plugins/my-plugin",
producer="unittest",
files=[
File(path=self.path_prefix +
"my-plugin/readme.txt")
])
])
file_path = join(dirname(__file__), "samples")
self.component_finder.load_components_identification_file(
file_path, "plugins", True, False)
self.assertEqual(self.component_finder.components_file_list_group,
popular_plugin_list)
def test_identify_version_find_closest_match_when_one_file_is_missing(
self):
login_js_signature_1 = FileSignature(hash="11111", versions=["1.0"])
login_js_signature_2 = FileSignature(hash="22222", versions=["2.0"])
login_js_file = File(
path="login.js",
signatures=[login_js_signature_1, login_js_signature_2])
file_list = FileList(
producer="unittest",
key="wordpress",
files=[self.readme_file, self.style_css_file, login_js_file])
fetched_login = FetchedFile(path="login.js", hash="11111")
fetched_files = [fetched_login, self.style_css_fetched_file]
version = self.version_identification.identify_version(
fetched_files, file_list)
self.assertEqual(version, "1.0")
def test_import_version_list(self):
file_list = FileList(key="key", producer="producer")
for i in range(10):
file = File(path="file%d" % i)
for j in range(5):
file.signatures.append(FileSignature(hash=j+i, versions=["1.%d" % j]))
file_list.files.append(file)
version_list = self.importer.import_version_list(file_list)
self.assertEqual(version_list.key, file_list.key)
self.assertEqual(version_list.producer, file_list.producer)
self.assertEqual(len(version_list.versions), 5)
for version in version_list.versions:
self.assertEqual(len(version.signatures), 10)
for i in range(10):
self.assertIn("file%d" % i, [signature.path for signature in version.signatures])
signature = version.signatures[i]
self.assertEqual(signature.hash, int(version.version[-1]) + int(signature.path[-1]))