コード例 #1
 def _init_scanner(self):
     """Build the Drupal scanner fixture and stub out its fake-200 check.

     The scanner is stored on ``self.scanner`` and initialised with
     ``self.test_opts``. Its ``_determine_fake_200_module`` attribute is
     replaced with this test case's ``_fake_200_check``, and the
     controller-level method of the same name is mocked to return
     ``False``.
     """
     scanner = self.scanner = Drupal()
     scanner._general_init(self.test_opts)

     # Instance-level override with the test case's own check.
     scanner._determine_fake_200_module = self._fake_200_check

     # NOTE(review): presumably this keeps tests from probing for sites
     # that answer 200 to every module path -- confirm against
     # mock_controller. The returned mock is not used in the visible code.
     fake_200_mock = self.mock_controller(
         'drupal',
         '_determine_fake_200_module',
         return_value=False,
     )
コード例 #2
    def test_fix_dereference_bug(self):
        """Regression test: plugin and theme kwargs must not be the same data.

        Two option sets that differ only in ``'enumerate'`` ('p' vs. 't')
        are passed to ``_functionality``; the ``kwargs`` built for the
        plugin enumeration and for the theme enumeration must compare
        unequal. The original failure made the application break even
        though the rest of the suite passed.
        """
        plugins_base_url = 'plugins_base_url'
        themes_base_url = 'themes_base_url'

        # Options for a plugin enumeration run; most values are dummies.
        plugin_opts = dict([
            ('url', self.base_url),
            ('plugins_base_url', plugins_base_url),
            ('themes_base_url', themes_base_url),
            ('scanning_method', 'a'),
            ('number', 'a'),
            ('threads', 'a'),
            ('threads_enumerate', None),
            ('threads_identify', None),
            ('threads_scan', None),
            ('verb', 'a'),
            ('enumerate', 'p'),
            ('timeout', 15),
            ('headers', {}),
        ])

        # Shallow copy with only the enumeration target switched to themes.
        theme_opts = dict(plugin_opts, enumerate='t')

        scanner = Drupal()
        plugin_functionality = scanner._functionality(plugin_opts)
        theme_functionality = scanner._functionality(theme_opts)
        kwargs_p = plugin_functionality['plugins']['kwargs']
        kwargs_t = theme_functionality['themes']['kwargs']

        # If both entries resolved to the same kwargs, a theme scan would
        # run with the plugin settings (or vice versa).
        assert not (kwargs_p == kwargs_t)
コード例 #3
    def test_module_fake_200(self, warn, mock):
        """A site that answers 200 for every module must not yield findings.

        Treating HTTP 200 as "module present" finds some real modules, but
        on sites where every module path returns 200 it produces a flood of
        false positives. Here the scanner's ``not_found_module`` path also
        answers 200, so 200 responses have to be discarded as fake, while
        the other responses are still reported and a warning is emitted.
        """
        scanner = Drupal()
        scanner._general_init(self.test_opts)

        # Canned responses, keyed by HTTP status code.
        responses = {
            404: ['supermodule/'],
            403: ['yep/', 'thisisthere/', 'thisisalsothere/'],
            500: ['iamtherebuti500/'],
            # The second entry is the scanner's known-absent module name:
            # a 200 for it marks every other 200 as unreliable.
            200: ['iamtherebuti200/', scanner.not_found_module + "/"],
        }
        self.respond_several(self.base_url + 'sites/all/modules/%s', responses)

        scanner.plugins_base_url = '%ssites/all/modules/%s/'
        self.mock_controller('drupal', 'enumerate_interesting')

        result, _empty = scanner.enumerate_plugins(
            self.base_url,
            scanner.plugins_base_url,
            ScanningMethod.forbidden,
        )

        # presumably the three 403 entries plus the 500 one -- confirm
        assert len(result) == 4

        reported = [entry['name'] for entry in result]
        found_500 = 'iamtherebuti500' in reported
        found_200 = 'iamtherebuti200' in reported

        assert found_500
        assert not found_200  # a fake 200 must not be reported as a module
        assert warn.called
コード例 #4
    def test_plugins_update_check(self):
        """Plugin data is refreshed only when the local copy is old.

        ``file_mtime`` is patched to report first "yesterday" and then
        "400 days ago"; ``update_plugins`` on the scanner must not be
        called in the first case and must be called in the second.
        """
        drupal = Drupal()
        update_mock = Mock(spec=self.scanner.update_plugins,
                           return_value=([], []))
        drupal.update_plugins = update_mock

        today = datetime.today()
        yesterday = datetime.today() - timedelta(days=1)
        too_long_ago = today - timedelta(days=400)

        fake_open = mock_open()
        # The patched open() keeps the updater away from the real filesystem.
        with patch('dscan.plugins.update.open', fake_open, create=True):
            recent_mtime = patch('dscan.common.update_api.file_mtime',
                                 return_value=yesterday,
                                 autospec=True)
            with recent_mtime:
                # NOTE(review): this call passes a fresh controller
                # instance, not the `drupal` object that carries the mock,
                # so the assertion below may hold regardless of what the
                # updater does -- confirm.
                fresh_controller = self.controller_get('drupal')()
                self.updater.update_plugins(fresh_controller, 'Drupal')
                assert not update_mock.called

            stale_mtime = patch('dscan.common.update_api.file_mtime',
                                return_value=too_long_ago)
            with stale_mtime:
                self.updater.update_plugins(drupal, 'Drupal')
                assert update_mock.called
コード例 #5
    def test_kali_old_requests_bug(self, warn):
        """Initialisation must warn, not crash, when requests.adapters is unusable.

        ``requests.adapters`` is replaced by a mock whose ``spec_set`` only
        allows the attribute ``force_attr_error``, so any other attribute
        access on it raises ``AttributeError``. ``_general_init`` is then
        expected to call ``warn``.
        """
        scanner = Drupal()
        broken_adapters = patch('requests.adapters',
                                spec_set=["force_attr_error"])
        with broken_adapters:
            # NOTE(review): the test name suggests this mimics an old
            # `requests` package as shipped on Kali -- confirm.
            scanner._general_init(self.test_opts)

            assert warn.called
コード例 #6
ファイル: __init__.py プロジェクト: zenzue/droopescan
 def _init_scanner(self):
     self.scanner = Drupal()
     self.scanner._general_init(self.test_opts)