def test_module_fake_200(self, warn, mock):
    """
    Plugin enumeration must discard HTTP 200 hits on a site that answers
    200 for every module path.

    Treating a 200 as "module present" is a workaround for modules that
    really do respond that way, but some sites return 200 for any path
    under the modules directory, which would turn every probe into a
    false positive. The fixture reproduces that by serving 200 for
    ``scanner.not_found_module`` as well as for one ordinary module name.
    Only the 403 and 500 responses should be reported, and a warning
    should be emitted.

    ``warn`` and ``mock`` are presumably injected by patch decorators that
    are not visible here -- confirm against the enclosing class.
    """
    drupal = Drupal()
    drupal._general_init(self.test_opts)

    # Canned status code -> module paths. The 200 bucket deliberately holds
    # the scanner's own "not found" module name next to a normal module.
    canned = {
        404: ['supermodule/'],
        403: ['yep/', 'thisisthere/', 'thisisalsothere/'],
        500: ['iamtherebuti500/'],
        200: ['iamtherebuti200/', drupal.not_found_module + "/"],
    }
    self.respond_several(self.base_url + 'sites/all/modules/%s', canned)

    drupal.plugins_base_url = '%ssites/all/modules/%s/'
    # NOTE(review): presumably stubs out the unrelated "interesting URLs"
    # pass; confirm in the mock_controller helper.
    self.mock_controller('drupal', 'enumerate_interesting')

    result, _ = drupal.enumerate_plugins(
        self.base_url,
        drupal.plugins_base_url,
        ScanningMethod.forbidden,
    )

    # Three 403 modules plus the single 500 module.
    assert len(result) == 4

    names = [entry['name'] for entry in result]
    assert 'iamtherebuti500' in names
    # 200 should not count as false positive
    assert 'iamtherebuti200' not in names
    assert warn.called
def test_module_fake_200(self, warn, mock):
    """
    Check that fake HTTP 200 responses are ignored during module
    enumeration.

    Counting a 200 as evidence that a module exists helps with modules
    that answer that way when installed, but it produces many false
    positives on sites where every module URL returns 200. This test
    models such a site: the path built from ``scanner.not_found_module``
    is answered with 200, alongside one regular module name. The expected
    outcome is that 403 and 500 responses are still reported, the 200
    response is dropped, and ``warn`` is called.

    NOTE(review): ``warn`` and ``mock`` look like arguments supplied by
    patch decorators outside this view; ``mock`` is not used in the body.
    """
    scanner = Drupal()
    scanner._general_init(self.test_opts)

    not_found_path = scanner.not_found_module + "/"
    modules_url = self.base_url + 'sites/all/modules/%s'

    # Status code -> module paths served with that code. Serving 200 for
    # the not-found module is what marks every 200 on this site as fake.
    self.respond_several(modules_url, {
        404: ['supermodule/'],
        403: ['yep/', 'thisisthere/', 'thisisalsothere/'],
        500: ['iamtherebuti500/'],
        200: ['iamtherebuti200/', not_found_path],
    })

    scanner.plugins_base_url = '%ssites/all/modules/%s/'
    # presumably disables the separate interesting-URL enumeration; verify
    # against the test base class
    self.mock_controller('drupal', 'enumerate_interesting')

    result, _unused = scanner.enumerate_plugins(
        self.base_url, scanner.plugins_base_url, ScanningMethod.forbidden)

    # 3 modules answered 403 and 1 answered 500; nothing else may be listed.
    assert len(result) == 4

    reported = [found['name'] for found in result]
    saw_500 = 'iamtherebuti500' in reported
    saw_200 = 'iamtherebuti200' in reported

    assert saw_500
    assert not saw_200  # 200 should not count as false positive
    assert warn.called