Class: WPScan::DB::VulnApi

Inherits:
Object
  • Object
Defined in:
lib/wpscan/db/vuln_api.rb

Overview

Client for the WPVulnDB vulnerability API (https://wpscan.com/api/v3/). Every request is authenticated with the class-level `token`, sent in an `Authorization` header; lookups return `{}` when no token is set.

Constant Summary collapse

# HTTP status codes whose response body .get parses as JSON. 403 is included
# so that a rejected/expired token still yields the API's JSON error payload
# instead of raising Error::HTTP (NOTE(review): that the API answers a 403 with
# a JSON body is assumed here — confirm against the API).
NON_ERROR_CODES =
[200, 403].freeze

Class Attribute Summary collapse

Class Method Summary collapse

Class Attribute Details

.tokenObject

Returns the value of attribute token.



# File 'lib/wpscan/db/vuln_api.rb', line 10

# The WPVulnDB API token. It is placed in the Authorization header of every
# API request (see .default_request_params), so treat it as a secret: do not
# log it or echo it in error output.
#
# @return [String, nil] the configured token, or nil when none has been set
def token
  @token
end

Class Method Details

.default_request_paramsHash

Note:

These params cannot be overridden by CLI options.

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 75

# Base Typhoeus options shared by every API request, built once and memoised.
#
# Starts from Browser.instance.default_request_params and replaces the
# :headers entry with the API user agent plus the token-based Authorization
# header. When ParsedCli.proxy_target_only is set, :proxy and :proxyuserpwd are
# dropped so the API call (and the credential it carries) is not routed through
# the proxy meant for the scanned target.
#
# NOTE(review): every other option inherited from Browser (timeouts, TLS
# verification settings, ...) applies to the API call as well — confirm those
# defaults are appropriate for a request carrying a credential to wpscan.com.
#
# The returned Hash is the memoised object itself, not a copy.
#
# @return [Hash]
def self.default_request_params
  return @default_request_params if @default_request_params

  api_headers = {
    'User-Agent' => Browser.instance.default_user_agent,
    'Authorization' => "Token token=#{token}"
  }

  request_params = Browser.instance.default_request_params.merge(headers: api_headers)

  %i[proxy proxyuserpwd].each { |key| request_params.delete(key) } if ParsedCli.proxy_target_only

  @default_request_params = request_params
end

.get(path, params = {}) ⇒ Hash

Parameters:

  • path (String)
  • params (Hash) (defaults to: {})

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 22

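# Performs a GET against the WPVulnDB API and returns the decoded JSON object.
#
# Typhoeus.get is used rather than Browser.get so that CLI-derived request
# options irrelevant to the API are not merged in. +params+ is shallow-merged
# over .default_request_params, so passing a :headers key replaces the whole
# header set, Authorization included.
#
# Outcomes, in order of evaluation:
# * no token, or a path ending in '/latest' (until api/v4 is up) => {}
# * 404 or 429 => {} — a rate-limited (429) lookup is therefore
#   indistinguishable from "no data" for callers; keep that in mind when a
#   scan reports no vulnerabilities for a component
# * a code in NON_ERROR_CODES => the parsed body; a body that is valid JSON but
#   not an object (e.g. null or an array) is reported as a parse error so the
#   Hash return contract holds
# * any other code (NOTE(review): Typhoeus is expected to report transport
#   failures as code 0, so those land here too — confirm) => Error::HTTP is
#   raised and the request retried up to 3 times after a 1s pause, with an
#   X-Retry header carrying the attempt number; then { 'http_error' => e }
# * a non-JSON body => { 'parse_error' => e }
#
# The X-Retry header is added to a per-request copy of the headers rather than
# to the memoised .default_request_params, so later requests do not carry a
# stale retry count.
#
# @param path [String] path relative to .uri
# @param params [Hash] extra Typhoeus options for this request only
#
# @return [Hash]
def self.get(path, params = {})
  return {} unless token
  return {} if path.end_with?('/latest') # Remove this when api/v4 is up

  retries ||= 0

  request_params = default_request_params.merge(params)
  if retries.positive?
    # Only retried attempts advertise the retry count, and only on this request.
    request_params = request_params.merge(
      headers: (request_params[:headers] || {}).merge('X-Retry' => retries)
    )
  end

  res = Typhoeus.get(uri.join(path), request_params)

  return {} if [404, 429].include?(res.code)

  if NON_ERROR_CODES.include?(res.code)
    parsed = JSON.parse(res.body.to_s)
    return parsed if parsed.is_a?(Hash)

    # Valid JSON but not an object: callers index the result as a Hash, so
    # surface it the same way as an unparsable body instead of letting them crash.
    return { 'parse_error' => JSON::ParserError.new("expected a JSON object, got #{parsed.class}") }
  end

  raise Error::HTTP, res
rescue Error::HTTP => e
  if (retries += 1) <= 3
    sleep(1)
    retry
  end

  { 'http_error' => e }
rescue JSON::ParserError => e
  # API returned non-JSON response (HTML, plain text, etc.)
  { 'parse_error' => e }
end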

.plugin_data(slug) ⇒ Hash

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 50

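# Vulnerability data for a plugin, taken from the API response under the slug key.
#
# The slug is percent-encoded as a single path segment so that characters such
# as '/', '?' or '#' cannot change which API path is requested. Well-formed
# slugs (letters, digits, '-', '_', '.', '~') are unchanged by the encoding,
# and the raw slug is still used to look the entry up in the response.
# NOTE(review): slugs are expected to originate from the scanned target and
# should be treated as untrusted — confirm at the call sites.
#
# An http/parse error from .get has no slug key and is therefore also
# reported as {}, indistinguishable from "no known vulnerabilities".
#
# @param slug [String]
#
# @return [Hash] the plugin's data, or {} when the API returned none
def self.plugin_data(slug)
  segment = Addressable::URI.encode_component(slug, Addressable::URI::CharacterClasses::UNRESERVED)

  get("plugins/#{segment}")&.dig(slug) || {}
end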

.statusHash

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 65

# API account status for the configured token.
#
# Calls the 'status' endpoint with the running WPScan version as a query
# parameter and cache_ttl: 0 (passed straight through as a request option —
# presumably to bypass any response cache; confirm in the Typhoeus/Browser
# configuration). A requests_remaining value of -1 is rewritten to the string
# 'Unlimited' for display. If .get failed, its error Hash is returned unchanged.
#
# @return [Hash]
def self.status
  get('status', params: { version: WPScan::VERSION }, cache_ttl: 0).tap do |result|
    result['requests_remaining'] = 'Unlimited' if result['requests_remaining'] == -1
  end
end

.theme_data(slug) ⇒ Hash

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 55

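# Vulnerability data for a theme, taken from the API response under the slug key.
#
# The slug is percent-encoded as a single path segment so that characters such
# as '/', '?' or '#' cannot change which API path is requested. Well-formed
# slugs (letters, digits, '-', '_', '.', '~') are unchanged by the encoding,
# and the raw slug is still used to look the entry up in the response.
# NOTE(review): slugs are expected to originate from the scanned target and
# should be treated as untrusted — confirm at the call sites.
#
# An http/parse error from .get has no slug key and is therefore also
# reported as {}, indistinguishable from "no known vulnerabilities".
#
# @param slug [String]
#
# @return [Hash] the theme's data, or {} when the API returned none
def self.theme_data(slug)
  segment = Addressable::URI.encode_component(slug, Addressable::URI::CharacterClasses::UNRESERVED)

  get("themes/#{segment}")&.dig(slug) || {}
end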

.uriAddressable::URI

Returns:

  • (Addressable::URI)


# File 'lib/wpscan/db/vuln_api.rb', line 14

# Base URI of the API; all request paths are joined onto it.
#
# Fixed to https://wpscan.com/api/v3/, so API traffic is always TLS (subject to
# whatever verification options are inherited from Browser). Parsed once and
# memoised.
#
# @return [Addressable::URI]
def self.uri
  @uri = Addressable::URI.parse('https://wpscan.com/api/v3/') unless @uri
  @uri
end

.wordpress_data(version_number) ⇒ Hash

Returns:

  • (Hash)


# File 'lib/wpscan/db/vuln_api.rb', line 60

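# Vulnerability data for a WordPress core version.
#
# The API is addressed by the version with the dots removed (e.g. '5.2.1' is
# requested as 'wordpresses/521') while the response is keyed by the dotted
# version, which is what the lookup uses. The undotted value is percent-encoded
# as a single path segment so that characters such as '/', '?' or '#' cannot
# change which API path is requested; a plain numeric version is unaffected.
# NOTE(review): the version number is expected to be extracted from the
# scanned target and should be treated as untrusted — confirm at the call sites.
#
# An http/parse error from .get has no version key and is therefore also
# reported as {}, indistinguishable from "no known vulnerabilities".
#
# @param version_number [String] dotted version, e.g. '5.2.1'
#
# @return [Hash] the version's data, or {} when the API returned none
def self.wordpress_data(version_number)
  segment = Addressable::URI.encode_component(
    version_number.tr('.', ''), Addressable::URI::CharacterClasses::UNRESERVED
  )

  get("wordpresses/#{segment}")&.dig(version_number) || {}
end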