Class: WPScan::Scan

Inherits:

Object

• Object
• WPScan::Scan

Defined in:

lib/wpscan/scan.rb

Overview

Scan

Instance Attribute Summary

• #run_error ⇒ Object readonly

  Returns the value of attribute run_error.

Instance Method Summary

• #aborted_view ⇒ String

  The global view to render when the run is aborted.

• #controllers ⇒ Controllers
• #datastore ⇒ Hash
• #exit_hook ⇒ Object

  Hook to be able to have an exit code returned depending on the findings / errors :nocov:.

• #formatter ⇒ Object

  Used for convenience.

• #initialize {|_self| ... } ⇒ Scan constructor

  A new instance of Scan.

• #mask_sensitive_arguments(args) ⇒ String

  Masks sensitive arguments in the command line to prevent exposing secrets.

• #run ⇒ Object
• #run_error_exit_code ⇒ Integer

  The exit code related to the run_error.

Constructor Details

#initialize {|_self| ... } ⇒ Scan

Returns a new instance of Scan.

Yields:

• (_self)

Yield Parameters:

• _self (WPScan::Scan) —

  the object that the method was called on

# File 'lib/wpscan/scan.rb', line 8

def initialize
  WPScan.start_memory = GetProcessMem.new.bytes

  # Capture the original command line arguments with sensitive data masked
  WPScan.command_line = mask_sensitive_arguments(ARGV)

  controllers << WPScan::Controller::Core.new

  exit_hook

  yield self if block_given?
end

Instance Attribute Details

#run_error ⇒ Object (readonly)

Returns the value of attribute run_error.

# File 'lib/wpscan/scan.rb', line 6

def run_error
  @run_error
end

Instance Method Details

#aborted_view ⇒ String

Returns The global view to render when the run is aborted.

Returns:

• (String) —

  The global view to render when the run is aborted

# File 'lib/wpscan/scan.rb', line 86

def aborted_view
  core = controllers.first
  core.respond_to?(:updating_db?) && core.updating_db? ? '@update_aborted' : '@scan_aborted'
end

#controllers ⇒ Controllers

Returns:

• (Controllers)

# File 'lib/wpscan/scan.rb', line 53

def controllers
  @controllers ||= WPScan::Controllers.new
end

#datastore ⇒ Hash

Returns:

• (Hash)

# File 'lib/wpscan/scan.rb', line 92

def datastore
  controllers.first.datastore
end

#exit_hook ⇒ Object

Hook to be able to have an exit code returned depending on the findings / errors :nocov:

# File 'lib/wpscan/scan.rb', line 99

def exit_hook
  # Avoid hooking the exit when rspec is running, otherwise it will always return 0
  # and Travis won't detect failed builds. Couldn't find a better way, even though
  # some people managed to https://github.com/rspec/rspec-core/pull/410
  return if defined?(RSpec)

  at_exit do
    exit(run_error_exit_code) if run_error

    # The parsed_option[:url] must be checked to avoid raising erros when only -h/-v are given
    exit(WPScan::ExitCode::VULNERABLE) if WPScan::ParsedCli.url && controllers.first.target.vulnerable?
    exit(WPScan::ExitCode::OK)
  end
end

#formatter ⇒ Object

Used for convenience

# File 'lib/wpscan/scan.rb', line 81

def formatter
  controllers.first.formatter
end

#mask_sensitive_arguments(args) ⇒ String

Masks sensitive arguments in the command line to prevent exposing secrets

Parameters:

• args (Array<String>) —

  The command line arguments

Returns:

• (String) —

  The sanitized command line string

# File 'lib/wpscan/scan.rb', line 24

def mask_sensitive_arguments(args)
  # List of sensitive arguments that contain actual secrets (not file paths)
  # File paths like --passwords and --cookie-jar are not masked as they're
  # not secrets themselves, just references to files
  sensitive_args = %w[
    --api-token
    --http-auth
    --proxy-auth
    --cookie-string
    --wp-auth
  ]

  masked_args = args.dup
  args.each_with_index do |arg, index|
    # Check if this argument is sensitive
    if sensitive_args.include?(arg)
      # Mask the next argument (the value)
      masked_args[index + 1] = '[REDACTED]' if index + 1 < args.length
    elsif arg.start_with?('--') && arg.include?('=')
      # Handle --arg=value format
      arg_name = arg.split('=').first
      masked_args[index] = "#{arg_name}=[REDACTED]" if sensitive_args.include?(arg_name)
    end
  end

  masked_args.join(' ')
end

#run ⇒ Object

# File 'lib/wpscan/scan.rb', line 57

def run
  controllers.run
rescue OptParseValidator::NoRequiredOption => e
  @run_error = e

  formatter.output('@usage', msg: e.message)
rescue NoMemoryError, ScriptError, SecurityError, SignalException, StandardError, SystemStackError => e
  @run_error = e

  output_params = {
    reason: e.is_a?(Interrupt) ? 'Canceled by User' : e.message,
    trace: e.backtrace,
    verbose: WPScan::ParsedCli.verbose || run_error_exit_code == WPScan::ExitCode::EXCEPTION
  }

  output_params[:url] = controllers.first.target.url if WPScan::ParsedCli.url

  formatter.output(aborted_view, output_params)
ensure
  formatter.beautify
end

#run_error_exit_code ⇒ Integer

Returns The exit code related to the run_error.

Returns:

• (Integer) —

  The exit code related to the run_error

# File 'lib/wpscan/scan.rb', line 116

def run_error_exit_code
  return WPScan::ExitCode::CLI_OPTION_ERROR if run_error.is_a?(OptParseValidator::Error) ||
                                               run_error.is_a?(OptionParser::ParseError)

  return WPScan::ExitCode::INTERRUPTED if run_error.is_a?(Interrupt)

  return WPScan::ExitCode::ERROR if run_error.is_a?(WPScan::Error::Standard)

  WPScan::ExitCode::EXCEPTION
end