Log in
Log in
Log in
Book a Demo
Get Started
675.3K 488.5K 8.4K
Back to Repositories

Testing MuPlugins Detection Components in WPScan Security Scanner

This test suite validates the functionality of the MuPlugins finder component in WPScan, focusing on both passive and aggressive detection methods for WordPress mu-plugins. The tests ensure reliable identification of mu-plugins through HTML content analysis and URL pattern matching.

Test Coverage Overview

The test suite provides comprehensive coverage of the MuPlugins finder functionality with specific focus on passive detection scenarios.

  • Tests various HTML content patterns for mu-plugins detection
  • Validates performance with large URI sets
  • Handles empty content and non-matching scenarios
  • Verifies correct model object creation

Implementation Analysis

The implementation follows RSpec best practices using context-based test organization and shared target setup. The tests utilize stubbed HTTP requests and fixture data to simulate different detection scenarios.

Key patterns include:
  • Subject/let block setup for dependency injection
  • Behavior stubbing for content_dir dependencies
  • Performance validation for large dataset processing

Technical Details

Testing infrastructure leverages:
  • RSpec for behavior-driven testing
  • Web request stubbing via WebMock
  • Fixture-based test data
  • Time-based performance assertions
  • Apache server context simulation

Best Practices Demonstrated

The test suite exemplifies high-quality testing practices through organized test structure and comprehensive scenario coverage.

  • Clear context separation for different test scenarios
  • Proper test isolation and dependency management
  • Performance consideration in test design
  • Effective use of RSpec matchers and expectations

wpscanteam/wpscan

spec/app/finders/interesting_findings/mu_plugins_spec.rb

            
# frozen_string_literal: true

describe WPScan::Finders::InterestingFindings::MuPlugins do
  subject(:finder) { described_class.new(target) }
  let(:target)     { WPScan::Target.new(url).extend(CMSScanner::Target::Server::Apache) }
  let(:url)        { 'http://ex.lo/' }
  let(:fixtures)   { FINDERS_FIXTURES.join('interesting_findings', 'mu_plugins') }

  before do
    expect(target).to receive(:content_dir).at_least(1).and_return('wp-content')
  end

  describe '#passive' do
    before { stub_request(:get, url).to_return(body: body) }

    context 'when no uris' do
      let(:body) { '' }

      its(:passive) { should be nil }
    end

    context 'when a large amount of unrelated uris' do
      let(:body) do
        Array.new(250) { |i| "<a href='#{url}#{i}.html'>Some Link</a><img src='#{url}img-#{i}.png'/>" }.join("\n")
      end

      it 'should not take a while to process the page' do
        time_start = Time.now
        result = finder.passive
        time_end = Time.now

        expect(result).to be nil
        expect(time_end - time_start).to be < 1
      end
    end

    context 'when uris' do
      let(:body) { File.read(fixtures.join(fixture)) }

      context 'when none matching' do
        let(:fixture) { 'no_match.html' }

        its(:passive) { should be nil }
      end

      context 'when matching via href' do
        let(:fixture) { 'match_href.html' }

        its(:passive) { should be_a WPScan::Model::MuPlugins }
      end

      context 'when matching from src' do
        let(:fixture) { 'match_src.html' }

        its(:passive) { should be_a WPScan::Model::MuPlugins }
      end
    end
  end

  describe '#aggressive' do
    xit
  end
end