Giter Club home page Giter Club logo

soter-core's Introduction

soter-core

Soter Core is a simple library for interacting with the WPScan Vulnerability Database API.

It contains the core logic for Soter and Soter Command.

Requirements

This package requires Composer. It should work down to PHP 5.3, however it is only properly tested down to PHP 5.6 since that is now the minimum required version for 10up/WP_Mock.

Installation

composer require ssnepenthe/soter-core

Usage

Depending on your use-case, you should be interacting with either the Api_Client class or the Checker class.

API Client

$client = new Soter_Core\Api_Client(
    new Soter_Core\Cached_Http_Client(
        new Soter_Core\WP_Http_Client( 'Some user agent string' ),
        new Soter_Core\WP_Transient_Cache( 'unique-prefix', HOUR_IN_SECONDS )
    )
);

The API client exposes a ->check() method which can be used to check a Soter_Core\Package instance against the API:

$plugin = new Soter_Core\Package( 'contact-form-7', Soter_Core\Package::TYPE_PLUGIN, '4.9' );
$response = $client->check( $plugin );

$theme = new Soter_Core\Package( 'twentyfifteen', Soter_Core\Package::TYPE_THEME, '1.8' );
$response = $client->check( $theme );

// WordPress "slug" is the version string stripped of periods.
$wordpress = new Soter_Core\Package( '481', Soter_Core\Package::TYPE_WORDPRESS, '4.8.1' );
$response = $client->check( $wordpress );

Responses will be an instance of Soter_Core\Response. You can check package vulnerabilities using the following methods:

->has_vulnerabilities() - Returns a boolean value indicating whether there are any recorded vulnerabilities for a given package.

->get_vulnerabilities() - Returns an instance of Soter_Core\Vulnerabilities representing all vulnerabilities that have ever affected a given package.

->get_vulnerabilities_by_version( string $version = null ) - Returns an instance of Soter_Core\Vulnerabilities representing all vulnerabilities which affect a given package at the given version.

->get_vulnerabilities_for_current_version() - Returns an instance of Soter_Core\Vulnerabilities representing all vulnerabilities which affect a given package at the version checked against the API.

Checker

$checker = new Soter_Core\Checker(
    new Soter_Core\Api_Client(
        new Soter_Core\Cached_Http_Client(
            new Soter_Core\WP_Http_Client( 'Some user agent string' ),
            new Soter_Core\WP_Transient_Cache( 'unique-prefix', HOUR_IN_SECONDS )
        )
    ),
    new Soter_Core\WP_Package_Manager()
);

The following methods are available on a checker instance:

->check_site( array $ignored = array() ) - Checks the current version of all installed packages (plugins, themes and core) and returns an instance of Soter_Core\Vulnerabilities. An optional array of package slugs that should not be checked can be provided.

->check_plugins( array $ignored = array() ) - Checks the current version of all installed plugins and returns an instance of Soter_Core\Vulnerabilities. An optional array of plugin slugs that should not be checked can be provided.

->check_themes( array $ignored = array() ) - Checks the current version of all installed themes and returns an instance of Soter_Core\Vulnerabilities. An optional array of theme slugs that should not be checked can be provided.

->check_wordpress( array $ignored = array() ) - Checks the current version of WordPress and returns an instance of Soter_Core\Vulnerabilities. An optional array of WordPress "slugs" that should not be checked can be provided. Keep in mind that the slug used for WordPress is the version string stripped of periods (e.g. '475' for version 4.7.5).

You can also add any number of callbacks to be run after each package is checked.

Each callback will be called with a Soter_Core\Vulnerabilities instance and a Soter_Core\Response instance.

As a simple example, you might do something like the following to log error responses for debugging purposes:

$checker->add_post_check_callback( function( $vulnerabilities, $response ) {
    if ( ! $response->is_error() ) {
        return;
    }

    // Ex: "Error checking plugin not-a-real-plugin with message: Non-200 status code received"
    $this->logger->debug( 'Error checking {type} {slug} with message: {message}', [
        'message' => $response->error['message'],
        'slug' => $response->get_package()->get_slug(),
        'type' => $response->get_package()->get_type(),
    ] );
} );

soter-core's People

Contributors

ssnepenthe avatar

Watchers

avatar avatar

Forkers

pombredanne inncee81

soter-core's Issues

API response edge cases

Vulnerability 8958: The vulnerability was reported against the bbPress plugin but the fix came from WP core.

Since there is no "fixed in" version on the bbPress API response, this vulnerability will always be returned by the ->vulnerabilities_by_version() method.

Consider dropping unnecessary interfaces

They are really only needed where you might want to create an alternate implementation for use outside of WordPress.

Keepers (and their likely implementations):

  • Package manager interface (wp, composer)
  • Http interface (wp, curl/requests lib?)
  • Cache interface (transients, file, etc)

Add support for v3 of the API

v3 requires an authorization token for all requests.

Not sure if support for v2 should be removed completely or support for both should be maintained...

Consider adding generic event interface

Instead of calling do_action() directly, add a generic event system that can be used outside of WordPress.

Something external like event and event dispatcher interfaces?

Or maybe just methods on the checker instance like add_post_check_callback() and do_post_check_callbacks()?

Consider creating some sort of vulnerability collection class

Ref. ssnepenthe/soter#21.

If do_action() is called with an array containing a single object, that object is passed directly to callbacks instead of the array.

This leads to a situation where a listener can never be certain of the type of $vulnerabilities and must add extra checks.

So - it might be nice to have a collection object that can be used to wrap the array of vulnerabilities.

HTTP errors silently ignored/discarded

The WP_Http_Client class throws an exception in the event of a WP_Error response.

The Api_Client class catches this and converts it to an error Api_Response instance.

The Api_Response class provides a method for checking whether or not there is an error.

However - The Checker class calls $response->get_vulnerabilities_by_version() without checking for errors. In the event of an error, an empty array is returned.

So basically if the HTTP request fails, the checker is unaware and assumes that no vulnerabilities were detected.

$this inside closure

soter-core/src/class-response.php

Lines 229 to 231 in b63bfc5

array_map( function( array $vulnerability ) {
return new Vulnerability( $this->package, $vulnerability );
}, $data['vulnerabilities'] )

Is it even worth pretending to support PHP 5.3 at this point?

WP_Mock@dev-dev is required as a dev dependency - As of the latest commit to soter-core this put us at ~0.2.x which required PHP5.6+. Currently, it would pull ~0.3.x which requires PHP7+.

All that to say that it is unlikely this package will ever be properly tested below PHP5.6 going forward, and maybe not even below 7.0.

Alternatively - consider introducing a tool such as https://github.com/wimg/PHPCompatibility to avoid simple issues such as this in the future.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.