wp-sec's People

Contributors

anemirovsky avatar cericoda avatar danielbachhuber avatar markri avatar

wp-sec's Issues

API fees

Not an issue but a question for discussion if that's ok.

Using this plugin on a few sites, even with caching, won't be possible without obtaining an enterprise license from the provider.

I have about 35 sites I check daily which causes over 3 times the 250 query limit. I have made enquiries on the pricing but it's a little too expensive for just me to pay.

Has anyone got any ideas about how we could collaborate around this project to get better value than everyone having to buy an enterprise license?

Caching of 404 pages

See #19 for history

Summary:
Because 404 responses from wpvulndb are not cached, one might encounter the API rate limit. To prevent this behaviour 404 responses should be cached as well.

dropin plugins

Hi, I have just run wp-sec check (version 0.0.2) against wp-cli version 2.0.1 on a multisite and the plugin errored out:

Error: Unexpected response from wpvulndb for plugin sunrise.php

Sure enough, wp plugin list now shows dropin plugins as well as 'must-use' in the list thanks to this commit.

Example end of plugin output:

| admin-menu-editor-mu               | must-use       | none      |         |
| advanced-cache.php                 | dropin         | none      |         |
| sunrise.php                        | dropin         | none      |         |
+------------------------------------+----------------+-----------+---------+

Of course, these aren't going to be present on wpvulndb not least because they don't appear to have versions either.

I thought this might be an easy fix but I had a look at the wp plugin list command and can't see how to skip displaying dropin plugins.

EDIT: So I have now added a condition to exclude those plugins with a pull request which has worked fine on my example site.

Mask API key or hide from process list

Good day
This is less of a bug report and more of a functionality question. Apologies if I'm using the wrong forum.
We have an enterprise plan with wpvulndb and we're using a bash script to scan for vulnerabilities.
Does the functionality exist inside of wp-sec to mask the API key so that it doesn't show in the process list?
Many thanks

error 429

I am having a problem where sometimes I get an error when running the script:

Error: Couldn't check wpvulndb @ https://wpvulndb.com/api/v2/wordpresses/477 (HTTP code 429)

This is where I am checking once per day, even though I have caching set to true and I am also running a checksum report in between checks. It appears to occur while running wp-sec itself, and happens much more often than I would like with installations with over 23 plugins (or over 3 themes, not actually sure which).

Is it possible to make this a bit more sophisticated, either to predict and wait when the rate limit is hit, or to wait and try again if it is hit? As it stands, it means I am getting more false positives than I would like.

Do you know if wpvulndb have published any info on what the rate limits are? There doesn't seem to be anything on their site.

Fatal error in latest version of wp-sec

Here's the error I'm getting:

PHP Warning:  require(/root/.wp-cli/packages/vendor/markri/wp-sec/vendor/autoload.php): failed to open stream: No such file or directory in /root/.wp-cli/packages/vendor/markri/wp-sec/command.php on line 12
PHP Fatal error:  require(): Failed opening required '/root/.wp-cli/packages/vendor/markri/wp-sec/vendor/autoload.php' (include_path='phar:///usr/local/src/wp-cli/bin/wp/vendor/phpunit/php-token-stream:phar:///usr/local/src/wp-cli/bin/wp/vendor/phpunit/phpunit-mock-objects:phar:///usr/local/src/wp-cli/bin/wp/vendor/phpunit/php-code-coverage:phar:///usr/local/src/wp-cli/bin/wp/vendor/phpunit/phpunit:phar:///usr/local/src/wp-cli/bin/wp/vendor/symfony/yaml:.:/usr/share/pear:/usr/share/php') in /root/.wp-cli/packages/vendor/markri/wp-sec/command.php on line 12

This is after doing an update just a moment ago. The previous version of plugin worked just before the update. I can confirm the file /root/.wp-cli/packages/vendor/markri/wp-sec/vendor/autoload.php does not exist. In fact, the directory /root/.wp-cli/packages/vendor/markri/wp-sec/vendor/ does not exist. The package was updated via wp package update.

Ignore list feature suggestion.

It might be nice to be able to maintain an 'ignore list' of vulnerabilities to ignore. In particular, 2017-8295 is still present in WordPress but can be, and often is, mitigated by the Apache configuration. By supplying an ignore list as an argument, it would be possible to have such a site come up clean.

For some reason, checking wordpress 4.8.2 results in the return of two entries of this 2017-8295 CVE.
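One way to implement the ignore list asked for in this issue, written here as an added Python example rather than wp-sec's own PHP code. Each ignore entry carries a reason and an expiry date so an accepted risk is re-surfaced automatically instead of being silenced forever, and duplicate entries for the same finding (the issue mentions 2017-8295 appearing twice for 4.8.2) are collapsed before reporting. The ignore-file format, the finding records and their shape (a title plus CVE ids under "references") are all constructed for the example.

```python
# Added example, not wp-sec's own code: an ignore list with reasons and expiry
# dates, plus de-duplication of repeated findings.
import datetime as dt
from typing import Dict, List, Optional, Tuple

IgnoreEntry = Tuple[str, dt.date]  # (reason, ignore-until)

# Constructed sample: "<cve-id> <reason> <until YYYY-MM-DD>", '#' starts a comment.
IGNORE_FILE = """\
# id          reason                      until
2017-8295     mitigated-by-apache-config  2099-12-31
2016-0001     accepted-risk               2000-01-01
"""


def parse_ignore_list(text: str, today: Optional[dt.date] = None):
    """Returns (active, expired) ignore entries keyed by CVE id. A malformed
    line raises rather than silently widening the ignore list."""
    today = today or dt.date.today()
    active: Dict[str, IgnoreEntry] = {}
    expired: Dict[str, IgnoreEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"ignore list line {lineno}: expected 'id reason until'")
        cve, reason, until = parts
        until_date = dt.date.fromisoformat(until)
        (active if until_date >= today else expired)[cve] = (reason, until_date)
    return active, expired


def filter_findings(findings: List[dict], ignore: Dict[str, IgnoreEntry]):
    """Drops exact duplicates, then splits findings into those to report and
    human-readable notes for those suppressed by the ignore list."""
    seen = set()
    report: List[dict] = []
    notes: List[str] = []
    for f in findings:
        cves = tuple(sorted(f.get("references", {}).get("cve", [])))
        key = (f["title"], cves)
        if key in seen:
            continue  # second copy of the same finding, as reported for 4.8.2
        seen.add(key)
        matched = [c for c in cves if c in ignore]
        if matched:
            reason, until = ignore[matched[0]]
            notes.append(f"ignored {f['title']} ({matched[0]}): {reason}, until {until}")
        else:
            report.append(f)
    return report, notes


# Constructed findings for a hypothetical WordPress 4.8.2 check (not real titles).
FINDINGS = [
    {"title": "Example finding A", "references": {"cve": ["2017-8295"]}},
    {"title": "Example finding A", "references": {"cve": ["2017-8295"]}},
    {"title": "Example finding B", "references": {"cve": ["2016-0001"]}},
    {"title": "Example finding C", "references": {}},
]


def demo(today: dt.date = dt.date(2024, 1, 1)):
    active, expired = parse_ignore_list(IGNORE_FILE, today)
    report, notes = filter_findings(FINDINGS, active)
    return report, notes, sorted(expired)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The expiry date is the part worth keeping: an entry that was valid because of an Apache rule stops applying the day someone changes the web server, and an expired entry shows up in the report again instead of staying hidden.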

Undefined variable when cache is used.

When getting a cached response from wpvulndb, this happens:

PHP Notice: Undefined variable: url in /usr/local/lib/wp-cli-packages/vendor/markri/wp-sec/command.php on line 225

This adds the variable value with a 'Cached' string.

command-patch.txt

plugin list failing due to lack of memory

Hello, your plugin is great. I have taken to launching wp-sec with the following:-

php -d memory_limit=512M /usr/local/bin/wp wp-sec check --allow-root --path=/home/$CPUSER/public_html

Unfortunately, for one particular site, I am unable to get a list of plugins

this command passes, with the expected list of plugins:
php -d memory_limit=512M /usr/local/bin/wp plugin list --allow-root --path=/home/$CPUSER/public_html

but this one fails:
/usr/local/bin/wp plugin list --allow-root --path=/home/$CPUSER/public_html

Not even sure if this is a bug but thought I would put it here in case anyone has any suggestions or comments.

wpvulndb output for unknown plugins has changed

If my site has a plugin that is not in wpvulndb, say advanced-custom-fields-pro, and I run

$ wp wp-sec check --cached --output=json --api=v3 --token=[my_token] --type=plugins

I will get

Error: Unexpected response from wpvulndb for plugin advanced-custom-fields-pro

From the bit of code on line 349 of command.php, it looks like the wpvulndb API used to return a 404 in this case, but that output has changed. Now it is returning

$ curl -H "Authorization: Token token=[my_token]" https://wpvulndb.com/api/v3/plugins/advanced-custom-fields-pro
{"error":"Not found"}

so we need to check for that response as well.
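Three of the issues on this page ("Caching of 404 pages", "error 429" and this one) are about the same piece of logic: how a lookup against wpvulndb should treat a miss, a rate limit and the newer `{"error":"Not found"}` body. The following is an added Python example of that logic, not wp-sec's PHP code: a miss is cached just like a hit, an HTTP 429 is retried with backoff instead of failing the run, and both a 404 and a 200 with `{"error":"Not found"}` count as "not found". The API base URL follows the curl command quoted above; the transport is a fake so the example runs offline, and all response bodies are constructed.

```python
# Added example, not wp-sec's own code: a wpvulndb-style lookup helper.
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

API_BASE = "https://wpvulndb.com/api/v3"  # base of the URL quoted in the issue


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


class RateLimited(Exception):
    """Raised only after the retry budget for HTTP 429 is exhausted."""


class UnexpectedResponse(Exception):
    """Anything that is neither a hit, a 'not found', nor a 429."""


@dataclass
class VulnLookup:
    transport: Callable[[str], Response]  # injected so this runs offline
    cache: Dict[str, Optional[dict]] = field(default_factory=dict)
    max_retries: int = 3
    sleep: Callable[[float], None] = time.sleep
    calls: int = 0  # number of real API requests made

    def lookup(self, kind: str, slug: str) -> Optional[dict]:
        """kind is 'plugins', 'themes' or 'wordpresses'. Returns the parsed JSON
        for a hit, or None when the API does not know the item. Both outcomes are
        cached, so an unknown plugin costs one request per run, not one per check."""
        key = f"{kind}/{slug}"
        if key not in self.cache:
            self.cache[key] = self._fetch(f"{API_BASE}/{key}")
        return self.cache[key]

    def _fetch(self, url: str) -> Optional[dict]:
        delay = 1.0
        for attempt in range(self.max_retries + 1):
            self.calls += 1
            resp = self.transport(url)
            if resp.status == 429:
                if attempt == self.max_retries:
                    raise RateLimited(f"{url}: still rate limited after {attempt} retries")
                # Honour Retry-After if the server sends it, else back off exponentially.
                self.sleep(float(resp.headers.get("Retry-After", delay)))
                delay *= 2
                continue
            if resp.status == 404:  # older API behaviour for unknown items
                return None
            if resp.status != 200:
                raise UnexpectedResponse(f"HTTP {resp.status} for {url}")
            data = json.loads(resp.body)
            # Newer behaviour reported in the issue: HTTP 200 with {"error":"Not found"}.
            if isinstance(data, dict) and data.get("error") == "Not found":
                return None
            return data
        raise AssertionError("unreachable")  # the loop always returns or raises


def make_fake_transport(script: Dict[str, List[Response]]) -> Callable[[str], Response]:
    """Constructed offline transport: serves each URL's responses in order and
    keeps repeating the last one."""
    queues = {url: list(responses) for url, responses in script.items()}

    def transport(url: str) -> Response:
        queue = queues[url]
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return transport


def demo():
    acf = f"{API_BASE}/plugins/advanced-custom-fields-pro"
    core = f"{API_BASE}/wordpresses/477"
    transport = make_fake_transport({
        acf: [Response(200, '{"error":"Not found"}')],
        core: [Response(429, "", {"Retry-After": "0"}),
               Response(200, '{"4.7.7": {"vulnerabilities": []}}')],  # constructed body
    })
    waits: List[float] = []
    client = VulnLookup(transport, sleep=waits.append)
    first = client.lookup("plugins", "advanced-custom-fields-pro")
    second = client.lookup("plugins", "advanced-custom-fields-pro")  # served from cache
    core_data = client.lookup("wordpresses", "477")  # one 429, then a hit
    return first, second, core_data, client.calls, waits


if __name__ == "__main__":
    print(demo())
```

Two design points: the cache stores `None` as a value rather than leaving the key absent, which is what makes a miss cacheable; and the retry loop has a fixed budget, so a site that is genuinely over its quota still fails loudly with `RateLimited` instead of looping forever or, worse, being reported as clean.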

Future of vulnerability scanner....

So.... funny story..... we at 10up were building a wp-cli vulnerability scanner at the same time you were building this. https://github.com/10up/wp-vulnerability-scanner. Our tools do pretty much the same thing (I've been using both and like the way yours displays some information, but also like how ours can do checks on specific plugin and theme versions). We started a conversation with Daniel Bachhuber about adding our vulnerability scanner to the package index and Daniel is preferring having a canonical solution rather than a bunch of different packages solving the same problem wp-cli/package-index#98. I think that approach makes sense, so I'm wondering if we can collaborate here on a single vulnerability/security wp-cli plugin going forward. Not sure yet what that looks like, but we're committed to maintaining this and I think a combined wp-cli package with the functionality of both of our tools would be a great thing.

Let me know what you think. @tott has been working on this with me and will be joining in the conversation as well.

Issue parsing maintenance.php (the WP core file)

While running the command, I am getting this error from the core file, maintenance.php

Vulnerabilities:
Error: Unexpected response from wpvulndb for plugin maintenance.php

WP version 5.2.2
wp wp-sec Version: 0.0.2

Query about capitalization of theme name

I have a question about themes. I have noticed that I am getting an error for the theme 'Avada'. The theme has a capitalized first letter, and the wpvulndb entry is: https://wpvulndb.com/api/v2/themes/Avada

The json on that page lists the theme name as avada. Is this a problem that wp-sec should solve or should I take this up with wpvulndb do you think?

EDIT: In any case, the discrepancy causes wp-sec to crash with the following error:
Error: Unexpected response from wpvulndb for theme Avada
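The "dropin plugins", "Issue parsing maintenance.php" and "Query about capitalization of theme name" issues all come down to deciding which `wp plugin list` / `wp theme list` entries should be sent to wpvulndb at all, and under what slug. The following is an added Python example of that selection step, not wp-sec's PHP code: entries whose status is dropin or must-use, bare .php files such as maintenance.php, and anything without a version are skipped with a recorded reason, and the remaining names are lowercased to match the wpvulndb slug (avada, not Avada). The JSON inputs are constructed to mirror the table quoted in the dropin issue; the version numbers are made up.

```python
# Added example, not wp-sec's own code: choose which wp-cli list entries to query.
import json
from typing import Dict, List, Tuple

# Statuses wp-cli reports for files that are not real, versioned plugins.
NOT_QUERYABLE = {"dropin", "must-use"}


def select_items(raw_json: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Parses `wp plugin list --format=json` or `wp theme list --format=json`
    output. Returns (queries, skipped): queries is a list of (api_slug, version)
    pairs, skipped maps each skipped name to the reason it was left out."""
    queries: List[Tuple[str, str]] = []
    skipped: Dict[str, str] = {}
    for item in json.loads(raw_json):
        name, status = item["name"], item.get("status", "")
        version = (item.get("version") or "").strip()
        if status in NOT_QUERYABLE:
            skipped[name] = f"status {status}"  # advanced-cache.php, sunrise.php, ...
        elif name.endswith(".php"):
            skipped[name] = "bare php file, not a plugin slug"  # e.g. maintenance.php
        elif not version:
            skipped[name] = "no version to compare against"
        else:
            # wpvulndb slugs are lowercase even when the theme directory is 'Avada'.
            queries.append((name.lower(), version))
    return queries, skipped


# Constructed sample modelled on the table quoted in the dropin issue.
PLUGIN_LIST_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
    {"name": "admin-menu-editor-mu", "status": "must-use", "update": "none", "version": ""},
    {"name": "advanced-cache.php", "status": "dropin", "update": "none", "version": ""},
    {"name": "sunrise.php", "status": "dropin", "update": "none", "version": ""},
    {"name": "maintenance.php", "status": "dropin", "update": "none", "version": ""},
])

# Constructed sample for the theme issue (version numbers are made up).
THEME_LIST_JSON = json.dumps([
    {"name": "Avada", "status": "active", "update": "none", "version": "5.9.1"},
    {"name": "twentynineteen", "status": "inactive", "update": "none", "version": "1.4"},
])


if __name__ == "__main__":
    for label, raw in (("plugins", PLUGIN_LIST_JSON), ("themes", THEME_LIST_JSON)):
        queries, skipped = select_items(raw)
        print(label, "query:", queries)
        print(label, "skip:", skipped)
```

Recording why an item was skipped matters for a security check: a report that silently drops entries looks the same as a report where those entries were checked and found clean, so the skipped list should be printed alongside the findings.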
