Sign upLogin

rastating/wordpress-exploit-framework

View on GitHub
Star

Showing 338 of 338 total issues

Unnecessary spacing detected.
Open

        'rastating'  # WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/lightbox_reflected_xss_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Use each_key instead of keys.each.
Open

          row.keys.each do |col|
Severity: Minor
Found in lib/wpxf/cli/output.rb by rubocop

This cop checks for uses of each_key and each_value Hash methods.

Note: If you have an array of two-element arrays, you can put parentheses around the block arguments to indicate that you're not working with a hash, and suppress RuboCop offenses.

Example:

# bad
hash.keys.each { |k| p k }
hash.values.each { |v| p v }
hash.each { |k, _v| p k }
hash.each { |_k, v| p v }

# good
hash.each_key { |k| p k }
hash.each_value { |v| p v }

Prefer Date or Time over DateTime.
Open

    url_encode("#{DateTime.now.year}\"><script>#{xss_ascii_encoded_include_script}</script>")
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/spiffy_calendar_reflected_xss_shell_upload.rb by rubocop

This cop checks for uses of DateTime that should be replaced by Date or Time.

Example:

# bad - uses `DateTime` for current time
DateTime.now

# good - uses `Time` for current time
Time.now

# bad - uses `DateTime` for modern date
DateTime.iso8601('2016-06-29')

# good - uses `Date` for modern date
Date.iso8601('2016-06-29')

# good - uses `DateTime` with start argument for historical date
DateTime.iso8601('1751-04-23', Date::ENGLAND)

Unnecessary spacing detected.
Open

        'rastating'  # WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/answer_my_question_reflected_xss_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Use match? instead of =~ when MatchData is not used.
Open

          next unless input =~ /^#{k}\s+/i
Severity: Minor
Found in lib/wpxf/cli/auto_complete.rb by rubocop

In Ruby 2.4, String#match?, Regexp#match? and Symbol#match? have been added. The methods are faster than match. Because the methods avoid creating a MatchData object or saving backref. So, when MatchData is not used, use match? instead of match.

Example:

# bad
def foo
  if x =~ /re/
    do_something
  end
end

# bad
def foo
  if x.match(/re/)
    do_something
  end
end

# bad
def foo
  if /re/ === x
    do_something
  end
end

# good
def foo
  if x.match?(/re/)
    do_something
  end
end

# good
def foo
  if x =~ /re/
    do_something(Regexp.last_match)
  end
end

# good
def foo
  if x.match(/re/)
    do_something($~)
  end
end

# good
def foo
  if /re/ === x
    do_something($~)
  end
end

Avoid comma after the last item of an array.
Open

      ),
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb by rubocop

This cop checks for trailing comma in array and hash literals.

Example: EnforcedStyleForMultiline: consistent_comma

# bad
a = [1, 2,]

# good
a = [
  1, 2,
  3,
]

# good
a = [
  1,
  2,
]

Example: EnforcedStyleForMultiline: comma

# bad
a = [1, 2,]

# good
a = [
  1,
  2,
]

Example: EnforcedStyleForMultiline: no_comma (default)

# bad
a = [1, 2,]

# good
a = [
  1,
  2
]

Align .map with .where on line 68.
Open

                                .map { |m| { path: m.path, title: m.name } }
Severity: Minor
Found in lib/wpxf/cli/help.rb by rubocop

This cop checks the indentation of the method name part in method calls that span more than one line.

Example: EnforcedStyle: aligned

# bad
while myvariable
.b
  # do something
end

# good
while myvariable
      .b
  # do something
end

# good
Thing.a
     .b
     .c

Example: EnforcedStyle: indented

# good
while myvariable
  .b

  # do something
end

Example: EnforcedStyle: indentedrelativeto_receiver

# good
while myvariable
        .a
        .b

  # do something
end

# good
myvariable = Thing
               .a
               .b
               .c

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

      "admin.php?page=jobman-list-applications"\
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/job_manager_reflected_xss_shell_upload.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    "%3Cdiv data-il-client-id=%22"
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/instalinker_reflected_xss_shell_upload.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Unnecessary spacing detected.
Open

        'Paul Williams <phyushin[at]phyubox.com>'  # WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/wang_guard_reflected_xss_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Use safe navigation (&.) instead of checking if an object exists before calling the method.
Open

        context.module.active_workspace = active_workspace if context
Severity: Minor
Found in lib/wpxf/cli/modules.rb by rubocop

This cop transforms usages of a method call safeguarded by a non nil check for the variable whose method is being called to safe navigation (&.).

Configuration option: ConvertCodeThatCanStartToReturnNil The default for this is false. When configured to true, this will check for code in the format !foo.nil? && foo.bar. As it is written, the return of this code is limited to false and whatever the return of the method is. If this is converted to safe navigation, foo&.bar can start returning nil as well as what the method returns.

Example:

# bad
foo.bar if foo
foo.bar(param1, param2) if foo
foo.bar { |e| e.something } if foo
foo.bar(param) { |e| e.something } if foo

foo.bar if !foo.nil?
foo.bar unless !foo
foo.bar unless foo.nil?

foo && foo.bar
foo && foo.bar(param1, param2)
foo && foo.bar { |e| e.something }
foo && foo.bar(param) { |e| e.something }

# good
foo&.bar
foo&.bar(param1, param2)
foo&.bar { |e| e.something }
foo&.bar(param) { |e| e.something }

foo.nil? || foo.bar
!foo || foo.bar

# Methods that `nil` will `respond_to?` should not be converted to
# use safe navigation
foo.to_i if foo

Align .map with .where on line 77.
Open

                                .map { |m| { path: m.path, title: m.name } }
Severity: Minor
Found in lib/wpxf/cli/help.rb by rubocop

This cop checks the indentation of the method name part in method calls that span more than one line.

Example: EnforcedStyle: aligned

# bad
while myvariable
.b
  # do something
end

# good
while myvariable
      .b
  # do something
end

# good
Thing.a
     .b
     .c

Example: EnforcedStyle: indented

# good
while myvariable
  .b

  # do something
end

Example: EnforcedStyle: indentedrelativeto_receiver

# good
while myvariable
        .a
        .b

  # do something
end

# good
myvariable = Thing
               .a
               .b
               .c

Use % instead of %Q.
Open

    %Q|<html><head></head><body>
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb by rubocop

This cop checks if usage of %() or %Q() matches configuration.

Example: EnforcedStyle: bare_percent (default)

# bad
%Q(He said: "#{greeting}")
%q{She said: 'Hi'}

# good
%(He said: "#{greeting}")
%{She said: 'Hi'}

Example: EnforcedStyle: percent_q

# bad
%|He said: "#{greeting}"|
%/She said: 'Hi'/

# good
%Q|He said: "#{greeting}"|
%q/She said: 'Hi'/

Unnecessary spacing detected.
Open

        'rastating'  # Disclosure + WPXF module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/registrationmagic_reflected_xss_shell_upload.rb by rubocop

This cop checks for extra/unnecessary whitespace.

Example:

# good if AllowForAlignment is true
name      = "RuboCop"
# Some comment and an empty line

website  += "/bbatsov/rubocop" unless cond
puts        "rubocop"          if     debug

# bad for any configuration
set_app("RuboCop")
website  = "https://github.com/bbatsov/rubocop"

Redundant return detected.
Open

    return @success
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/impress_listings_reflected_xss_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Missing magic comment # frozen_string_literal: true.
Open

class Wpxf::Exploit::PootleButtonReflectedXssShellUpload < Wpxf::Module
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/pootle_button_reflected_xss_shell_upload.rb by rubocop

This cop is designed to help upgrade to Ruby 3.0. It will add the comment # frozen_string_literal: true to the top of files to enable frozen string literals. Frozen string literals may be default in Ruby 3.0. The comment will be added below a shebang and encoding comment. The frozen string literal comment is only valid in Ruby 2.3+.

Example: EnforcedStyle: when_needed (default)

# The `when_needed` style will add the frozen string literal comment
# to files only when the `TargetRubyVersion` is set to 2.3+.
# bad
module Foo
  # ...
end

# good
# frozen_string_literal: true

module Foo
  # ...
end

Example: EnforcedStyle: always

# The `always` style will always add the frozen string literal comment
# to a file, regardless of the Ruby version or if `freeze` or `<<` are
# called on a string literal.
# bad
module Bar
  # ...
end

# good
# frozen_string_literal: true

module Bar
  # ...
end

Example: EnforcedStyle: never

# The `never` will enforce that the frozen string literal comment does
# not exist in a file.
# bad
# frozen_string_literal: true

module Baz
  # ...
end

# good
module Baz
  # ...
end

Redundant return detected.
Open

      return { type: 'text/html', body: initial_script }
Severity: Minor
Found in lib/wpxf/modules/exploit/xss/reflected/ultimate_csv_importer_reflected_xss_shell_upload.rb by rubocop

This cop checks for redundant return expressions.

Example:

def test
  return something
end

def test
  one
  two
  three
  return something
end

It should be extended to handle methods whose body is if/else or a case expression with a default branch.

Use each_key instead of keys.each.
Open

        data.keys.each do |col|
Severity: Minor
Found in lib/wpxf/cli/output.rb by rubocop

This cop checks for uses of each_key and each_value Hash methods.

Note: If you have an array of two-element arrays, you can put parentheses around the block arguments to indicate that you're not working with a hash, and suppress RuboCop offenses.

Example:

# bad
hash.keys.each { |k| p k }
hash.values.each { |v| p v }
hash.each { |k, _v| p k }
hash.each { |_k, v| p v }

# good
hash.each_key { |k| p k }
hash.each_value { |v| p v }
Severity
Category
Status
Source
Language