Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SITE-1500] Remove wpscan and "secure" command #161

Merged
merged 5 commits into from
Aug 14, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ jobs:
runs-on: ubuntu-latest
env:
# GITHUB_CONTEXT: ${{ toJson(github) }}
PANTHEON_WPVULNDB_API_TOKEN: ${{ secrets.PANTHEON_WPVULNDB_API_TOKEN }}
WP_CLI_BIN_DIR: /tmp/wp-cli-phar
DB_NAME: pantheon
DB_USER: pantheon
Expand Down
1 change: 0 additions & 1 deletion .github/workflows/validate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ jobs:

env:
# GITHUB_CONTEXT: ${{ toJson(github) }}
PANTHEON_WPVULNDB_API_TOKEN: ${{ secrets.PANTHEON_WPVULNDB_API_TOKEN }}
WP_CLI_BIN_DIR: /tmp/wp-cli-phar
DB_NAME: pantheon
DB_USER: pantheon
Expand Down
12 changes: 3 additions & 9 deletions CHECKS.md
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,6 @@ The message method receives a [\Pantheon\Messsenger](php/pantheon/messenger.php)
**Check:** \Pantheon\Checks\Sessions;
This check does a ```preg_match``` on each file passed to the run() method for the regex ```.*(session_start|SESSION).*```

### Secure
**Check:** [\Pantheon\Check\Insecure](php/pantheon/checks/insecure.php)
This check looks for insecure code by running ````preg_match("#.*(eval|base64_decode)\(.*#:", $filecontent)```. This regex can be improved but the theory here is that ```eval``` and ```base64_decode``` are insecure because the first is discouraged even by PHP because it executes arbitrary code. The second isn't necessarily insecure by itself but is often combined with eploits to obfuscate the malicious code. ```base64_decode``` can also sometimes lead to php segfaults [ **This check is not currently used in the Pantheon dashboard ** ]

**Check:** [\Pantheon\Check\Exploited](php/pantheon/checks/exploited.php) This check attempts to find actual exploits by running ```'.*eval\(.*base64_decode\(.*';```. The goal here is to find instance of ```eval``` operating on decoded base64, which is almost certainly a bad idea. This regex should be refined because now it technically could alert when it finds the two functions on the same page but not necessary in the right order, leading to a false positive.

## Regular Checkers

### General
Expand All @@ -68,16 +62,16 @@ This check runs the following db checks

### Cron
**Cron:** [\Pantheon\Checks\Cron](php/commands/checks/cron.php)
This check simple examines whether ```DISABLE_WP_CRON``` evaluates ```true``` to see if cron has been disabled. ( We should probably also curl the ```wp-cron.php?doing_wp_cron``` and ensure we get a 200 ). Some hosts disable the default WP_Cron functionality, substituting a system cron, because the HTTP base WP_Cron can sometimes have race conditions develop causing what might be referred to as "runaway cron", in which HTTP multiple requests trigger the cron a small amount of time causing a spike in PHP/MySQL resource consumption. This check also dumps the scheduled tasks into a table using ```get_option('cron')```.
This check simple examines whether ```DISABLE_WP_CRON``` evaluates ```true``` to see if cron has been disabled. ( We should probably also curl the ```wp-cron.php?doing_wp_cron``` and ensure we get a 200 ). Some hosts disable the default WP_Cron functionality, substituting a system cron, because the HTTP base WP_Cron can sometimes have race conditions develop causing what might be referred to as "runaway cron", in which HTTP multiple requests trigger the cron a small amount of time causing a spike in PHP/MySQL resource consumption. This check also dumps the scheduled tasks into a table using ```get_option('cron')```.

### object-cache
**objectcache** [\Pantheon\Checks\Cron](php/commands/checks/objectcache.php)
Checks is the ```wp-content/object-cache.php``` exists to determine whether object caching is in use. Checks that the ```global $redis_server``` variable is not empty to determine whether redis is being used.

### Plugins
**plugins** [\Pantheon\Checks\Plugins](php/commands/checks/plugins.php)
Checks all plugins against the wpscan.com database we license. Alerts 'error' if a vulnerability is found and links to the wpvulndb.com page for more info. Also checks for available updates and alerts 'warning' if plugins needing an update are found.
Checks for available updates and alerts 'warning' if plugins needing an update are found.

### Themes
**themes** [\Pantheon\Checks\Themes](php/commands/checks/themes.php)
Checks all themes against the wpscan.com database we license. Alerts 'error' if a vulnerability is found and links to the wpvulndb.com page for more info. Also checks for available updates and alerts 'warning' if themes needing an update are found.
Checks for available updates and alerts 'warning' if themes needing an update are found.
7 changes: 2 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,6 @@ To use WP Launch Check simply run the ```wp launchcheck <subcommand>``` command

For more information about WP-CLI you can visit [their github page](https://github.com/wp-cli/wp-cli).

WP Launch Check should be considered in "BETA". Many of the checks have still not been tested in the wild. If you experience a problem please open an issue.

## Installing

Installing this package requires WP-CLI v0.23.0 or greater. Update to the latest stable release with `wp cli update`.
Expand All @@ -30,9 +28,8 @@ Below is a summary of the available commands. *Full technical description of eac
* **wp launchcheck database**: Checks related to the databases.
* **wp launchcheck object_cache**: Checks whether object caching is enabled and if on Pantheon whether redis is enabled.
* **wp launchcheck sessions**: Checks for plugins referring to the php session_start() function or the superglobal ```$SESSION``` variable. In either case, if you are on a cloud/distributed platform you will need additional configuration achieve the expected functionality
* **wp launchcheck secure**: Does some rudimentary security checks
* **wp launchcheck plugins**: Checks plugins for updates and known vulnerabilities
* **wp launchcheck themes**: Checks themes for updates and known vulnerabilities
* **wp launchcheck plugins**: Checks plugins for updates
* **wp launchcheck themes**: Checks themes for updates



Expand Down
3 changes: 0 additions & 3 deletions features/bootstrap/FeatureContext.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,6 @@ private static function get_process_env_variables() {
if ( $config_path = getenv( 'WP_CLI_CONFIG_PATH' ) ) {
$env['WP_CLI_CONFIG_PATH'] = $config_path;
}
if ( $wpvulndb_api_token = getenv( 'PANTHEON_WPVULNDB_API_TOKEN' ) ) {
$env['PANTHEON_WPVULNDB_API_TOKEN'] = $wpvulndb_api_token;
}
return $env;
}

Expand Down
76 changes: 0 additions & 76 deletions features/exploited.feature

This file was deleted.

29 changes: 0 additions & 29 deletions features/insecure.feature

This file was deleted.

33 changes: 2 additions & 31 deletions php/commands/launchcheck.php
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,6 @@ public function all($args, $assoc_args) {
// WordPress is now loaded, so other checks can run
$searcher = new \Pantheon\Filesearcher( WP_CONTENT_DIR );
$searcher->register( new \Pantheon\Checks\Sessions() );
$searcher->register( new \Pantheon\Checks\Insecure() );
$searcher->register( new \Pantheon\Checks\Exploited() );
$searcher->execute();
$checker->register( new \Pantheon\Checks\Plugins(TRUE));
$checker->register( new \Pantheon\Checks\Themes(TRUE));
Expand Down Expand Up @@ -158,33 +156,7 @@ public function object_cache($args, $assoc_args) {
}

/**
* Checks files for insecure code and checks the wpscan.com/api for known vulnerabilities
*
* ## OPTIONS
*
* [--skip=<regex>]
* : a regular expression matching directories to skip
*
* [--format=<format>]
* : output as json
*
* ## EXAMPLES
*
* wp launchcheck secure --skip=wp-content/themes
*
*/
public function secure($args, $assoc_args) {
$searcher = new \Pantheon\Filesearcher( WP_CONTENT_DIR );
$searcher->register( new \Pantheon\Checks\Insecure() );
$searcher->register( new \Pantheon\Checks\Exploited() );
$searcher->execute();
$format = isset($assoc_args['format']) ? $assoc_args['format'] : 'raw';
\Pantheon\Messenger::emit($format);
}

/**
* Checks plugins for vulnerabilities using the wpscan vulnerability DB
* - https://wpscan.com/api
* Checks plugins for available updates
*
* ## OPTIONS
*
Expand All @@ -208,8 +180,7 @@ public function plugins($args, $assoc_args) {
}

/**
* Checks themes for vulnerabilities using the wpscan vulnerability DB
* - https://wpscan.com/api
* Checks themes for available updates
*
* ## OPTIONS
*
Expand Down
51 changes: 0 additions & 51 deletions php/pantheon/checks/exploited.php

This file was deleted.

52 changes: 0 additions & 52 deletions php/pantheon/checks/insecure.php

This file was deleted.

36 changes: 0 additions & 36 deletions php/pantheon/checks/namespace.php

This file was deleted.

Loading
Loading