urbanadventurer / WhatWeb

Next generation web scanner
https://www.morningstarsecurity.com/research/whatweb
GNU General Public License v2.0

WhatWeb accepts URLs with a URL scheme and no host #224

Closed andrericardo closed 6 years ago

andrericardo commented 6 years ago

Just tried to run them locally. Related to #187

 # Running:

F......Invalid custom plugin syntax: :text=>xeyhrdan
...

Finished in 11.849122s, 0.8439 runs/s, 1.8567 assertions/s.

  1) Failure:
WhatWebTest#test_invalid_url [/Users/andre/workspace/WhatWeb/test/unit.rb:31]:
--- expected
+++ actual
@@ -1 +1,2 @@
-""
+"https:// [ Unassigned]
+"

10 runs, 22 assertions, 1 failures, 0 errors, 0 skips
rake aborted!
Command failed with status (1)

Same issue on Travis-CI with the master branch in sync with urbanadventurer\master

https://travis-ci.org/andrericardo/WhatWeb

urbanadventurer commented 6 years ago

The one failure is a known problem. WhatWeb doesn't detect all kinds of invalid URLs yet. Otherwise the tests are running as expected.

urbanadventurer commented 6 years ago

After a gem is implemented we can have much better tests.

bcoles commented 6 years ago

This is a bug. A target URL of https:// should never make it to the scanner, let alone make it all the way through to the logger.

./whatweb https://
https:// ERROR: cannot interpret as DNS name: nil
https:// [ Unassigned] 

The bug does not appear in Ruby 1.9, 2.0 or 2.1.6, but appears from 2.2.x onwards.
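
One way to stop a host-less URL such as `https://` before it reaches the scanner or the logger, shown as an added example that is not WhatWeb's code and not the fix referenced in this thread. `parse_target` and `partition_targets` are hypothetical names, the sample targets are constructed, and inputs are assumed to already carry a scheme.

```ruby
require 'uri'

# Hypothetical helper, not WhatWeb's code. Returns a URI for a scannable
# http(s) target, or nil when the input must be rejected before scanning.
# Assumes targets already carry a scheme.
def parse_target(raw)
  uri = URI.parse(raw.to_s.strip)
  # URI::HTTPS is a subclass of URI::HTTP, so this admits both schemes only.
  return nil unless uri.is_a?(URI::HTTP)
  # Do not rely on URI.parse raising: depending on the Ruby version a
  # host-less URL parses successfully with a nil or empty host.
  host = uri.host
  return nil if host.nil? || host.empty?
  uri
rescue URI::InvalidURIError
  nil
end

# Split a target list into [accepted URIs, rejected raw strings] so rejected
# input is reported once and never handed to the scanner or logger.
def partition_targets(raw_targets)
  accepted = []
  rejected = []
  raw_targets.each do |raw|
    uri = parse_target(raw)
    (uri ? accepted : rejected) << (uri || raw)
  end
  [accepted, rejected]
end

# Constructed sample input.
SAMPLE_TARGETS = [
  'https://',
  'http://',
  'https:///admin',
  'https://:443',
  'ftp://example.com/',
  'not a url',
  'https://example.com/',
  'http://192.0.2.10:8080/login'
].freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = partition_targets(SAMPLE_TARGETS)
  accepted.each { |u| puts "scan    #{u}" }
  rejected.each { |r| warn "reject  #{r.inspect}" }
end
```

The explicit host check is what makes the result independent of the Ruby version, since the parser's handling of an empty authority is the part that differs.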

bcoles commented 6 years ago

Fixed in: