Added missing support for importing Ronin::Vulns::CommandInjection …

…objects.
ronin-rb · Dec 4, 2023 · 83d2b58 · 83d2b58
1 parent 35c54e2
commit 83d2b58
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/lib/ronin/vulns/importer.rb b/lib/ronin/vulns/importer.rb
@@ -83,6 +83,10 @@ def self.import(vuln)
           attributes[:sqli_terminate]     = vuln.terminate
         when SSTI
           attributes[:ssti_escape_type] = vuln.escape_type
+        when CommandInjection
+          attributes[:command_injection_escape_quote]    = vuln.escape_quote
+          attributes[:command_injection_escape_operator] = vuln.escape_operator
+          attributes[:command_injection_terminator]      = vuln.terminator
         end
 
         imported_vuln = DB::WebVuln.transaction do

diff --git a/spec/importer_spec.rb b/spec/importer_spec.rb
@@ -4,6 +4,7 @@
 require 'ronin/vulns/rfi'
 require 'ronin/vulns/sqli'
 require 'ronin/vulns/ssti'
+require 'ronin/vulns/command_injection'
 require 'ronin/vulns/open_redirect'
 require 'ronin/vulns/reflected_xss'
 require 'ronin/db'
@@ -233,6 +234,51 @@
       end
     end
 
+    context "when given an Ronin::Vulns::CommandInjection object" do
+      let(:vuln_class) { Ronin::Vulns::CommandInjection }
+
+      include_context "importing common attributes"
+
+      context "when #escape_quote is set on the CommandInjection vuln object" do
+        let(:vuln) do
+          vuln_class.new(url, query_param:  query_param,
+                              escape_quote: "'")
+        end
+
+        it "must set the #command_injection_escape_quote field to the CommandInjection vuln object's #escape_type" do
+          imported_vuln = subject.import(vuln)
+
+          expect(imported_vuln.command_injection_escape_quote).to eq(vuln.escape_quote)
+        end
+      end
+
+      context "when #escape_operator is set on the CommandInjection vuln object" do
+        let(:vuln) do
+          vuln_class.new(url, query_param:     query_param,
+                              escape_operator: ";")
+        end
+
+        it "must set the #command_injection_escape_operator field to the CommandInjection vuln object's #escape_type" do
+          imported_vuln = subject.import(vuln)
+
+          expect(imported_vuln.command_injection_escape_operator).to eq(vuln.escape_operator)
+        end
+      end
+
+      context "when #terminator is set on the CommandInjection vuln object" do
+        let(:vuln) do
+          vuln_class.new(url, query_param: query_param,
+                              terminator:  "#")
+        end
+
+        it "must set the #command_injection_terminator field to the CommandInjection vuln object's #escape_type" do
+          imported_vuln = subject.import(vuln)
+
+          expect(imported_vuln.command_injection_terminator).to eq(vuln.terminator)
+        end
+      end
+    end
+
     context "when given an Ronin::Vulns::OpenRedirect object" do
       let(:vuln_class) { Ronin::Vulns::OpenRedirect }