wp-vulnerability-scanner.php

<?php
/**
 * Plugin Name: WP Vulnerability Scanner
 * Plugin URI: https://github.com/10up/wp-vulnerability-scanner
 * Description: WP-CLI command only.
 *              Check WordPress code, installed plugins and themes for vulnerabilities reported by wpvulndb.com.
 * Version: 0.0.2
 * Author: 10up
 * Author URI: http://10up.com
 * License: MIT
 */

if ( ! defined( 'WP_CLI' ) ) {
	return;
}

/**
 * WP Vulnerability Scanner
 */
class Vulnerability_CLI extends WP_CLI_Command {

	/**
	 */
	var $porcelain;

	/**
	 */
	var $test;

	/**
	 */
	var $update_list;
	
	/**
	 */
	var $assoc_args_wordpress;

	/**
	 */
	var $assoc_args_plugin;

	/**
	 */
	var $assoc_args_theme;
	
	/**
	 * Flag for nagios
	 */
	var $nagios_op;
	
	/**
	 * Flag for mail
	 */
	var $mail;

	/**
	 * Check plugins and themes for reported vulnerabilities.
	 *
	 * ## OPTIONS
	 *
	 * [--test]
	 * : Load test plugin/theme data
	 *
	 * [--nagios]
	 * : Output for nagios
	 *
	 * [--mail]
	 * : Mail nagios output if any vulnerability found
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln status
	 *     wp vuln status --not-themes
	 *
	 * @subcommand status
	 */
	function status( $args, $assoc_args ) {

		$this->porcelain = false;
		$this->test      = isset( $assoc_args['test'] );

		$this->nagios_op = isset( $assoc_args['nagios'] );
		$this->mail      = isset( $assoc_args['mail'] ) ? $assoc_args['mail'] : '';
		
		$this->update_list = array();

		// need a copy because it's passed by ref and destroyed in the formatter
		$this->assoc_args_plugin = $assoc_args;
		$this->assoc_args_theme = $assoc_args;
		$this->assoc_args_wordpress = $assoc_args;
		
		global $wp_version;
		
		if( $this->nagios_op ) {
			$this->_do_nagios_op( array( 'wordpress', 'plugin', 'theme' ) );
		}
		
		WP_CLI::log( WP_CLI::colorize( '%GWordPress ' . $wp_version . ' %n' ) );
		$this->_do_wordpress();
		
		WP_CLI::log( WP_CLI::colorize( '%GPlugins%n' ) );
		$this->_do_plugins();
		
		WP_CLI::log( WP_CLI::colorize( '%GThemes%n' ) );
		$this->_do_themes();

	}
	
	/**
	 * Check WordPress core for reported vulnerabilities.
	 *
	 * ## OPTIONS
	 *
	 * [--nagios]
	 * : Output for nagios
	 *
	 * [--mail]
	 * : Mail nagios output if any vulnerability found
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln core-status
	 *
	 * @subcommand core-status
	 */
	function core_status( $args, $assoc_args ) {
		
		$this->porcelain = isset( $assoc_args['porcelain'] );
		$this->test      = isset( $assoc_args['test'] );
		
		$this->nagios_op = isset( $assoc_args['nagios'] );
		$this->mail      = isset( $assoc_args['mail'] ) ? $assoc_args['mail'] : '';
		
		$this->update_list = array();
		
		// need a copy because it's passed by ref and destroyed in the formatter
		$this->assoc_args_wordpress = $assoc_args;
		
		if( $this->nagios_op ) {
			$this->_do_nagios_op( array( 'wordpress' ) );
		}
		
		$this->_do_wordpress();
	}

	/**
	 * Check plugins for reported vulnerabilities.
	 *
	 * ## OPTIONS
	 *
	 * [--porcelain]
	 * : Print only slugs of plugins with updates
	 *
	 * [--test]
	 * : Load test plugin/theme data
	 *
	 * [--nagios]
	 * : Output for nagios
	 *
	 * [--mail]
	 * : Mail nagios output if any vulnerability found
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln plugin-status
	 *
	 * @subcommand plugin-status
	 */
	function plugin_status( $args, $assoc_args ) {

		$this->porcelain = isset( $assoc_args['porcelain'] );
		$this->test      = isset( $assoc_args['test'] );
		
		$this->nagios_op = isset( $assoc_args['nagios'] );
		$this->mail      = isset( $assoc_args['mail'] ) ? $assoc_args['mail'] : '';

		$this->update_list = array();

		// need a copy because it's passed by ref and destroyed in the formatter
		$this->assoc_args_plugin = $assoc_args;
		
		if( $this->nagios_op ) {
			$this->_do_nagios_op( array( 'plugin' ) );
		}
		
		$this->_do_plugins();

	}

	/**
	 * Check themes for reported vulnerabilities.
	 *
	 * ## OPTIONS
	 *
	 * [--porcelain]
	 * : Print only slugs of themes with updates
	 *
	 * [--test]
	 * : Load test theme/theme data
	 *
	 * [--nagios]
	 * : Output for nagios
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln theme-status
	 *
	 * @subcommand theme-status
	 */
	function theme_status( $args, $assoc_args ) {

		$this->porcelain = isset( $assoc_args['porcelain'] );
		$this->test      = isset( $assoc_args['test'] );
		
		$this->nagios_op = isset( $assoc_args['nagios'] );

		$this->update_list = array();

		// need a copy because it's passed by ref and destroyed in the formatter
		$this->assoc_args_theme = $assoc_args;
		
		if( $this->nagios_op ) {
			$this->_do_nagios_op( array( 'theme' ) );
		}
		
		$this->_do_themes();

	}

	/**
	 * Check any given theme.
	 *
	 * ## OPTIONS
	 *
	 * [<slug>...]
	 * : theme slug to check
	 *
	 * [--version]
	 * : Version if other than latest. Only applies if one slug provided
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln theme-check
	 *
	 * @subcommand theme-check
	 */
	function theme_check( $args, $assoc_args ) {

		if ( count( $args ) > 1 ) {
			$version = 0;
		} else {
			$version = isset( $assoc_args['version'] ) ? $assoc_args['version'] : 0;

		}

		$display = array();
		foreach( $args as $slug ) {
			$status = $this->_check_status( $slug, $version, 'theme' );
			$display = array_merge ( $display, $status );
		}

		$formatter = new \WP_CLI\Formatter( $assoc_args, array(
			'name',
			'installed version',
			'status',
			'fix'
		), 'themes' );
		$formatter->display_items( $display );

	}

	/**
	 * Check any given plugin.
	 *
	 * ## OPTIONS
	 *
	 * [<slug>...]
	 * : plugin slug to check
	 *
	 * [--version]
	 * : Version if other than latest. Only applies if one slug provided
	 *
	 * [--format=<format>]
	 * : Accepted values: table, csv, json, count, ids, yaml. Default: table
	 *
	 * ## EXAMPLES
	 *
	 *     wp vuln plugin-check
	 *
	 * @subcommand plugin-check
	 */
	function plugin_check( $args, $assoc_args ) {

		if ( count( $args ) > 1 ) {
			$version = 0;
		} else {
			$version = isset( $assoc_args['version'] ) ? $assoc_args['version'] : 0;

		}

		$display = array();
		foreach( $args as $slug ) {
			$status = $this->_check_status( $slug, $version, 'plugin' );
			$display = array_merge ( $display, $status );
		}

		$formatter = new \WP_CLI\Formatter( $assoc_args, array(
			'name',
			'installed version',
			'status',
			'fix'
		), 'plugins' );
		$formatter->display_items( $display );

	}
	
	/**
	 * Do WordPress core check
	 *
	 * @return void
	 */
	private function _do_wordpress() {
		
		$singular_type = 'wordpress';
		$plural_type = 'wordpresses';
		
		$assoc_args = "assoc_args_{$singular_type}";
		
		$display     = $this->_check_wordpress();
		$update_list = $this->_extract_updatable_items( $display );
		
		// Pretty print
		if ( ! $this->porcelain ) {
			
			$formatter = new \WP_CLI\Formatter( $this->$assoc_args, array(
				'name',
				'installed version',
				'status',
				'fix',
			), $plural_type );
			$formatter->display_items( $display );
		} elseif ( $update_list ) {
			WP_CLI::log( implode( ' ', $update_list ) );
			die;
		}
	}

	/**
	 * Helper. Call worker for plugin tasks
	 *
	 * @return void
	 */
	private function _do_plugins() {
		$this->_do_thing( 'plugin' );
	}

	/**
	 * Helper. Call worker for theme tasks
	 *
	 * @return void
	 */
	private function _do_themes() {
		$this->_do_thing( 'theme' );
	}

	/**
	 * Worker. Do what's needed for plugins/themes
	 * Display table, or if --porcelain, display only updatable slugs
	 *
	 * @param string|array $type The "thing" we're checking
	 *                           If string, it's pluralized with an "s"
	 *                           If array, should be [ single, plural ]
	 *
	 * @return void
	 */
	private function _do_thing( $type ) {
		list( $singular_type, $plural_type ) = $this->_get_slugs( $type );

		$assoc_args = "assoc_args_{$singular_type}";

		$display     = $this->_check_thing( $singular_type );
		$update_list = $this->_extract_updatable_items( $display );

		// Pretty print
		if ( ! $this->porcelain ) {

			$formatter = new \WP_CLI\Formatter( $this->$assoc_args, array(
				'name',
				'installed version',
				'status',
				'fix',
			), $plural_type );
			$formatter->display_items( $display );

			// if plugins need updating, do or tell the user
			if ( $update_list ) {
				// it would be nice to show this, but we'd need to rewrite the unit test
				//              $update_list = implode( ' ', $update_list );
				//              WP_CLI::log( "Run `wp $singular_type update $update_list`" );
			} else {
				WP_CLI::log( 'Nothing to update' );
			}
		} elseif ( $update_list ) {
			WP_CLI::log( implode( ' ', $update_list ) );
			die;
		}
	}

	/**
	 * Worker. Run through checking the status of a plugin/theme
	 *
	 * @param string|array $type The "thing" we're checking
	 *                           If string, it's pluralized with an "s"
	 *                           If array, should be [ single, plural ]
	 *
	 * @return array Statuses for all themes
	 */
	private function _check_thing( $type ) {
		list( $singular_type ) = $this->_get_slugs( $type );

		$list = WP_CLI::launch_self( $singular_type, array( 'list' ), array(
			'format' => 'csv',
			'fields' => 'name,version',
		), true, true );

		$list = $this->parse_list( $list );

		# test list
		if ( isset( $this->test ) && $this->test ) {
			switch ( $type ) {
				case 'plugin':
					$list = array(
						array( 'name' => 'relevant', 'version' => '1.0.2' ),  // fixed vulns
						// array( 'name' => 'wordpress-seo',             'version' => '3.2.5' ),  // no vulns
						// array( 'name' => 'revslider',                 'version' => '1.0.0' ),  // fixed vulns
						// array( 'name' => 'fluid-respnsive-slideshow', 'version' => '2.2.6' ),  // ongoing vulns
					);
					break;
				case 'theme':
					$list = array(
						array( 'name' => 'digital-store', 'version' => '1.3' ),  // fixed vulns
						// array( 'name' => 'twentyten',                 'version' => '1.0.0' ),  // no vulns
						// array( 'name' => 'twentyfifteen',             'version' => '1.0.0' ),  // fixed vulns
						// array( 'name' => 'epic',                      'version' => '1.0.0' ),  // ongoing vulns
					);
					break;
			}
		}
		#/

		$data = array();

		foreach ( $list as $thing ) {

			$status = $this->_check_status( $thing['name'], $thing['version'], $singular_type );

			$data = array_merge( $data, $status );

		}

		return $data;

	}
	
	/**
	 * Worker for WordPress vulnerability checks
	 *
	 * @return array
	 */
	private function _check_wordpress() {
		$singular_type = 'wordpress';
		$plural_type = 'wordpresses';
		
		global $wp_version;
		
		$version = str_replace( '.', '', $wp_version );
		$url = "https://wpvulndb.com/api/v1/{$plural_type}/{$version}";
		
		$key = 'vuln_check-' . md5( $url );
		
		if ( ! ( $response = get_transient( $key ) ) ) {
			$response = wp_remote_get( $url );
			set_transient( $key, $response, HOUR_IN_SECONDS );
		} else {
			WP_CLI::debug( "Use response cache for $url" );
		}
		
		$code = wp_remote_retrieve_response_code( $response );
		$body = wp_remote_retrieve_body( $response );
		
		$assoc_args = "assoc_args_{$singular_type}";
		
		$table_format = false;
		if ( ! isset( $this->{$assoc_args}['format'] ) || 'table' == $this->{$assoc_args}['format'] ) {
			$table_format = true;
		}
		
		$report = array();
		
		if ( 404 == $code ) {
			$report[] = array(
				'title' => "No reported vulnerabilities for WordPress " . $wp_version,
				'fix'   => 'n/a',
			);
		} else {
			
			// let's analyse the report!
			$vulndb = json_decode( $body );
			
			$vulnerabilities = $vulndb->$singular_type->vulnerabilities;
			
			if( is_array( $vulnerabilities ) ) {
				foreach ( $vulnerabilities as $k => $vuln ) {
					
					// vulnerability that hasn't been fixed :(
					if ( ! isset( $vuln->fixed_in ) ) {
						
						$report[] = array(
							'title'  => $vuln->title,
							'fix'    => 'Not fixed',
							'action' => 'watch',
						);
						
						// vuln version, fix available
					} elseif ( version_compare( $wp_version, $vuln->fixed_in, '<' ) ) {
						
						$report[] = array(
							'title'  => $vuln->title,
							'fix'    => "Fixed in {$vuln->fixed_in}",
							'action' => 'update',
						);
						
						// if installed plugin version is greater than a fixed version,
						//    unset that vuln entry, we don't need it
					} else {
						
						// This leaves us with an array of relevant vulns
						// not currently used :/
						unset( $vulnerabilities[ $k ] );
					}
				}
			}
			
			$total = count( $report );
			if ( $total <= 0 ) {
				$report[] = array(
					'title' => "No vulnerabilities reported for this version of WordPress",
					'fix'   => 'n/a',
				);
			}
		}
		
		$data = array();
		
		foreach ( $report as $index => $stat ) {
			if ( ! isset( $stat['action'] ) ) {
				$stat['action'] = '';
			}
			
			$name = ( $table_format && 0 != $index ? '' : 'WordPress' );
			
			if ( $table_format ) {
				switch ( $stat['action'] ) {
					case 'update' :
						$name = WP_CLI::colorize( "%r$name%n" );
						break;
					case 'watch' :
						$name = WP_CLI::colorize( "%y$name%n" );
						break;
					default;
				}
			}
			
			// these keys must match the column headings in the formatter (extras ok)
			$data[]    = array(
				'name'              => $name,
				'slug'              => 'wordpress',
				'installed version' => $wp_version,
				'status'            => $stat['title'],
				'fix'               => $stat['fix'],
				'action'            => isset( $stat['action'] ) ? $stat['action'] : '',
			);
		}
		
		return $data;
		
	}

	/**
	 * Pull updatable items from Formatter-ready array
	 *
	 * @param array $data Formatter-ready data
	 *
	 * @return array Simple array of plugin/theme slugs needing to be updated
	 */
	private function _extract_updatable_items( $data ) {
		$update_list = wp_list_pluck( wp_list_filter( $data, array( 'action' => 'update' ) ), 'action', 'slug' );
		$update_list = array_keys( $update_list );

		return $update_list;
	}

	/**
	 * Check wpvulndb.com for reports
	 * Total how many are relevant
	 *
	 * @param string $slug Installed plugin/theme slug
	 * @param string $version Installed plugin/theme version
	 * @param string|array $type The "thing" we're checking, "plugin" or "theme"
	 *                           If string, it's pluralized with an "s"
	 *                           If array, should be [ single, plural ]
	 *
	 * @return array Data array
	 */
	private function _check_status( $slug, $version, $type ) {
		list( $singular_type, $plural_type ) = $this->_get_slugs( $type );

		$url = "https://wpvulndb.com/api/v1/{$plural_type}/{$slug}";
		$key = 'vuln_check-' . md5( $url );

		if ( ! ( $response = get_transient( $key ) ) ) {
			$response = wp_remote_get( $url );
			set_transient( $key, $response, HOUR_IN_SECONDS );
		} else {
			WP_CLI::debug( "Use response cache for $url" );
		}

		$code = wp_remote_retrieve_response_code( $response );
		$body = wp_remote_retrieve_body( $response );

		$assoc_args = "assoc_args_{$singular_type}";

		$table_format = false;
		if ( ! isset( $this->{$assoc_args}['format'] ) || 'table' == $this->{$assoc_args}['format'] ) {
			$table_format = true;
		}

		$report = array();

		if ( 404 == $code ) {
			$report[] = array(
				'title' => "No vulnerabilities reported for $slug",
				'fix'   => 'n/a',
			);
		} else {

			// let's analyse the report!
			$vulndb = json_decode( $body );
			
			$vulnerabilities = array();
			
			if( isset( $vulndb->$singular_type ) && isset( $vulndb->$singular_type->vulnerabilities ) ) {
				$vulnerabilities = $vulndb->$singular_type->vulnerabilities;
			}
			
			if( is_array( $vulnerabilities ) && ! empty( $vulnerabilities ) ) {
				foreach ( $vulnerabilities as $k => $vuln ) {
					
					// vulnerability that hasn't been fixed :(
					if ( ! isset( $vuln->fixed_in ) ) {
						
						$report[] = array(
							'title'  => $vuln->title,
							'fix'    => 'Not fixed',
							'action' => 'watch',
						);
						
						// vuln version, fix available
					} elseif ( version_compare( $version, $vuln->fixed_in, '<' ) ) {
						
						$report[] = array(
							'title'  => $vuln->title,
							'fix'    => "Fixed in {$vuln->fixed_in}",
							'action' => 'update',
						);
						
						// if installed plugin version is greater than a fixed version,
						//    unset that vuln entry, we don't need it
					} else {
						
						// This leaves us with an array of relevant vulns
						// not currently used :/
						unset( $vulnerabilities[ $k ] );
					}
				}
			}

			$total = count( $report );
			if ( $total <= 0 ) {
				$report[] = array(
					'title' => "No vulnerabilities reported for this version of $slug",
					'fix'   => 'n/a',
				);
			}
		}

		$data = array();

		$last_item = '';
		foreach ( $report as $stat ) {
			if ( ! isset( $stat['action'] ) ) {
				$stat['action'] = '';
			}

			$name = ( $table_format && $slug == $last_item ? '' : $slug );

			if ( $table_format ) {
				switch ( $stat['action'] ) {
					case 'update' :
						$name = WP_CLI::colorize( "%r$name%n" );
						break;
					case 'watch' :
						$name = WP_CLI::colorize( "%y$name%n" );
						break;
					default;
				}
			}

			// these keys must match the column headings in the formatter (extras ok)
			$data[]    = array(
				'name'              => $name,
				'slug'              => $slug,
				'installed version' => $version,
				'status'            => $stat['title'],
				'fix'               => $stat['fix'],
				'action'            => isset( $stat['action'] ) ? $stat['action'] : '',
			);
			$last_item = $slug;
		}

		return $data;

	}

	/**
	 * Get singular and plural slugs for given string or array
	 *
	 * @param string|array $singular_or_array If string, it's pluralized with an "s"
	 *                           If array, should be [ single, plural ]
	 *
	 * @return array
	 */
	private function _get_slugs( $singular_or_array ) {
		if ( is_array( $singular_or_array ) ) {
			$singular_type = $singular_or_array[0];
			$plural_type   = $singular_or_array[1];
		} else {
			$singular_type = $singular_or_array;
			$plural_type   = "{$singular_or_array}s";
		}

		return array( $singular_type, $plural_type );
	}

	/**
	 * Parse list string into item array
	 *
	 * @param string $list
	 *
	 * @return array
	 */
	private function parse_list( $list ) {

		$list    = explode( "\n", $list );
		$newlist = array();

		foreach ( $list as $line ) {
			// skip printed command
			if ( '$ ' === substr( $line, 0, 2 ) ) {
				continue;
			}
			// skip output header
			if ( 'name,version' === $line ) {
				continue;
			}
			// skip output footer
			if ( empty( $line ) ) {
				break;
			}

			$newlist[] = array_combine(
				array( 'name', 'version' ),
				explode( ',', $line )
			);

		}

		return $newlist;

	}
	
	/**
	 * Do nagios output
	 *
	 * @param $things
	 */
	private function _do_nagios_op( $things ) {
		if( ! empty( $things ) && is_array( $things ) ) {
			
			$wp_list = $pl_list = $th_list = 0;
			
			if( in_array( 'wordpress', $things ) ) {
				$wp_vulns = $this->_check_wordpress();
				if( ! empty( $wp_vulns ) && is_array( $wp_vulns ) ) {
					foreach( $wp_vulns as $wp_vuln ) {
						if ( isset( $wp_vuln[ 'fix' ] ) && 'n/a' != $wp_vuln[ 'fix' ] ) {
							$wp_list++;
						}
					}
				}
			}
			if( in_array( 'plugin', $things ) ) {
				$plugins = $this->_check_thing( 'plugin' );
				if( ! empty( $plugins ) && is_array( $plugins ) ) {
					foreach( $plugins as $plugin ) {
						if ( isset( $plugin[ 'fix' ] ) && 'n/a' != $plugin[ 'fix' ] ) {
							$pl_list++;
						}
					}
				}
			}
			if( in_array( 'theme', $things ) ) {
				$themes = $this->_check_thing( 'theme' );
				if( ! empty( $themes ) && is_array( $themes ) ) {
					foreach( $themes as $theme ) {
						if ( isset( $theme[ 'fix' ] ) && 'n/a' != $theme[ 'fix' ] ) {
							$th_list++;
						}
					}
				}
			}
			
			if( empty( $wp_list ) && empty( $pl_list ) && empty( $th_list ) ) {
				WP_CLI::line( 'OK - no vulnerabilities found' );
				exit(0);
			} else {
				$message = sprintf(
					'CRITICAL - %d core, %d plugin and %d theme vulnerabilities found',
					$wp_list,
					$pl_list,
					$th_list
				);
				WP_CLI::line( $message );
				
				//Notify via mail
				if( ! empty( $this->mail ) ) {
					
					$site_url = site_url();
					$headers = array();
					
					/*
					 * In CLI if $_SERVER['SERVER_NAME'] isn't set than it fails to send mail.
					 * Reason being, this property is used to create "From" mail header.
					 * If it's empty, we need to pass that in header.
					 */
					if( empty( $_SERVER['SERVER_NAME'] ) ) {
						$sitename = $site_url;
						if ( substr( $sitename, 0, 8 ) == 'https://' ) {
							$sitename = substr( $sitename, 8 );
						}
						if ( substr( $sitename, 0, 7 ) == 'http://' ) {
							$sitename = substr( $sitename, 7 );
						}
						if ( substr( $sitename, 0, 4 ) == 'www.' ) {
							$sitename = substr( $sitename, 4 );
						}
						
						$from_email = 'wordpress@' . $sitename;
						
						$headers[] = "From:{$from_email}";
					}
					
					$subject = 'Vulnerabilities found in ' . $site_url;
					if( ! wp_mail( $this->mail, $subject, $message, $headers ) ) {
						WP_CLI::line( 'Not able to send mail.' );
					}
				}
				
				exit(2);
			}
		}
	}
}

WP_CLI::add_command( 'vuln', 'Vulnerability_CLI' );