https://github.com/jmhobbs/wordpress-scanner
CLI to scan plugin directories, and an HTTP server to scan zips from Wordpress.org
Last synced: 10 months ago
- Host: GitHub
- URL: https://github.com/jmhobbs/wordpress-scanner
- Owner: jmhobbs
- Created: 2017-06-29T17:40:09.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2017-10-16T15:10:39.000Z (over 8 years ago)
- Last Synced: 2025-03-27T15:21:20.718Z (11 months ago)
- Topics: experimental, security, wordpress
- Language: Go
- Size: 26.4 KB
- Stars: 8
- Watchers: 2
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
[Travis CI](https://travis-ci.org/jmhobbs/wordpress-scanner) [Codecov](https://codecov.io/gh/jmhobbs/wordpress-scanner)
This is an experimental server which downloads plugins from WordPress.org on demand, and hashes their contents.
The idea is that a client could check the hashes against their existing files to quickly check if the plugin has been hacked or otherwise corrupted.
# Endpoints
* `GET /plugin/{name}/{version}` - Get hashes for a plugin from wordpress.org
* `POST /plugin/{name}/{version}/diff` - Compare a client hash against a wordpress.org hash
* `GET /plugin` - List of plugins we have hashed versions of
* `GET /plugin/{name}` - List of versions we have hashed
# Binary Encoding
I wrote a custom binary encoding of the Scan struct for storage and wire transfer. A scan of bbpress 2.3 (PHP files only) compares as follows:
| Bytes | JSON | Binary |
|---------|-------|--------|
| Plain | 11684 | 7973 |
| gzipped | 2153 | 1985 |
You don't gain much after gzip, but it's still interesting, and decoding should be faster than JSON.
If we move to a prefix tree, I think we could easily go even smaller.
# Ideas
* https://github.com/d4l3k/messagediff - Diff the output of client/server
* Optionally use protobufs
* Make sure gzip is on
* HTTP/2?
* TLS & Auth
* Use a tree structure (radix tree?) and binary encoding for transfer
* Hash at the directory level (sorted filenames + hashes)
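The client-side comparison behind the `/diff` endpoint, together with the directory-level hash from the Ideas list, as an added Go example that is not the project's own code: `Scan`, `HashBytes`, `Diff` and `DirHash` are assumed names, and the path-to-hex-SHA-256 map stands in for the project's real Scan struct, whose fields the README does not show.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Scan maps a plugin-relative file path to the hex SHA-256 of its contents; a
// hypothetical stand-in for the project's Scan struct, not the project's type.
type Scan map[string]string

// HashBytes is the per-file digest used throughout: hex-encoded SHA-256.
func HashBytes(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// Diff labels every path where the client departs from the reference scan:
// "modified" (both sides, different hash), "missing" (in the release, absent on
// the client) or "extra" (on the client only, i.e. a file the release never shipped).
func Diff(reference, client Scan) map[string]string {
	out := map[string]string{}
	for path, refHash := range reference {
		if h, ok := client[path]; !ok {
			out[path] = "missing"
		} else if h != refHash {
			out[path] = "modified"
		}
	}
	for path := range client {
		if _, ok := reference[path]; !ok {
			out[path] = "extra"
		}
	}
	return out
}

// DirHash folds a scan into one digest over "path\x00hash\n" records in sorted
// path order (the directory-level idea), so a single compare covers the plugin.
func DirHash(s Scan) string {
	paths := make([]string, 0, len(s))
	for p := range s {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var rec string
	for _, p := range paths {
		rec += p + "\x00" + s[p] + "\n"
	}
	return HashBytes([]byte(rec))
}
```

A real client would build its `Scan` by walking the installed plugin directory and hashing each file, then send it to `/plugin/{name}/{version}/diff` or compare locally as above.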