added the primary insecure crypto storage vuln

This commit is contained in:
Ken Johnson
2013-06-03 12:52:24 -04:00
parent 6d5623a423
commit 0b09e0d4c1
+8 -1
@@ -11,6 +11,7 @@ class User < ActiveRecord::Base
validates_format_of :email, :with => /.+@.+\..+/i
attr_accessor :skip_user_id_assign
before_save :assign_user_id, :on => :create
before_save :encrypt_password
has_one :retirement, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
has_one :paid_time_off, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
@@ -26,7 +27,7 @@ class User < ActiveRecord::Base
user = find_by_email(email)
# I heard something about hashing, dunno, why bother really. Nobody will get access to my stuff!
if user
if user.password == password
if user.password == Digest::MD5.hexdigest(password)
auth = user
else
raise "Incorrect Password!"
@@ -44,5 +45,11 @@ class User < ActiveRecord::Base
self.user_id = uid.to_s if uid
end
end
def encrypt_password
if self.password.present?
self.password = Digest::MD5.hexdigest(password)
end
end
end
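Review bot: The new `encrypt_password` callback (third hunk) runs on every save and checks only `password.present?`, so if `password` is the column that the second hunk compares against `Digest::MD5.hexdigest(password)`, a later save of a loaded record re-hashes the stored digest and the user can no longer log in; guard it with `self.password = Digest::MD5.hexdigest(password) if password.present? && password_changed?`. The commit title says the insecure storage is intentional, so noting that in a comment above the callback would spare the next reader a false bug report, e.g. `# Deliberately weak: unsalted MD5 and a non-constant-time compare; real code uses has_secure_password / bcrypt`. The comment on the line before the changed `if` in the second hunk is now stale as well, since hashing is exactly what the new line does. The `authenticate`-style method in the second hunk begins and ends outside the hunk.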