diff --git a/Gemfile b/Gemfile index aede548..795e837 100644 --- a/Gemfile +++ b/Gemfile @@ -41,7 +41,7 @@ group :development, :test, :mysql do gem 'capybara' gem 'database_cleaner' gem 'poltergeist' - gem 'rspec-rails', '2.99.0' # LOCKED DOWN + gem 'rspec-rails' gem 'test-unit' end diff --git a/Gemfile.lock b/Gemfile.lock index da40338..2f431e7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -249,25 +249,27 @@ GEM ref (2.0.0) responders (2.1.2) railties (>= 4.2.0, < 5.1) - rspec (2.99.0) - rspec-core (~> 2.99.0) - rspec-expectations (~> 2.99.0) - rspec-mocks (~> 2.99.0) - rspec-collection_matchers (1.1.2) - rspec-expectations (>= 2.99.0.beta1) - rspec-core (2.99.2) - rspec-expectations (2.99.2) - diff-lcs (>= 1.1.3, < 2.0) - rspec-mocks (2.99.4) - rspec-rails (2.99.0) - actionpack (>= 3.0) - activemodel (>= 3.0) - activesupport (>= 3.0) - railties (>= 3.0) - rspec-collection_matchers - rspec-core (~> 2.99.0) - rspec-expectations (~> 2.99.0) - rspec-mocks (~> 2.99.0) + rspec (3.4.0) + rspec-core (~> 3.4.0) + rspec-expectations (~> 3.4.0) + rspec-mocks (~> 3.4.0) + rspec-core (3.4.4) + rspec-support (~> 3.4.0) + rspec-expectations (3.4.0) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.4.0) + rspec-mocks (3.4.1) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.4.0) + rspec-rails (3.4.2) + actionpack (>= 3.0, < 4.3) + activesupport (>= 3.0, < 4.3) + railties (>= 3.0, < 4.3) + rspec-core (~> 3.4.0) + rspec-expectations (~> 3.4.0) + rspec-mocks (~> 3.4.0) + rspec-support (~> 3.4.0) + rspec-support (3.4.1) ruby2ruby (2.3.0) ruby_parser (~> 3.1) sexp_processor (~> 4.0) @@ -374,7 +376,7 @@ DEPENDENCIES rake (= 10.5.0) rb-fsevent responders - rspec-rails (= 2.99.0) + rspec-rails sass-rails simplecov sqlite3 diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 01b1f31..72934dd 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -7,7 +7,6 @@ SimpleCov.start if ENV["COVERAGE"] require File.expand_path("../../config/environment", __FILE__) require 'rspec/rails' -require 'rspec/autorun' require 'capybara/rails' require 'capybara/poltergeist' require 'database_cleaner' diff --git a/spec/vulnerabilities/broken_auth_spec.rb b/spec/vulnerabilities/broken_auth_spec.rb index 300eb47..df68512 100644 --- a/spec/vulnerabilities/broken_auth_spec.rb +++ b/spec/vulnerabilities/broken_auth_spec.rb @@ -15,7 +15,8 @@ feature 'broken_auth' do within('.actions') do click_on 'Login' end - pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!" } + pending if verifying_fixed? + expect(find('div#flash_notice').text).to eq("#{@normal_user.email}not doesn't exist!") end scenario 'two' do @@ -27,6 +28,7 @@ feature 'broken_auth' do within('.actions') do click_on 'Login' end - pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == 'Incorrect Password!' } + pending if verifying_fixed? + expect(find('div#flash_notice').text).to eq('Incorrect Password!') end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb index 31a8939..ba2cc1d 100644 --- a/spec/vulnerabilities/command_injection_spec.rb +++ b/spec/vulnerabilities/command_injection_spec.rb @@ -23,6 +23,7 @@ feature 'command injection' do end click_on 'Start Upload' end - pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_falsey } + pending if verifying_fixed? + expect(File.exists?(legit_file)).to be_falsey end end diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb index 8301a48..d31ee8a 100644 --- a/spec/vulnerabilities/csrf_spec.rb +++ b/spec/vulnerabilities/csrf_spec.rb @@ -39,6 +39,7 @@ feature 'csrf' do end end - pending(:if => verifying_fixed?) { @normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy' } + pending if verifying_fixed? + expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq('Bad Guy') end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb index 7e198d8..c723dde 100644 --- a/spec/vulnerabilities/insecure_dor_spec.rb +++ b/spec/vulnerabilities/insecure_dor_spec.rb @@ -13,19 +13,19 @@ feature 'insecure direct object reference' do download_url = first('.widget-body a')[:href] visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&') - pending(:if => verifying_fixed?) { - page.status_code.should == 200 - page.response_headers['Content-Disposition'].should include('database.yml') - page.response_headers['Content-Length'].should == '709' - } + pending if verifying_fixed? + expect(page.status_code).to eq(200) + expect(page.response_headers['Content-Disposition']).to include('database.yml') + expect(page.response_headers['Content-Length']).to eq('709') end scenario 'attack two' do login(@normal_user) - @normal_user.user_id.should_not == 2 + expect(@normal_user.user_id).not_to eq(2) visit '/users/2/work_info' - pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' } + pending if verifying_fixed? + expect(first('td').text).to eq('Jack Mannino') end end diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb index bf23aa2..81c5016 100644 --- a/spec/vulnerabilities/mass_assignment_spec.rb +++ b/spec/vulnerabilities/mass_assignment_spec.rb @@ -7,7 +7,7 @@ feature 'mass assignment' do end scenario 'attack one' do - @normal_user.admin.should be_falsey + expect(@normal_user.admin).to be_falsey login(@normal_user) @@ -17,7 +17,8 @@ feature 'mass assignment' do :password_confirmation => @normal_user.clear_password}} page.driver.put "/users/#{@normal_user.user_id}.json", params - pending(:if => verifying_fixed?) { @normal_user.reload.admin.should be_truthy } + pending if verifying_fixed? + expect(@normal_user.reload.admin).to be_truthy end scenario 'attack two' do @@ -29,9 +30,8 @@ feature 'mass assignment' do :password_confirmation => 'foobarewe'}} page.driver.post '/users', params - pending(:if => verifying_fixed?) { - User.last.email.should == 'hackety@h4x0rs.c0m' - User.last.admin.should be_truthy - } + pending if verifying_fixed? + expect(User.last.email).to eq('hackety@h4x0rs.c0m') + expect(User.last.admin).to be_truthy end end diff --git a/spec/vulnerabilities/password_complexity_spec.rb b/spec/vulnerabilities/password_complexity_spec.rb index a92bcbd..6d52bce 100644 --- a/spec/vulnerabilities/password_complexity_spec.rb +++ b/spec/vulnerabilities/password_complexity_spec.rb @@ -16,6 +16,7 @@ feature 'password complexity' do fill_in 'user_password_confirmation', :with => 'password' end click_on 'Submit' - pending(:if => verifying_fixed?) {current_path.should == '/dashboard/home'} + pending if verifying_fixed? + expect(current_path).to eq('/dashboard/home') end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb index 8f3bb02..032e99f 100644 --- a/spec/vulnerabilities/password_hashing_spec.rb +++ b/spec/vulnerabilities/password_hashing_spec.rb @@ -11,7 +11,8 @@ feature 'improper password hashing' do @normal_user.password = new_pass @normal_user.password_confirmation = new_pass @normal_user.save - pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password} + pending if verifying_fixed? + expect(Digest::MD5.hexdigest(new_pass)).to eq(@normal_user.password) end =begin @@ -21,8 +22,9 @@ feature 'improper password hashing' do @normal_user.password = new_pass @normal_user.password_confirmation = new_pass @normal_user.save - pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password} + pending if verifying_fixed? + expec(Digest::MD5.hexdigest(@normal_user.salt + new_pass))to. eq(@normal_user.password) end =end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/sensitive_data_exposure.rb b/spec/vulnerabilities/sensitive_data_exposure.rb index bc1e72e..9a0d8bc 100644 --- a/spec/vulnerabilities/sensitive_data_exposure.rb +++ b/spec/vulnerabilities/sensitive_data_exposure.rb @@ -13,6 +13,7 @@ feature 'sensitive data exposure' do login @normal_user visit "/users/#{@normal_user.user_id}/work_info" - pending(:if => verifying_fixed?) { page.source.should include '999-99-9999' } + pending if verifying_fixed? + expect(page.source).to include '999-99-9999' end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb index cde02b8..3a4930e 100644 --- a/spec/vulnerabilities/sql_injection_spec.rb +++ b/spec/vulnerabilities/sql_injection_spec.rb @@ -8,7 +8,7 @@ feature 'sql injection' do end scenario 'attack' do - @admin_user.admin.should be_truthy + expect(@admin_user.admin).to be_truthy login(@normal_user) @@ -23,10 +23,9 @@ feature 'sql injection' do end click_on 'Submit' - pending(:if => verifying_fixed?) { - @admin_user = User.where("admin='t'").first - @admin_user.email.should == 'joe.admin@schmoe.com' - @admin_user.admin.should == true - } + pending if verifying_fixed? + @admin_user = User.where("admin='t'").first + expect(@admin_user.email).to eq('joe.admin@schmoe.com') + expect(@admin_user.admin).to eq(true) end end diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb index 0518a27..d48c26f 100644 --- a/spec/vulnerabilities/unvalidated_redirects_spec.rb +++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb @@ -15,6 +15,7 @@ feature 'unvalidated redirect' do within('.actions') do click_on 'Login' end - pending(:if => verifying_fixed?) { current_url.should == 'http://example.com/do/evil/things' } + pending if verifying_fixed? + expect(current_url).to eq('http://example.com/do/evil/things') end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/url_access_spec.rb b/spec/vulnerabilities/url_access_spec.rb index 6d71ebe..d65938a 100644 --- a/spec/vulnerabilities/url_access_spec.rb +++ b/spec/vulnerabilities/url_access_spec.rb @@ -10,6 +10,7 @@ feature 'url access' do login @normal_user visit '/admin/1/dashboard' - pending(:if => verifying_fixed?) { current_path.should == '/admin/1/dashboard' } + pending if verifying_fixed? + expect(current_path).to eq('/admin/1/dashboard') end -end \ No newline at end of file +end diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb index f3fc89f..a6839a6 100644 --- a/spec/vulnerabilities/xss_spec.rb +++ b/spec/vulnerabilities/xss_spec.rb @@ -23,7 +23,8 @@ feature 'xss' do visit "/users/#{@normal_user.user_id}/account_settings" - pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' } + pending if verifying_fixed? + expect(find('#submit_button').value).to eq('RailsGoat h4x0r3d') # might be nice to demonstrate posting cookie contents or somesuch, but # this at least shows the vulnerability still exists.