Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013

.gitignore

@@ -7,3 +7,4 @@
 .DS_Store
 /public/data
 *.png
+coverage

Gemfile

@@ -26,6 +26,8 @@ end
 
 gem 'gauntlt'
 
+gem 'simplecov', '0.8.0.pre2', :require => false, :group => :test
+
 group :development, :test do
   gem 'launchy'
   gem 'capybara'

Gemfile.lock

@@ -40,11 +40,11 @@ GEM
       erubis (>= 2.6.6)
     binding_of_caller (0.7.2)
       debug_inspector (>= 0.0.1)
-    brakeman (2.1.2)
+    brakeman (2.2.0)
       erubis (~> 2.6)
       fastercsv (~> 1.5)
       haml (>= 3.0, < 5.0)
-      highline (~> 1.6.19)
+      highline (~> 1.6.20)
       multi_json (~> 1.2)
       ruby2ruby (~> 2.0.5)
       ruby_parser (~> 3.2.2)
@@ -82,6 +82,7 @@ GEM
     database_cleaner (1.0.1)
     debug_inspector (0.0.2)
     diff-lcs (1.2.4)
+    docile (1.1.0)
     dotenv (0.9.0)
     em-websocket (0.5.0)
       eventmachine (>= 0.12.9)
@@ -135,10 +136,11 @@ GEM
     launchy (2.3.0)
       addressable (~> 2.3)
     libv8 (3.16.14.3)
-    listen (2.1.1)
+    listen (2.1.2)
       celluloid (>= 0.15.2)
       rb-fsevent (>= 0.9.3)
       rb-inotify (>= 0.9)
+    lockfile (2.1.0)
     mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
@@ -218,7 +220,13 @@ GEM
       sass (>= 3.1.10)
       tilt (~> 1.3)
     sexp_processor (4.4.0)
-    slim (2.0.1)
+    simplecov (0.8.0.pre2)
+      docile (~> 1.1.0)
+      lockfile (>= 2.1.0)
+      multi_json
+      simplecov-html (~> 0.7.1)
+    simplecov-html (0.7.1)
+    slim (2.0.2)
       temple (~> 0.6.6)
       tilt (>= 1.3.3, < 2.1)
     slop (2.1.0)
@@ -243,9 +251,9 @@ GEM
       polyglot (>= 0.3.1)
     trollop (2.0)
     tzinfo (0.3.38)
-    uglifier (2.2.1)
+    uglifier (2.3.0)
       execjs (>= 0.3.0)
-      multi_json (~> 1.0, >= 1.0.2)
+      json (>= 1.8.0)
     unicorn (4.6.3)
       kgio (~> 2.6)
       rack
@@ -285,6 +293,7 @@ DEPENDENCIES
   rb-fsevent
   rspec-rails
   sass-rails
+  simplecov (= 0.8.0.pre2)
   sqlite3
   therubyracer
   travis-lint

README.md

@@ -49,7 +49,7 @@ Then proceed with browsing the site as normal :thumbsup:
 
 [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
 
-[![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat)
+[![Build Status](https://travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat)
 
 ### License Stuff ###
 

app/models/benefits.rb

@@ -12,7 +12,7 @@ class Benefits < ActiveRecord::Base
  
  def self.make_backup(file, data_path, full_file_name)
     if File.exists?(full_file_name) 
-     system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+      silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") }
     end  
  end
 
@@ -22,4 +22,17 @@ class Benefits < ActiveRecord::Base
   end
 =end 
 
+ def self.silence_streams(*streams)
+   on_hold = streams.collect { |stream| stream.dup }
+   streams.each do |stream|
+     stream.reopen(RUBY_PLATFORM =~ /mswin/ ? 'NUL:' : '/dev/null')
+     stream.sync = true
+   end
+   yield
+ ensure
+   streams.each_with_index do |stream, i|
+     stream.reopen(on_hold[i])
+   end
+ end
+ 
 end

app/views/layouts/tutorial/csrf/_csrf_first.html.erb

@@ -60,7 +60,7 @@
             <div class="accordion-inner">
               <p><b> Cross-Site Request Forgery ATTACK:</b></p>
 				<p class="desc">
-					The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either it's presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
+					The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either its presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
 				</p>
 			   	<p>
 				 <pre class="ruby">
@@ -84,7 +84,7 @@
 				
 			  <p><b> Cross-Site Request Forgery SOLUTION:</b></p>
 			  <p>
-				 By Default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
+				 By default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
 			 </p>
 			 <p>  		
 				 Once protect_from_forgery is added back... 

app/views/layouts/tutorial/redirects/_redirects_first.html.erb

@@ -17,7 +17,8 @@
           <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
             <div class="accordion-inner">
 	  		 <p class="desc">
-              OWASP Description - Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
+              Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
+              Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.
   			 </p>
 	  		 <p class="desc">
               Railsgoat allows the redirection to the paths previously requested but for which the user did not have access. Following authentication, the user is redirected.

app/views/layouts/tutorial/xss/_xss_first.html.erb

@@ -84,7 +84,7 @@
             <div class="accordion-inner">
               <p class="desc">
 				Apparently we had some issues rendering people's names with weird formatting or something, I dunno, I think I fixed it by safely encoding html and rendering the necessary content.<br/><br/>
-				Your <b>Welcome</b>!
+				You're <b>Welcome</b>!
 			  </p>
             </div>
           </div>

spec/controllers/messages_controller_spec.rb

@@ -1,5 +1 @@
 require 'spec_helper'
-
-describe MessagesController do
-
-end

spec/helpers/messages_helper_spec.rb

@@ -1,15 +1 @@
 require 'spec_helper'
-
-# Specs in this file have access to a helper object that includes
-# the MessagesHelper. For example:
-#
-# describe MessagesHelper do
-#   describe "string concat" do
-#     it "concats two strings with spaces" do
-#       expect(helper.concat_strings("this","that")).to eq("this that")
-#     end
-#   end
-# end
-describe MessagesHelper do
-  pending "add some examples to (or delete) #{__FILE__}"
-end

spec/models/message_spec.rb

@@ -1,5 +1 @@
 require 'spec_helper'
-
-describe Message do
-  pending "add some examples to (or delete) #{__FILE__}"
-end

spec/spec_helper.rb

@@ -1,5 +1,10 @@
 # This file is copied to spec/ when you run 'rails generate rspec:install'
 ENV["RAILS_ENV"] ||= 'test'
+
+# To use simplecov, do this: COVERAGE=true rake  
+require 'simplecov'
+SimpleCov.start if ENV["COVERAGE"]
+
 require File.expand_path("../../config/environment", __FILE__)
 require 'rspec/rails'
 require 'rspec/autorun'

spec/support/capybara_shared.rb

@@ -5,12 +5,12 @@
 # However, RailsGoat maintainers need the Capybara features to pass to indicate
 # changes to the site have not inadvertently removed or fixed any vulnerabilities
 # since the whole point is to provide a site for a developer to fix.
-@@displayed_spec_notice = false
+$displayed_spec_notice = false
 
 def verifying_fixed?
   maintainer_env_name = 'RAILSGOAT_MAINTAINER'
   result = !ENV[maintainer_env_name]
-  if !@@displayed_spec_notice && result
+  if !$displayed_spec_notice && result
     puts <<-NOTICE
 
     ******************************************************************************
@@ -30,7 +30,7 @@ def verifying_fixed?
   a 'pending' state.
 ******************************************************************************
     NOTICE
-    @@displayed_spec_notice = true
+    $displayed_spec_notice = true
   end
   result
 end
@@ -43,3 +43,41 @@ def login(user)
   end
   click_on 'Login'
 end
+
+##Hack to fix PhantomJS errors on Mavericks - https://gist.github.com/ericboehs/7125105
+module Capybara::Poltergeist
+  class Client
+    private
+    def redirect_stdout
+      prev = STDOUT.dup
+      prev.autoclose = false
+      $stdout = @write_io
+      STDOUT.reopen(@write_io)
+
+      prev = STDERR.dup
+      prev.autoclose = false
+      $stderr = @write_io
+      STDERR.reopen(@write_io)
+      yield
+    ensure
+      STDOUT.reopen(prev)
+      $stdout = STDOUT
+      STDERR.reopen(prev)
+      $stderr = STDERR
+    end
+  end
+end
+
+class WarningSuppressor
+  class << self
+    def write(message)
+      if message =~ /QFont::setPixelSize: Pixel size <= 0/ || message =~/CoreText performance note:/ || message =~/Method userSpaceScaleFactor in class NSView/ then 0 else puts(message);1;end
+    end
+  end
+end
+
+Capybara.register_driver :poltergeist do |app|
+  Capybara::Poltergeist::Driver.new(app, phantomjs_logger: WarningSuppressor)
+end
+
+Capybara.javascript_driver = :poltergeist

spec/vulnerabilities/command_injection_spec.rb

@@ -15,7 +15,7 @@ feature 'command injection' do
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, '; cd public && cd data && rm -f * ;')
+      hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;')
       File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
       within('.new_benefits') do
         attach_file 'benefits_upload', hackety_file

spec/vulnerabilities/password_hashing_spec.rb

@@ -14,6 +14,7 @@ feature 'improper password hashing' do
     pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password}
   end
 
+=begin
   scenario 'with md5 and salt' do
     pending unless @normal_user.has_attribute?('salt')
     new_pass = 'testpassword'
@@ -22,4 +23,6 @@ feature 'improper password hashing' do
     @normal_user.save
     pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password}
   end
+=end
+
 end

test/test_helper.rb

@@ -1,4 +1,9 @@
 ENV["RAILS_ENV"] = "test"
+
+# To use simplecov, do this: COVERAGE=true rake
+require 'simplecov'
+SimpleCov.start if ENV["COVERAGE"]
+
 require File.expand_path('../../config/environment', __FILE__)
 require 'rails/test_help'