More Rails 4.0 upgrade changes

1. Compared existing branch with empty Rails 4.0 project and made changes as needed. 2. Fix find/first warning. 3. Fix sqlite timeout issue. -- config/database.yml -- spec/vulnerabilities/insecure_dor_spec.rb
2014-09-13 13:44:07 -04:00
parent ed5f2796a4
commit 1ea0c2ddbb
28 changed files with 234 additions and 68 deletions
@@ -49,6 +49,8 @@ gem 'sass-rails'
 gem 'coffee-rails'
 gem 'jquery-fileupload-rails'
 gem 'uglifier'
 gem 'turbolinks' # New for Rails 4.0
 # See https://github.com/sstephenson/execjs#readme for more supported runtimes
 # gem 'therubyracer', :platforms => :ruby
@@ -82,3 +84,9 @@ gem 'therubyracer'
 # Add SMTP server support using MailCatcher
 gem 'mailcatcher'
 #For Rails 4.0
 #group :doc do
 #  # bundle exec rake doc:rails generates the API under doc/api.
 #  gem 'sdoc', require: false
 #end
@@ -284,6 +284,8 @@ GEM
      polyglot
      polyglot (>= 0.3.1)
    trollop (2.0)
    turbolinks (2.3.0)
      coffee-rails
    tzinfo (0.3.41)
    uglifier (2.5.3)
      execjs (>= 0.3.0)
@@ -334,5 +336,6 @@ DEPENDENCIES
  sqlite3
  therubyracer
  travis-lint
  turbolinks
  uglifier
  unicorn
@@ -12,6 +12,7 @@
 //
 //= require jquery
 //= require jquery_ujs
 //= require turbolinks
 //= require wysiwyg/wysihtml5-0.3.0.js
 //= require jquery.min.js
 //= require jquery.scrollUp.js
@@ -31,6 +32,7 @@
 //= require jsapi
 //= html5.js
 function rubyCodeFormat() {
@@ -3,7 +3,9 @@ class ApplicationController < ActionController::Base
  helper_method :current_user, :is_admin?, :sanitize_font
  # Our security guy keep talking about sea-surfing, cool story bro.
-  # protect_from_forgery
+  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  #protect_from_forgery with: :exception
  private
@@ -31,7 +31,8 @@ class UsersController < ApplicationController
    # Still an Insecure DoR vulnerability
    #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
-    user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+    #user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
    user = User.where("user_id == '#{params[:user][:user_id]}'").first
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
@@ -2,8 +2,8 @@
 <html>
 <head>
  <title>RailsGoat</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
+  <%= stylesheet_link_tag    "application", media: "all", "data-turbolinks-track" => true %>
-  <%= javascript_include_tag "application" %>
+  <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
  <%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
  <!-- bootstrap css -->
 <%
@@ -1,4 +1,4 @@
 # This file is used by Rack-based servers to start the application.
 require ::File.expand_path('../config/environment',  __FILE__)
-run Railsgoat::Application
+run Rails.application
@@ -2,6 +2,8 @@ require File.expand_path('../boot', __FILE__)
 require 'rails/all'
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
 Bundler.require(:default, Rails.env)
 module Railsgoat
@@ -1,4 +1,4 @@
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
@@ -7,13 +7,13 @@ development:
  adapter: sqlite3
  database: db/development.sqlite3
  pool: 5
-  timeout: 5000
+  timeout: 15000
 mysql:
  adapter: mysql2
  database: development_railsgoat
  pool: 5
-  timeout: 5000
+  timeout: 15000
  host: localhost
  username: root
  password:
@@ -25,7 +25,7 @@ test:
  adapter: sqlite3
  database: db/test.sqlite3
  pool: 5
-  timeout: 5000
+  timeout: 15000
 production:
  adapter: sqlite3
@@ -9,11 +9,11 @@ Railsgoat::Application.configure do
  # Log error messages when you accidentally call methods on nil.
  config.whiny_nils = true
-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
-  # Don't care if the mailer can't send
+  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
  # Print deprecation notices to the Rails logger
@@ -32,7 +32,9 @@ Railsgoat::Application.configure do
  # Do not compress assets
  config.assets.compress = false
-  # Expands the lines which load the assets
+  # Debug mode disables concatenation and preprocessing of assets.
  # This option may cause significant delays in view rendering with a large
  # number of complex assets.
  config.assets.debug = true
  # ActionMailer settings for email support
@@ -48,6 +50,9 @@ Railsgoat::Application.configure do
       :ignore => [ %r{dont/modify\.html$} ]
  )
-  # For Rails 4.0+
+  # For Rails 4.0+: Do not eager load code on boot.
  config.eager_load = false
  # For Rails 4.0+: Raise an error on page load if there are pending migrations
  config.active_record.migration_error = :page_load
 end
@@ -1,37 +1,50 @@
 Railsgoat::Application.configure do
  # Settings specified here will take precedence over those in config/application.rb
-  # Code is not reloaded between requests
+  # Code is not reloaded between requests.
  config.cache_classes = true
-  # Full error reports are disabled and caching is turned on
+  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
-  # Disable Rails's static asset server (Apache or nginx will already do this)
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
  # Add `rack-cache` to your Gemfile before enabling this.
  # For large-scale production use, consider using a caching
  # reverse proxy like nginx, varnish or squid.
  # config.action_dispatch.rack_cache = true
  # Disable Rails's static asset server (Apache or nginx will already do this).
  config.serve_static_assets = false
  # Compress JavaScripts and CSS
  config.assets.compress = true
-  # Don't fallback to assets pipeline if a precompiled asset is missed
+  # Compress JavaScripts and CSS.
-  config.assets.compile = true
+  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass
-  # Generate digests for assets URLs
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
  config.assets.compile = true # default is false
  # Generate digests for assets URLs.
  config.assets.digest = true
  # For Rails 4.0+: Version of your assets, change this if you want to expire all your assets.
  config.assets.version = '1.0'
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH
-  # Specifies the header that your server uses for sending files
+  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
-  # See everything in the log (default is :info)
+  # Set to :debug to see everything in the log.
-  # config.log_level = :debug
+  config.log_level = :info
  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
@@ -55,16 +68,45 @@ Railsgoat::Application.configure do
  # config.threadsafe!
  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
-  # the I18n.default_locale when a translation can not be found)
+  # the I18n.default_locale when a translation can not be found).
  config.i18n.fallbacks = true
-  # Send deprecation notices to registered listeners
+  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify
  # Log the query plan for queries taking more than this (works
  # with SQLite, MySQL, and PostgreSQL)
  # config.active_record.auto_explain_threshold_in_seconds = 0.5
-  # For Rails 4.0+
+  # For Rails 4.0+: Eager load code on boot. This eager loads most of
  # Rails and your application in memory, allowing both thread web
  # servers and those relying on copy on write to perform better.
  # Rake tasks automatically ignore this option for performance.
  config.eager_load = true
  # For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed.
  config.log_formatter = ::Logger::Formatter.new
  # For Rails 4.0+: Disable automatic flushing of the log to improve performance.
  # config.autoflush_log = false
  # Prepend all log lines with the following tags.
  # config.log_tags = [ :subdomain, :uuid ]
  # Use a different logger for distributed setups.
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
  # Use a different cache store in production.
  # config.cache_store = :mem_cache_store
  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
  # config.action_controller.asset_host = "http://assets.example.com"
  # Precompile additional assets.
  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
  # config.assets.precompile += %w( search.js )
  # Ignore bad email addresses and do not raise email delivery errors.
  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
  # config.action_mailer.raise_delivery_errors = false
 end
@@ -7,18 +7,18 @@ Railsgoat::Application.configure do
  # and recreated between test runs. Don't rely on the data there!
  config.cache_classes = true
-  # Configure static asset server for tests with Cache-Control for performance
+  # Configure static asset server for tests with Cache-Control for performance.
  config.serve_static_assets = true
  config.static_cache_control = "public, max-age=3600"
-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
-  # Raise exceptions instead of rendering exception templates
+  # Raise exceptions instead of rendering exception templates.
  config.action_dispatch.show_exceptions = false
-  # Disable request forgery protection in test environment
+  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection    = false
  # Tell Action Mailer not to deliver emails to the real world.
@@ -26,9 +26,12 @@ Railsgoat::Application.configure do
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test
-  # Print deprecation notices to the stderr
+  # Print deprecation notices to the stderr.
  config.active_support.deprecation = :stderr
  # For Rails 4.0+
  # Do not eager load code on boot. This avoids loading your whole application
  # just for the purpose of running a single test. If you are using a tool that
  # preloads Rails for running tests, you may have to set it to true.
  config.eager_load = false
 end
@@ -5,7 +5,7 @@
 # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
 ActiveSupport.on_load(:action_controller) do
-  wrap_parameters format: [:json]
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
 end
 # Disable root element in JSON by default.
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The page you were looking for doesn't exist (404)</title>
-  <style type="text/css">
+  <style>
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  body {
-    div.dialog {
+    background-color: #EFEFEF;
-      width: 25em;
+    color: #2E2F30;
-      padding: 0 4em;
+    text-align: center;
-      margin: 4em auto 0 auto;
+    font-family: arial, sans-serif;
-      border: 1px solid #ccc;
+  }
-      border-right-color: #999;
+
-      border-bottom-color: #999;
+  div.dialog {
-    }
+    width: 25em;
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+    margin: 4em auto 0 auto;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-left-color: #999;
    border-bottom-color: #BBB;
    border-top: #B00100 solid 4px;
    border-top-left-radius: 9px;
    border-top-right-radius: 9px;
    background-color: white;
    padding: 7px 4em 0 4em;
  }
  h1 {
    font-size: 100%;
    color: #730E15;
    line-height: 1.5em;
  }
  body > p {
    width: 33em;
    margin: 0 auto 1em;
    padding: 1em 0;
    background-color: #F7F7F7;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
    border-bottom-left-radius: 4px;
    border-bottom-right-radius: 4px;
    border-top-color: #DADADA;
    color: #666;
    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
  </style>
 </head>
@@ -22,5 +53,6 @@
    <h1>The page you were looking for doesn't exist.</h1>
    <p>You may have mistyped the address or the page may have moved.</p>
  </div>
  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The change you wanted was rejected (422)</title>
-  <style type="text/css">
+  <style>
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  body {
-    div.dialog {
+    background-color: #EFEFEF;
-      width: 25em;
+    color: #2E2F30;
-      padding: 0 4em;
+    text-align: center;
-      margin: 4em auto 0 auto;
+    font-family: arial, sans-serif;
-      border: 1px solid #ccc;
+  }
-      border-right-color: #999;
+
-      border-bottom-color: #999;
+  div.dialog {
-    }
+    width: 25em;
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+    margin: 4em auto 0 auto;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-left-color: #999;
    border-bottom-color: #BBB;
    border-top: #B00100 solid 4px;
    border-top-left-radius: 9px;
    border-top-right-radius: 9px;
    background-color: white;
    padding: 7px 4em 0 4em;
  }
  h1 {
    font-size: 100%;
    color: #730E15;
    line-height: 1.5em;
  }
  body > p {
    width: 33em;
    margin: 0 auto 1em;
    padding: 1em 0;
    background-color: #F7F7F7;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
    border-bottom-left-radius: 4px;
    border-bottom-right-radius: 4px;
    border-top-color: #DADADA;
    color: #666;
    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
  </style>
 </head>
@@ -22,5 +53,6 @@
    <h1>The change you wanted was rejected.</h1>
    <p>Maybe you tried to change something you didn't have access to.</p>
  </div>
  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>We're sorry, but something went wrong (500)</title>
-  <style type="text/css">
+  <style>
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  body {
-    div.dialog {
+    background-color: #EFEFEF;
-      width: 25em;
+    color: #2E2F30;
-      padding: 0 4em;
+    text-align: center;
-      margin: 4em auto 0 auto;
+    font-family: arial, sans-serif;
-      border: 1px solid #ccc;
+  }
-      border-right-color: #999;
+
-      border-bottom-color: #999;
+  div.dialog {
-    }
+    width: 25em;
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+    margin: 4em auto 0 auto;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-left-color: #999;
    border-bottom-color: #BBB;
    border-top: #B00100 solid 4px;
    border-top-left-radius: 9px;
    border-top-right-radius: 9px;
    background-color: white;
    padding: 7px 4em 0 4em;
  }
  h1 {
    font-size: 100%;
    color: #730E15;
    line-height: 1.5em;
  }
  body > p {
    width: 33em;
    margin: 0 auto 1em;
    padding: 1em 0;
    background-color: #F7F7F7;
    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
    border-bottom-left-radius: 4px;
    border-bottom-right-radius: 4px;
    border-top-color: #DADADA;
    color: #666;
    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
  </style>
 </head>
@@ -21,5 +52,6 @@
  <div class="dialog">
    <h1>We're sorry, but something went wrong.</h1>
  </div>
  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -1,5 +1,5 @@
 # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
 #
 # To ban all spiders from the entire site uncomment the next two lines:
-# User-Agent: *
+# User-agent: *
 # Disallow: /
@@ -16,7 +16,7 @@ feature 'insecure direct object reference' do
    pending(:if => verifying_fixed?) {
      page.status_code.should == 200
      page.response_headers['Content-Disposition'].should include('database.yml')
-      page.response_headers['Content-Length'].should == '709'
+      page.response_headers['Content-Length'].should == '712'
    }
  end
@@ -28,4 +28,4 @@ feature 'insecure direct object reference' do
    pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' }
  end
-end
+end
@@ -1,4 +1,4 @@
-ENV["RAILS_ENV"] = "test"
+ENV["RAILS_ENV"] ||= "test"
 # To use simplecov, do this: COVERAGE=true rake
 require 'simplecov'
@@ -8,6 +8,8 @@ require File.expand_path('../../config/environment', __FILE__)
 require 'rails/test_help'
 class ActiveSupport::TestCase
  # Maybe for Rails 4.0: ActiveRecord::Migration.check_pending!
  # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
  #
  # Note: You'll currently still have to declare fixtures explicitly in integration tests