Upgraded Ruby to 2.7.0-preview1 and Rails to 6.0.0 - fixed 1 spec

2019-09-09 15:13:29 -04:00
parent 0dcadc065f
commit 23d145129d
12 changed files with 87 additions and 59 deletions
@@ -1 +1 @@
-2.6.4
+2.7.0-preview1
@@ -1,6 +1,7 @@
 language: ruby
 rvm:
  - "2.6.4"
+  - "2.7.0-preview1"

 before_install:
  - "phantomjs --version"
@@ -1,4 +1,4 @@
-FROM ruby:2.6.2
+FROM ruby:2.7.0-preview1
 RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
 RUN mkdir /myapp
 WORKDIR /myapp
@@ -2,9 +2,9 @@
 source "https://rubygems.org"

 #don't upgrade
-gem "rails", "5.1.7"
+gem "rails", "6.0.0"

-ruby "2.6.4"
+ruby "2.7.0"

 gem "aruba"
 gem "bcrypt"
@@ -1,46 +1,63 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actioncable (5.1.7)
-      actionpack (= 5.1.7)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
      nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      mail (>= 2.7.1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
-    actionpack (5.1.7)
-      actionview (= 5.1.7)
-      activesupport (= 5.1.7)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
      rack (~> 2.0)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.7)
-      activesupport (= 5.1.7)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.7)
-      activesupport (= 5.1.7)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
      globalid (>= 0.3.6)
-    activemodel (5.1.7)
-      activesupport (= 5.1.7)
-    activerecord (5.1.7)
-      activemodel (= 5.1.7)
-      activesupport (= 5.1.7)
-      arel (~> 8.0)
-    activesupport (5.1.7)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      marcel (~> 0.3.1)
+    activesupport (6.0.0)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
      tzinfo (~> 1.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
    addressable (2.7.0)
      public_suffix (>= 2.0.2, < 5.0)
-    arel (8.0.0)
    aruba (0.14.11)
      childprocess (>= 0.6.3, < 3.0.0)
      contracts (~> 0.9)
@@ -73,9 +90,9 @@ GEM
      rake (< 13.0)
    cliver (0.3.2)
    coderay (1.1.2)
-    coffee-rails (4.2.2)
+    coffee-rails (5.0.0)
      coffee-script (>= 2.2.0)
-      railties (>= 4.0.0)
+      railties (>= 5.2.0)
    coffee-script (2.4.1)
      coffee-script-source
      execjs
@@ -103,6 +120,7 @@ GEM
    debug_inspector (0.0.3)
    diff-lcs (1.3)
    docile (1.3.2)
+    dotenv (0.7.0)
    em-websocket (0.5.1)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
@@ -110,8 +128,9 @@ GEM
    eventmachine (1.2.7)
    execjs (2.7.0)
    ffi (1.11.1)
-    foreman (0.85.0)
-      thor (~> 0.19.1)
+    foreman (0.64.0)
+      dotenv (~> 0.7.0)
+      thor (>= 0.13.6)
    formatador (0.2.5)
    gherkin (5.1.0)
    globalid (0.4.2)
@@ -165,7 +184,10 @@ GEM
    lumberjack (1.0.13)
    mail (2.7.1)
      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
    method_source (0.9.2)
+    mimemagic (0.3.3)
    mini_mime (1.0.2)
    mini_portile2 (2.4.0)
    minitest (5.11.3)
@@ -202,17 +224,20 @@ GEM
      rack
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
-    rails (5.1.7)
-      actioncable (= 5.1.7)
-      actionmailer (= 5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
-      activemodel (= 5.1.7)
-      activerecord (= 5.1.7)
-      activesupport (= 5.1.7)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
      bundler (>= 1.3.0)
-      railties (= 5.1.7)
+      railties (= 6.0.0)
      sprockets-rails (>= 2.0.0)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
@@ -220,12 +245,12 @@ GEM
    rails-html-sanitizer (1.2.0)
      loofah (~> 2.2, >= 2.2.2)
    rails-perftest (0.0.7)
-    railties (5.1.7)
-      actionpack (= 5.1.7)
-      activesupport (= 5.1.7)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
      method_source
      rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
+      thor (>= 0.20.3, < 2.0)
    rainbow (3.0.0)
    raindrops (0.19.0)
    rake (12.3.3)
@@ -300,7 +325,7 @@ GEM
    therubyracer (0.12.3)
      libv8 (~> 3.16.14.15)
      ref
-    thor (0.19.4)
+    thor (0.20.3)
    thread_safe (0.3.6)
    tilt (2.0.9)
    travis-lint (2.0.0)
@@ -316,11 +341,12 @@ GEM
    unicorn (5.5.1)
      kgio (~> 2.6)
      raindrops (~> 0.7)
-    websocket-driver (0.6.5)
+    websocket-driver (0.7.1)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.4)
    xpath (3.2.0)
      nokogiri (~> 1.8)
+    zeitwerk (2.1.10)

 PLATFORMS
  ruby
@@ -350,7 +376,7 @@ DEPENDENCIES
  pry-rails
  puma
  rack-livereload
-  rails (= 5.1.7)
+  rails (= 6.0.0)
  rails-perftest
  rake
  rb-fsevent
@@ -369,7 +395,7 @@ DEPENDENCIES
  unicorn

 RUBY VERSION
-   ruby 2.6.4p104
+   ruby 2.7.0p-1

 BUNDLED WITH
-   1.17.3
+   2.1.0.pre.1
@@ -1,6 +1,6 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)

-RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.

 ## Support

@@ -18,7 +18,7 @@ After installing the above software, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```

-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 6.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:

 ```bash
 $ cd railsgoat
@@ -73,7 +73,7 @@ Note: if your container exits with an error, it may be because a server is alrea
 ```
 A server is already running. Check /myapp/tmp/pids/server.pid.
 => Booting Thin
-=> Rails 5.0.1 application starting in development on
+=> Rails 6.0.0 application starting in development on
 http://0.0.0.0:3000
 => Run `rails server -h` for more startup options
 => Ctrl-C to shutdown server
@@ -34,7 +34,7 @@ class AdminController < ApplicationController
  def update_user
    user = User.find_by_id(params[:admin_id])
    if user
-      user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") })
+      user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
      pass = params[:user][:password]
      user.password = pass if !(pass.blank?)
      user.save!
@@ -29,7 +29,7 @@ class UsersController < ApplicationController
    user = User.where("id = '#{params[:user][:id]}'")[0]

    if user
-      user.update_attributes(user_params_without_password)
+      user.update(user_params_without_password)
      if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
        user.password = params[:user][:password]
      end
@@ -55,5 +55,7 @@ module Railsgoat
    config.assets.version = "1.0"

    I18n.config.enforce_available_locales = false
+
+    config.action_dispatch.return_only_media_type_on_content_type = false
  end
 end
@@ -5,5 +5,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Railsgoat::Application.config.secret_token = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
 Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
@@ -7,7 +7,7 @@ feature "sensitive data exposure" do

  before do
    UserFixture.reset_all_users
-    normal_user.work_info.update_attribute(:SSN, user_ssn)
+    normal_user.work_info.update(:SSN, user_ssn)

    pending unless verifying_fixed?
  end
@@ -22,7 +22,7 @@ feature "sql injection" do
      fill_in "user_password_confirmation", with: "hacketyhack"

      # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
    end
    click_on "Submit"