From 269d5a0075670ca356525647d859039e949f8b53 Mon Sep 17 00:00:00 2001
From: chrismo
Date: Fri, 27 Sep 2013 16:58:33 -0500
Subject: [PATCH] XSS Capybara spec added.

---
 spec/features/command_injection_spec.rb | 15 +++----------
 spec/features/sql_injection_spec.rb     | 13 +++--------
 spec/features/xss_spec.rb               | 30 +++++++++++++++++++++++++
 spec/support/capybara_shared.rb         |  8 +++++++
 spec/support/user_fixture.rb            | 18 +++++++++++++++
 5 files changed, 62 insertions(+), 22 deletions(-)
 create mode 100644 spec/features/xss_spec.rb
 create mode 100644 spec/support/capybara_shared.rb
 create mode 100644 spec/support/user_fixture.rb

diff --git a/spec/features/command_injection_spec.rb b/spec/features/command_injection_spec.rb
index 186524a..e1ef311 100644
--- a/spec/features/command_injection_spec.rb
+++ b/spec/features/command_injection_spec.rb
@@ -3,21 +3,12 @@ require 'tmpdir'
 
 feature 'command injection' do
   before do
-    User.delete_all
-    Rails.application.load_seed
-    @normal_user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
-                            :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
-    @normal_user.build_benefits_data
-    @normal_user.save!
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
   end
 
   scenario 'injection attack on file upload', :js => true do
-    visit '/'
-    within('.signup') do
-      fill_in 'email', :with => 'joe@schmoe.com'
-      fill_in 'password', :with => 'aoeuaoeu'
-    end
-    click_on 'Login'
+    login(@normal_user)
 
     legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
     File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
diff --git a/spec/features/sql_injection_spec.rb b/spec/features/sql_injection_spec.rb
index d689b12..9553fc4 100644
--- a/spec/features/sql_injection_spec.rb
+++ b/spec/features/sql_injection_spec.rb
@@ -2,22 +2,15 @@ require 'spec_helper'
 
 feature 'sql injection' do
   before do
-    User.delete_all
-    Rails.application.load_seed
-    @normal_user = User.create!(:first_name => 'Joe', :last_name => 'Schmoe',
-                                :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
     @admin_user = User.where("admin='t'").first
   end
 
   scenario 'injection attack on account_settings' do
     @admin_user.admin.should be_true
 
-    visit '/'
-    within('.signup') do
-      fill_in 'email', :with => 'joe@schmoe.com'
-      fill_in 'password', :with => 'aoeuaoeu'
-    end
-    click_on 'Login'
+    login(@normal_user)
 
     visit "/users/#{@normal_user.user_id}/account_settings"
     within('#account_edit') do
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
new file mode 100644
index 0000000..39735f1
--- /dev/null
+++ b/spec/features/xss_spec.rb
@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+feature 'xss' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'injection attack on account_settings', :js => true do
+    login @normal_user
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'First name', :with => "B"
+
+      # password gets screwed up if you don't re-submit - need to fix
+      fill_in 'user_password', :with => @normal_user.clear_password
+      fill_in 'user_password_confirmation', :with => @normal_user.clear_password
+    end
+    click_on 'Submit'
+    save_screenshot('screenshot.post.submit.png')
+
+    visit '/'
+
+    find('form.button_to input.btn.btn-primary').value.should == 'RailsGoat h4x0r3d'
+
+    # might be nice to demonstrate posting cookie contents or somesuch, but
+    # this at least shows the vulnerability still exists.
+  end
+end
\ No newline at end of file
diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb
new file mode 100644
index 0000000..aeeb960
--- /dev/null
+++ b/spec/support/capybara_shared.rb
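Review bot: The xss scenario fills `First name` with the literal `"B"` and then asserts that the home page's login button now reads `'RailsGoat h4x0r3d'`, but no script payload appears anywhere in the hunk, so as committed the spec either relies on a payload stored by something outside this file or cannot trigger the stored XSS it is named for. The value passed to `fill_in 'First name'` should be the `<script>` payload that rewrites that button, so the assertion follows from input made in the same example; otherwise a green run proves nothing about the vulnerability. `save_screenshot('screenshot.post.submit.png')` also writes an artifact into the working directory on every run and looks like a debugging leftover; drop it or guard it behind an environment variable. The `# ... need to fix` comment on the password re-entry should be turned into an explanation of which form behaviour forces the re-submit, or a tracked TODO, so the next reader does not remove the two `fill_in` calls as redundant.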
@@ -0,0 +1,8 @@
+def login(user)
+  visit '/'
+  within('.signup') do
+    fill_in 'email', :with => user.email
+    fill_in 'password', :with => user.clear_password
+  end
+  click_on 'Login'
+end
diff --git a/spec/support/user_fixture.rb b/spec/support/user_fixture.rb
new file mode 100644
index 0000000..8a5f182
--- /dev/null
+++ b/spec/support/user_fixture.rb
@@ -0,0 +1,18 @@
+class UserFixture
+  def self.reset_all_users
+    User.delete_all
+    Rails.application.load_seed
+  end
+
+  def self.normal_user
+    password = 'aoeuaoeu'
+    user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
+                    :email => 'joe@schmoe.com', :password => password, :password_confirmation => password)
+    def user.clear_password
+      'aoeuaoeu'
+    end
+    user.build_benefits_data
+    user.save!
+    user
+  end
+end
\ No newline at end of file
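Review bot: `login` is defined at the top level of a support file, which makes it a private method on every Object in the test process; any other `login` defined by a spec, a helper gem or the application itself will silently override it or be overridden by it. Wrap the definition in a module and mix it in only where it is needed, e.g. `module CapybaraShared` around the `def` and, presumably in spec_helper (not shown here), `config.include CapybaraShared, :type => :feature`. A one-line comment such as `# Signs in through the '.signup' form on '/'; expects user to respond to email and clear_password` would also document the duck type the helper relies on.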
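Review bot: `def user.clear_password` returns the repeated literal `'aoeuaoeu'` rather than the `password` local assigned two lines above, because `def` opens a fresh scope and cannot see it; the two copies will drift the first time someone changes one, and `login`, which reads `user.clear_password`, would then fail with a confusing form error. A closure keeps a single source of truth: `user.define_singleton_method(:clear_password) { password }`. It is also worth a comment on `reset_all_users` that `User.delete_all` plus `Rails.application.load_seed` wipes and re-seeds the users table of whatever database the test environment points at, so the helper must never be required outside the test suite.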