From e999c0250624b18a96b689e79113f5efdaffaa7b Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 9 Oct 2013 12:55:00 -0400 Subject: [PATCH 1/5] adding password hashing spec --- spec/support/capybara_shared.rb | 2 +- spec/vulnerabilities/password_hashing_spec.rb | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 spec/vulnerabilities/password_hashing_spec.rb diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb index 6e3657d..2f982f9 100644 --- a/spec/support/capybara_shared.rb +++ b/spec/support/capybara_shared.rb @@ -16,7 +16,7 @@ def verifying_fixed? ****************************************************************************** You are running the RailsGoat Capybara Specs in Training mode. These specs are supposed to fail, indicating vulnerabilities exist. They contain - spoilers, so do not read the code in spec/features if your goal is to + spoilers, so do not read the code in spec/vulnerabilities if your goal is to learn more about patching the vulnerabilities. You should fix the vulnerabilities in the application in order to get these specs to pass**. You can use them to measure your progress. diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb new file mode 100644 index 0000000..2c2e7a6 --- /dev/null +++ b/spec/vulnerabilities/password_hashing_spec.rb @@ -0,0 +1,26 @@ +require 'spec_helper' + +feature 'improper password hashing' do + before do + UserFixture.reset_all_users + @normal_user = UserFixture.normal_user + end + + scenario 'with just md5' do + new_pass = 'testpassword' + @normal_user.password = new_pass + @normal_user.password_confirmation = new_pass + @normal_user.save + pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password} + end + + scenario 'with md5 and salt' do + if @normal_user.has_attribute?('salt') + new_pass = 'testpassword' + @normal_user.password = new_pass + @normal_user.password_confirmation = new_pass + @normal_user.save + pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password} + end + end +end \ No newline at end of file From 82387a1f92b50b5a08153c30fd4da7b757e91256 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 9 Oct 2013 13:18:32 -0400 Subject: [PATCH 2/5] updating spec to fail if salt is not defined --- spec/vulnerabilities/password_hashing_spec.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb index 2c2e7a6..2d9ddb0 100644 --- a/spec/vulnerabilities/password_hashing_spec.rb +++ b/spec/vulnerabilities/password_hashing_spec.rb @@ -21,6 +21,9 @@ feature 'improper password hashing' do @normal_user.password_confirmation = new_pass @normal_user.save pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password} + else + #fail test if salt attribute not defined + true.should == false end end end \ No newline at end of file From 77a3940530fe854898d26bc329e16fa58d508ce9 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 9 Oct 2013 13:20:30 -0400 Subject: [PATCH 3/5] adding training rake task to ease running training specs --- lib/tasks/traning.rake | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 lib/tasks/traning.rake diff --git a/lib/tasks/traning.rake b/lib/tasks/traning.rake new file mode 100644 index 0000000..2a40c39 --- /dev/null +++ b/lib/tasks/traning.rake @@ -0,0 +1,4 @@ +desc 'run training tests' +task :training do + Rake::Task["spec:vulnerabilities"].invoke +end \ No newline at end of file From 79915519b11a023f40ee9a09ada2eb1b3000f924 Mon Sep 17 00:00:00 2001 From: mccabe615 Date: Wed, 9 Oct 2013 13:25:54 -0400 Subject: [PATCH 4/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b3d2908..850287c 100755 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ in the application. To run them, though, you'll first need to [install PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs), which is required by the Poltergeist Capybara driver. Then just rake: - rake + rake training NOTE: As vulnerabilities are fixed in the application, these specs won't change from to passing but to _pending_. From c9231233e5207d0c6a99d0ddf999276cea9e0c28 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 9 Oct 2013 14:23:46 -0400 Subject: [PATCH 5/5] make test go into pending unless salt attribute defined for travis --- spec/vulnerabilities/password_hashing_spec.rb | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb index 2d9ddb0..077a352 100644 --- a/spec/vulnerabilities/password_hashing_spec.rb +++ b/spec/vulnerabilities/password_hashing_spec.rb @@ -15,15 +15,11 @@ feature 'improper password hashing' do end scenario 'with md5 and salt' do - if @normal_user.has_attribute?('salt') - new_pass = 'testpassword' - @normal_user.password = new_pass - @normal_user.password_confirmation = new_pass - @normal_user.save - pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password} - else - #fail test if salt attribute not defined - true.should == false - end + pending unless @normal_user.has_attribute?('salt') + new_pass = 'testpassword' + @normal_user.password = new_pass + @normal_user.password_confirmation = new_pass + @normal_user.save + pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password} end end \ No newline at end of file