From 23d145129df3af76bca43e659d5e4370afeb17b6 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Mon, 9 Sep 2019 15:13:29 -0400
Subject: [PATCH 1/4] Upgraded Ruby to 2.7.0-preview1 and Rails to 6.0.0 - fixed 1 spec
---
.ruby-version | 2 +-
.travis.yml | 1 +
Dockerfile | 2 +-
Gemfile | 4 +-
Gemfile.lock | 120 +++++++++++-------
README.md | 6 +-
app/controllers/admin_controller.rb | 2 +-
app/controllers/users_controller.rb | 2 +-
config/application.rb | 2 +
config/initializers/secret_token.rb | 1 -
.../sensitive_data_exposure.rb | 2 +-
spec/vulnerabilities/sql_injection_spec.rb | 2 +-
12 files changed, 87 insertions(+), 59 deletions(-)
diff --git a/.ruby-version b/.ruby-version
index 2714f53..7ee07b8 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.6.4
+2.7.0-preview1
diff --git a/.travis.yml b/.travis.yml
index ef9b8cf..eabb9f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,7 @@
language: ruby
rvm: - "2.6.4"
+ - "2.7.0-preview1"
before_install: - "phantomjs --version"
diff --git a/Dockerfile b/Dockerfile
index fa65553..5d3f7c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ruby:2.6.2
+FROM ruby:2.7.0-preview1
RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
RUN mkdir /myapp
WORKDIR /myapp
diff --git a/Gemfile b/Gemfile
index 4927f06..598addf 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,9 +2,9 @@ source "https://rubygems.org"
#don't upgrade
-gem "rails", "5.1.7"
+gem "rails", "6.0.0"
-ruby "2.6.4"
+ruby "2.7.0"
gem "aruba"
gem "bcrypt"
diff --git a/Gemfile.lock b/Gemfile.lock
index db56c29..ef70067 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,46 +1,63 @@ GEM remote: https://rubygems.org/ specs: - actioncable (5.1.7) - actionpack (= 5.1.7) + actioncable (6.0.0) + actionpack (= 6.0.0) nio4r (~> 2.0) - websocket-driver (~> 0.6.1) - actionmailer (5.1.7) - actionpack (= 5.1.7) - actionview (= 5.1.7) - activejob (= 5.1.7) + websocket-driver (>= 0.6.1) + actionmailbox (6.0.0) + actionpack (= 6.0.0) + activejob (= 6.0.0) + activerecord (= 6.0.0) + activestorage (= 6.0.0) + activesupport (= 6.0.0) + mail (>= 2.7.1) + actionmailer (6.0.0) + actionpack (= 6.0.0) + actionview (= 6.0.0) + activejob (= 6.0.0) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.1.7) - actionview (= 5.1.7) - activesupport (= 5.1.7) + actionpack (6.0.0) + actionview (= 6.0.0) + activesupport (= 6.0.0) rack (~> 2.0) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) - rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.1.7) - activesupport (= 5.1.7) + rails-html-sanitizer (~> 1.0, >= 1.2.0) + actiontext (6.0.0) + actionpack (= 6.0.0) + activerecord (= 6.0.0) + activestorage (= 6.0.0) + activesupport (= 6.0.0) + nokogiri (>= 1.8.5) + actionview (6.0.0) + activesupport (= 6.0.0) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) - rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.1.7) - activesupport (= 5.1.7) + rails-html-sanitizer (~> 1.1, >= 1.2.0) + activejob (6.0.0) + activesupport (= 6.0.0) globalid (>= 0.3.6) - activemodel (5.1.7) - activesupport (= 5.1.7) - activerecord (5.1.7) - activemodel (= 5.1.7) - activesupport (= 5.1.7) - arel (~> 8.0) - activesupport (5.1.7) + activemodel (6.0.0) + activesupport (= 6.0.0) + activerecord (6.0.0) + activemodel (= 6.0.0) + activesupport (= 6.0.0) + activestorage (6.0.0) + actionpack (= 6.0.0) + activejob (= 6.0.0) + activerecord (= 6.0.0) + marcel (~> 0.3.1) + activesupport (6.0.0) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) tzinfo (~> 1.1) + zeitwerk (~> 2.1, >= 2.1.8) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) - arel 
(8.0.0) aruba (0.14.11) childprocess (>= 0.6.3, < 3.0.0) contracts (~> 0.9) @@ -73,9 +90,9 @@ GEM rake (< 13.0) cliver (0.3.2) coderay (1.1.2) - coffee-rails (4.2.2) + coffee-rails (5.0.0) coffee-script (>= 2.2.0) - railties (>= 4.0.0) + railties (>= 5.2.0) coffee-script (2.4.1) coffee-script-source execjs @@ -103,6 +120,7 @@ GEM debug_inspector (0.0.3) diff-lcs (1.3) docile (1.3.2) + dotenv (0.7.0) em-websocket (0.5.1) eventmachine (>= 0.12.9) http_parser.rb (~> 0.6.0) @@ -110,8 +128,9 @@ GEM eventmachine (1.2.7) execjs (2.7.0) ffi (1.11.1) - foreman (0.85.0) - thor (~> 0.19.1) + foreman (0.64.0) + dotenv (~> 0.7.0) + thor (>= 0.13.6) formatador (0.2.5) gherkin (5.1.0) globalid (0.4.2) @@ -165,7 +184,10 @@ GEM lumberjack (1.0.13) mail (2.7.1) mini_mime (>= 0.1.1) + marcel (0.3.3) + mimemagic (~> 0.3.2) method_source (0.9.2) + mimemagic (0.3.3) mini_mime (1.0.2) mini_portile2 (2.4.0) minitest (5.11.3) @@ -202,17 +224,20 @@ GEM rack rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.1.7) - actioncable (= 5.1.7) - actionmailer (= 5.1.7) - actionpack (= 5.1.7) - actionview (= 5.1.7) - activejob (= 5.1.7) - activemodel (= 5.1.7) - activerecord (= 5.1.7) - activesupport (= 5.1.7) + rails (6.0.0) + actioncable (= 6.0.0) + actionmailbox (= 6.0.0) + actionmailer (= 6.0.0) + actionpack (= 6.0.0) + actiontext (= 6.0.0) + actionview (= 6.0.0) + activejob (= 6.0.0) + activemodel (= 6.0.0) + activerecord (= 6.0.0) + activestorage (= 6.0.0) + activesupport (= 6.0.0) bundler (>= 1.3.0) - railties (= 5.1.7) + railties (= 6.0.0) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) @@ -220,12 +245,12 @@ GEM rails-html-sanitizer (1.2.0) loofah (~> 2.2, >= 2.2.2) rails-perftest (0.0.7) - railties (5.1.7) - actionpack (= 5.1.7) - activesupport (= 5.1.7) + railties (6.0.0) + actionpack (= 6.0.0) + activesupport (= 6.0.0) method_source rake (>= 0.8.7) - thor (>= 0.18.1, < 2.0) + thor (>= 0.20.3, < 2.0) rainbow (3.0.0) raindrops (0.19.0) rake (12.3.3) 
@@ -300,7 +325,7 @@ GEM therubyracer (0.12.3) libv8 (~> 3.16.14.15) ref - thor (0.19.4) + thor (0.20.3) thread_safe (0.3.6) tilt (2.0.9) travis-lint (2.0.0) @@ -316,11 +341,12 @@ GEM unicorn (5.5.1) kgio (~> 2.6) raindrops (~> 0.7) - websocket-driver (0.6.5) + websocket-driver (0.7.1) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.4) xpath (3.2.0) nokogiri (~> 1.8) + zeitwerk (2.1.10) PLATFORMS ruby @@ -350,7 +376,7 @@ DEPENDENCIES pry-rails puma rack-livereload - rails (= 5.1.7) + rails (= 6.0.0) rails-perftest rake rb-fsevent @@ -369,7 +395,7 @@ DEPENDENCIES unicorn RUBY VERSION - ruby 2.6.4p104 + ruby 2.7.0p-1 BUNDLED WITH - 1.17.3 + 2.1.0.pre.1 diff --git a/README.md b/README.md index cc3ae38..e3c1556 100755 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Support 
@@ -18,7 +18,7 @@ After installing the above software, clone this repo:
$ git clone git@github.com:OWASP/railsgoat.git
```
-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 6.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
```bash
$ cd railsgoat
@@ -73,7 +73,7 @@ Note: if your container exits with an error, it may be because a server is alrea
```
A server is already running. Check /myapp/tmp/pids/server.pid.
=> Booting Thin
-=> Rails 5.0.1 application starting in development on
+=> Rails 6.0.0 application starting in development on
http://0.0.0.0:3000
=> Run `rails server -h` for more startup options
=> Ctrl-C to shutdown server
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 53615f7..8e1d7a0 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -34,7 +34,7 @@ class AdminController < ApplicationController
def update_user
user = User.find_by_id(params[:admin_id])
if user
- user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") })
+ user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
pass = params[:user][:password]
user.password = pass if !(pass.blank?)
user.save!
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index cc04a07..3a5e061 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
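Review bot: The key filter on the new `user.update(...)` line in admin_controller.rb only ever drops `password`: Ruby evaluates `("password" || "password_confirmation")` to `"password"` before the `==` runs, so `password_confirmation` is always passed through. If both keys are meant to be excluded, the block should read `params[:user].reject { |k, _| %w[password password_confirmation].include?(k) }`. The remainder of `params[:user]` is still handed to `update` without a permit list; if that mass assignment is one of this app's deliberate lessons, a one-line comment on the call saying so would keep a future upgrade from silently "fixing" it. `update_user` continues past the end of the hunk.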
@@ -29,7 +29,7 @@ class UsersController < ApplicationController
user = User.where("id = '#{params[:user][:id]}'")[0]
if user
- user.update_attributes(user_params_without_password)
+ user.update(user_params_without_password)
if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
user.password = params[:user][:password]
end
diff --git a/config/application.rb b/config/application.rb
index b27f634..ec6f9a8 100755
--- a/config/application.rb
+++ b/config/application.rb
@@ -55,5 +55,7 @@ module Railsgoat
config.assets.version = "1.0"
I18n.config.enforce_available_locales = false
+
+ config.action_dispatch.return_only_media_type_on_content_type = false
end
end
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index bceabf3..ea411bf 100755
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -5,5 +5,4 @@
# If you change this key, all old signed cookies will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
-Railsgoat::Application.config.secret_token = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
diff --git a/spec/vulnerabilities/sensitive_data_exposure.rb b/spec/vulnerabilities/sensitive_data_exposure.rb
index 08cbaf3..9d9380b 100644
--- a/spec/vulnerabilities/sensitive_data_exposure.rb
+++ b/spec/vulnerabilities/sensitive_data_exposure.rb
@@ -7,7 +7,7 @@ feature "sensitive data exposure" do
before do
UserFixture.reset_all_users
- normal_user.work_info.update_attribute(:SSN, user_ssn)
+ normal_user.work_info.update(:SSN, user_ssn)
pending unless verifying_fixed?
end
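Review bot: The new `config.action_dispatch.return_only_media_type_on_content_type = false` line in config/application.rb has no comment saying why it is set here rather than through `config.load_defaults 6.0`. As I read the 6.0 framework defaults this is one of them: with the flag false, `response.content_type` returns the full Content-Type header value rather than only the media type, which is presumably what the "fixed 1 spec" in the subject refers to. A comment such as `# Rails 6.0 default: response.content_type returns the whole header value, not just the media type` above the line, naming the spec that depended on it, would record the intent. The `Railsgoat::Application` class that encloses these lines opens outside the hunk.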
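Review bot: Dropping `config.secret_token` in config/initializers/secret_token.rb is right for Rails 6, but the surviving `secret_key_base` line still carries a fixed value committed to the repository, so every checkout signs and encrypts its session cookies with the same key. If the hard-coded key is part of the training material, the comment block above it should say so explicitly, e.g. `# Intentionally hard-coded for the lesson; never commit a real secret_key_base`; otherwise the assignment should be removed so Rails resolves the key from `ENV["SECRET_KEY_BASE"]` or the encrypted credentials, which I believe is the 6.0 production behaviour when nothing is set here. Either way a comment noting that the old `secret_token` is gone, not merely moved, would help the next reader.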
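Review bot: `normal_user.work_info.update(:SSN, user_ssn)` in spec/vulnerabilities/sensitive_data_exposure.rb is not a drop-in for the `update_attribute` call it replaces: `update` takes a single attributes hash, so this two-argument form raises an ArgumentError the moment the `before` block runs. `update_attribute` is not deprecated in Rails 6 and skips validations, so the original line could simply stay; if the rename is wanted anyway, the hash form is `normal_user.work_info.update(SSN: user_ssn)`. The file lacks the `_spec.rb` suffix, so rspec's default pattern probably never loads it, which would explain why CI did not catch this; worth confirming. The `before` block closes inside the hunk, the enclosing `feature` block does not.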
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index dd22d32..3196975 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -22,7 +22,7 @@ feature "sql injection" do
fill_in "user_password_confirmation", with: "hacketyhack"
# this is a hidden field, so cannot use fill_in to access it.
- find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
+ find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
end
click_on "Submit"
From 9bb63ee776fa56069aa4d74f3aab692693bb8a30 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Mon, 9 Sep 2019 15:21:54 -0400
Subject: [PATCH 2/4] Fixed .travis.yml build
---
.travis.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index eabb9f5..ad132c3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,5 @@
language: ruby
rvm:
- - "2.6.4"
- "2.7.0-preview1" before_install:
From d6d51797c8e6dee4fbfda34ead719598dbb07e2e Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Wed, 11 Sep 2019 13:16:16 -0400
Subject: [PATCH 3/4] Upgrade parser gem
---
Gemfile.lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index ef70067..227f69d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -202,7 +202,7 @@ GEM
nenv (~> 0.1)
shellany (~> 0.0)
parallel (1.17.0)
- parser (2.6.4.0)
+ parser (2.6.4.1)
ast (~> 2.4.0)
poltergeist (1.18.1)
capybara (>= 2.1, < 4)
From 4c8600890757ed7731340039dd7bb8c19e6f702d Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Mon, 16 Sep 2019 16:56:54 -0400
Subject: [PATCH 4/4] Upgraded simplecov gem
---
Gemfile.lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 227f69d..5513c0a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
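Review bot: The new fixture value `8' OR 1 == 1) --` in sql_injection_spec.rb changes what the scenario demonstrates, not only its syntax: the old `admin='t'` clause selected the admin account, whereas the new one matches every row and the controller's `[0]` then picks whichever row the adapter returns first, so any assertion below the hunk about ending up on the admin user now passes or fails for a different reason. `==` is SQLite's spelling of equality and is not accepted by PostgreSQL, so if the test database is SQLite the spec has become adapter-specific; given that the Dockerfile in this series installs `libpq-dev`, a comment such as `# SQLite-specific comparison; the scenario is adapter-dependent` next to the line, and a sentence in the commit message on why the previous value stopped working, would save the next person the investigation. The scenario's assertions are outside the hunk.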
@@ -307,7 +307,7 @@ GEM
sprockets-rails
tilt
shellany (0.0.1)
- simplecov (0.17.0)
+ simplecov (0.17.1)
docile (~> 1.1)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)