Merge pull request #367 from jasnow/master

LGTM! 👍 thanks @jasnow 🙇
Ken Johnson
2019-09-17 11:34:46 -04:00
committed by GitHub
12 changed files with 89 additions and 62 deletions
+1 -1
@@ -1 +1 @@
2.6.4 2.7.0-preview1
+1 -1
@@ -1,6 +1,6 @@
language: ruby language: ruby
rvm: rvm:
- "2.6.4" - "2.7.0-preview1"
before_install: before_install:
- "phantomjs --version" - "phantomjs --version"
+1 -1
@@ -1,4 +1,4 @@
FROM ruby:2.6.2 FROM ruby:2.7.0-preview1
RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
RUN mkdir /myapp RUN mkdir /myapp
WORKDIR /myapp WORKDIR /myapp
+2 -2
@@ -2,9 +2,9 @@
source "https://rubygems.org" source "https://rubygems.org"
#don't upgrade #don't upgrade
gem "rails", "5.1.7" gem "rails", "6.0.0"
ruby "2.6.4" ruby "2.7.0"
gem "aruba" gem "aruba"
gem "bcrypt" gem "bcrypt"
+75 -49
@@ -1,46 +1,63 @@
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
actioncable (5.1.7) actioncable (6.0.0)
actionpack (= 5.1.7) actionpack (= 6.0.0)
nio4r (~> 2.0) nio4r (~> 2.0)
websocket-driver (~> 0.6.1) websocket-driver (>= 0.6.1)
actionmailer (5.1.7) actionmailbox (6.0.0)
actionpack (= 5.1.7) actionpack (= 6.0.0)
actionview (= 5.1.7) activejob (= 6.0.0)
activejob (= 5.1.7) activerecord (= 6.0.0)
activestorage (= 6.0.0)
activesupport (= 6.0.0)
mail (>= 2.7.1)
actionmailer (6.0.0)
actionpack (= 6.0.0)
actionview (= 6.0.0)
activejob (= 6.0.0)
mail (~> 2.5, >= 2.5.4) mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
actionpack (5.1.7) actionpack (6.0.0)
actionview (= 5.1.7) actionview (= 6.0.0)
activesupport (= 5.1.7) activesupport (= 6.0.0)
rack (~> 2.0) rack (~> 2.0)
rack-test (>= 0.6.3) rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2) rails-html-sanitizer (~> 1.0, >= 1.2.0)
actionview (5.1.7) actiontext (6.0.0)
activesupport (= 5.1.7) actionpack (= 6.0.0)
activerecord (= 6.0.0)
activestorage (= 6.0.0)
activesupport (= 6.0.0)
nokogiri (>= 1.8.5)
actionview (6.0.0)
activesupport (= 6.0.0)
builder (~> 3.1) builder (~> 3.1)
erubi (~> 1.4) erubi (~> 1.4)
rails-dom-testing (~> 2.0) rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3) rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (5.1.7) activejob (6.0.0)
activesupport (= 5.1.7) activesupport (= 6.0.0)
globalid (>= 0.3.6) globalid (>= 0.3.6)
activemodel (5.1.7) activemodel (6.0.0)
activesupport (= 5.1.7) activesupport (= 6.0.0)
activerecord (5.1.7) activerecord (6.0.0)
activemodel (= 5.1.7) activemodel (= 6.0.0)
activesupport (= 5.1.7) activesupport (= 6.0.0)
arel (~> 8.0) activestorage (6.0.0)
activesupport (5.1.7) actionpack (= 6.0.0)
activejob (= 6.0.0)
activerecord (= 6.0.0)
marcel (~> 0.3.1)
activesupport (6.0.0)
concurrent-ruby (~> 1.0, >= 1.0.2) concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2) i18n (>= 0.7, < 2)
minitest (~> 5.1) minitest (~> 5.1)
tzinfo (~> 1.1) tzinfo (~> 1.1)
zeitwerk (~> 2.1, >= 2.1.8)
addressable (2.7.0) addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0) public_suffix (>= 2.0.2, < 5.0)
arel (8.0.0)
aruba (0.14.11) aruba (0.14.11)
childprocess (>= 0.6.3, < 3.0.0) childprocess (>= 0.6.3, < 3.0.0)
contracts (~> 0.9) contracts (~> 0.9)
@@ -73,9 +90,9 @@ GEM
rake (< 13.0) rake (< 13.0)
cliver (0.3.2) cliver (0.3.2)
coderay (1.1.2) coderay (1.1.2)
coffee-rails (4.2.2) coffee-rails (5.0.0)
coffee-script (>= 2.2.0) coffee-script (>= 2.2.0)
railties (>= 4.0.0) railties (>= 5.2.0)
coffee-script (2.4.1) coffee-script (2.4.1)
coffee-script-source coffee-script-source
execjs execjs
@@ -103,6 +120,7 @@ GEM
debug_inspector (0.0.3) debug_inspector (0.0.3)
diff-lcs (1.3) diff-lcs (1.3)
docile (1.3.2) docile (1.3.2)
dotenv (0.7.0)
em-websocket (0.5.1) em-websocket (0.5.1)
eventmachine (>= 0.12.9) eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0) http_parser.rb (~> 0.6.0)
@@ -110,8 +128,9 @@ GEM
eventmachine (1.2.7) eventmachine (1.2.7)
execjs (2.7.0) execjs (2.7.0)
ffi (1.11.1) ffi (1.11.1)
foreman (0.85.0) foreman (0.64.0)
thor (~> 0.19.1) dotenv (~> 0.7.0)
thor (>= 0.13.6)
formatador (0.2.5) formatador (0.2.5)
gherkin (5.1.0) gherkin (5.1.0)
globalid (0.4.2) globalid (0.4.2)
@@ -165,7 +184,10 @@ GEM
lumberjack (1.0.13) lumberjack (1.0.13)
mail (2.7.1) mail (2.7.1)
mini_mime (>= 0.1.1) mini_mime (>= 0.1.1)
marcel (0.3.3)
mimemagic (~> 0.3.2)
method_source (0.9.2) method_source (0.9.2)
mimemagic (0.3.3)
mini_mime (1.0.2) mini_mime (1.0.2)
mini_portile2 (2.4.0) mini_portile2 (2.4.0)
minitest (5.11.3) minitest (5.11.3)
@@ -180,7 +202,7 @@ GEM
nenv (~> 0.1) nenv (~> 0.1)
shellany (~> 0.0) shellany (~> 0.0)
parallel (1.17.0) parallel (1.17.0)
parser (2.6.4.0) parser (2.6.4.1)
ast (~> 2.4.0) ast (~> 2.4.0)
poltergeist (1.18.1) poltergeist (1.18.1)
capybara (>= 2.1, < 4) capybara (>= 2.1, < 4)
@@ -202,17 +224,20 @@ GEM
rack rack
rack-test (1.1.0) rack-test (1.1.0)
rack (>= 1.0, < 3) rack (>= 1.0, < 3)
rails (5.1.7) rails (6.0.0)
actioncable (= 5.1.7) actioncable (= 6.0.0)
actionmailer (= 5.1.7) actionmailbox (= 6.0.0)
actionpack (= 5.1.7) actionmailer (= 6.0.0)
actionview (= 5.1.7) actionpack (= 6.0.0)
activejob (= 5.1.7) actiontext (= 6.0.0)
activemodel (= 5.1.7) actionview (= 6.0.0)
activerecord (= 5.1.7) activejob (= 6.0.0)
activesupport (= 5.1.7) activemodel (= 6.0.0)
activerecord (= 6.0.0)
activestorage (= 6.0.0)
activesupport (= 6.0.0)
bundler (>= 1.3.0) bundler (>= 1.3.0)
railties (= 5.1.7) railties (= 6.0.0)
sprockets-rails (>= 2.0.0) sprockets-rails (>= 2.0.0)
rails-dom-testing (2.0.3) rails-dom-testing (2.0.3)
activesupport (>= 4.2.0) activesupport (>= 4.2.0)
@@ -220,12 +245,12 @@ GEM
rails-html-sanitizer (1.2.0) rails-html-sanitizer (1.2.0)
loofah (~> 2.2, >= 2.2.2) loofah (~> 2.2, >= 2.2.2)
rails-perftest (0.0.7) rails-perftest (0.0.7)
railties (5.1.7) railties (6.0.0)
actionpack (= 5.1.7) actionpack (= 6.0.0)
activesupport (= 5.1.7) activesupport (= 6.0.0)
method_source method_source
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.20.3, < 2.0)
rainbow (3.0.0) rainbow (3.0.0)
raindrops (0.19.0) raindrops (0.19.0)
rake (12.3.3) rake (12.3.3)
@@ -282,7 +307,7 @@ GEM
sprockets-rails sprockets-rails
tilt tilt
shellany (0.0.1) shellany (0.0.1)
simplecov (0.17.0) simplecov (0.17.1)
docile (~> 1.1) docile (~> 1.1)
json (>= 1.8, < 3) json (>= 1.8, < 3)
simplecov-html (~> 0.10.0) simplecov-html (~> 0.10.0)
@@ -300,7 +325,7 @@ GEM
therubyracer (0.12.3) therubyracer (0.12.3)
libv8 (~> 3.16.14.15) libv8 (~> 3.16.14.15)
ref ref
thor (0.19.4) thor (0.20.3)
thread_safe (0.3.6) thread_safe (0.3.6)
tilt (2.0.9) tilt (2.0.9)
travis-lint (2.0.0) travis-lint (2.0.0)
@@ -316,11 +341,12 @@ GEM
unicorn (5.5.1) unicorn (5.5.1)
kgio (~> 2.6) kgio (~> 2.6)
raindrops (~> 0.7) raindrops (~> 0.7)
websocket-driver (0.6.5) websocket-driver (0.7.1)
websocket-extensions (>= 0.1.0) websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.4) websocket-extensions (0.1.4)
xpath (3.2.0) xpath (3.2.0)
nokogiri (~> 1.8) nokogiri (~> 1.8)
zeitwerk (2.1.10)
PLATFORMS PLATFORMS
ruby ruby
@@ -350,7 +376,7 @@ DEPENDENCIES
pry-rails pry-rails
puma puma
rack-livereload rack-livereload
rails (= 5.1.7) rails (= 6.0.0)
rails-perftest rails-perftest
rake rake
rb-fsevent rb-fsevent
@@ -369,7 +395,7 @@ DEPENDENCIES
unicorn unicorn
RUBY VERSION RUBY VERSION
ruby 2.6.4p104 ruby 2.7.0p-1
BUNDLED WITH BUNDLED WITH
1.17.3 2.1.0.pre.1
+3 -3
@@ -1,6 +1,6 @@
# RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
## Support ## Support
@@ -18,7 +18,7 @@ After installing the above software, clone this repo:
$ git clone git@github.com:OWASP/railsgoat.git $ git clone git@github.com:OWASP/railsgoat.git
``` ```
**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches: **NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 6.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
```bash ```bash
$ cd railsgoat $ cd railsgoat
@@ -73,7 +73,7 @@ Note: if your container exits with an error, it may be because a server is alrea
``` ```
A server is already running. Check /myapp/tmp/pids/server.pid. A server is already running. Check /myapp/tmp/pids/server.pid.
=> Booting Thin => Booting Thin
=> Rails 5.0.1 application starting in development on => Rails 6.0.0 application starting in development on
http://0.0.0.0:3000 http://0.0.0.0:3000
=> Run `rails server -h` for more startup options => Run `rails server -h` for more startup options
=> Ctrl-C to shutdown server => Ctrl-C to shutdown server
+1 -1
@@ -34,7 +34,7 @@ class AdminController < ApplicationController
def update_user def update_user
user = User.find_by_id(params[:admin_id]) user = User.find_by_id(params[:admin_id])
if user if user
user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") }) user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
pass = params[:user][:password] pass = params[:user][:password]
user.password = pass if !(pass.blank?) user.password = pass if !(pass.blank?)
user.save! user.save!
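Review bot: The reject block on the `user.update(...)` line never filters out `password_confirmation`: `("password" || "password_confirmation")` is evaluated first and yields `"password"`, so only the `password` key is dropped and the confirmation key goes straight into mass assignment. The rename from `update_attributes` is the only change in this hunk, but the filter should read `user.update(params[:user].reject { |k, _| %w[password password_confirmation].include?(k) })`. If this action is meant as a deliberate mass-assignment lesson the permissive `params[:user]` can stay, but the `||` is still a plain logic error rather than part of the lesson. `update_user` continues past the end of the hunk.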
+1 -1
@@ -29,7 +29,7 @@ class UsersController < ApplicationController
user = User.where("id = '#{params[:user][:id]}'")[0] user = User.where("id = '#{params[:user][:id]}'")[0]
if user if user
user.update_attributes(user_params_without_password) user.update(user_params_without_password)
if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation]) if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
user.password = params[:user][:password] user.password = params[:user][:password]
end end
+2
@@ -55,5 +55,7 @@ module Railsgoat
config.assets.version = "1.0" config.assets.version = "1.0"
I18n.config.enforce_available_locales = false I18n.config.enforce_available_locales = false
config.action_dispatch.return_only_media_type_on_content_type = false
end end
end end
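Review bot: The added `config.action_dispatch.return_only_media_type_on_content_type = false` line has no comment, and it is a Rails 6.0 compatibility switch whose meaning is not recoverable from its name. As I recall it, `false` is the `load_defaults 6.0` value — `Response#content_type` then returns the full `Content-Type` header including charset and `Response#media_type` gives the bare MIME type — while `true` keeps the pre-6.0 behaviour under a deprecation warning; worth confirming against the 6.0 upgrade notes. I would add above the line `# Rails 6.0 default: Response#content_type returns the full Content-Type header; use Response#media_type for the MIME type alone.` The enclosing `Application` class opens before this hunk.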
-1
@@ -5,5 +5,4 @@
# If you change this key, all old signed cookies will become invalid! # If you change this key, all old signed cookies will become invalid!
# Make sure the secret is at least 30 characters and all random, # Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks. # no regular words or you'll be exposed to dictionary attacks.
Railsgoat::Application.config.secret_token = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4" Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
@@ -7,7 +7,7 @@ feature "sensitive data exposure" do
before do before do
UserFixture.reset_all_users UserFixture.reset_all_users
normal_user.work_info.update_attribute(:SSN, user_ssn) normal_user.work_info.update(:SSN, user_ssn)
pending unless verifying_fixed? pending unless verifying_fixed?
end end
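Review bot: `normal_user.work_info.update(:SSN, user_ssn)` in the `before` block will raise `ArgumentError`: `update` takes a single attributes hash, whereas the replaced `update_attribute(name, value)` takes two positional arguments. Only `update_attributes` was deprecated in Rails 6.0; `update_attribute` is still supported (and skips validations), so the safe change is to revert to `normal_user.work_info.update_attribute(:SSN, user_ssn)`. If `update` is really wanted it has to be `update(SSN: user_ssn)`, and the fixture will then go through validations, which may not be what this setup expects. The `feature` block continues outside the hunk.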
+1 -1
@@ -22,7 +22,7 @@ feature "sql injection" do
fill_in "user_password_confirmation", with: "hacketyhack" fill_in "user_password_confirmation", with: "hacketyhack"
# this is a hidden field, so cannot use fill_in to access it. # this is a hidden field, so cannot use fill_in to access it.
find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --" find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
end end
click_on "Submit" click_on "Submit"
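Review bot: The new payload `8' OR 1 == 1) --` depends on `==`, which is SQLite's non-standard spelling of equality; PostgreSQL (the Dockerfile installs `libpq-dev`, so it appears to be a supported backend) has no `==` operator and will reject the statement, so the injection fails there instead of matching. The portable form is `find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 = 1) --"`. Note also that dropping the `admin='t'` predicate makes the injected query match every row, so the `[0]` in `UsersController#update` now returns whichever row the database happens to return first rather than an admin — fine if the assertion further down only checks that another user was modified, but worth confirming. The `feature "sql injection"` block extends outside the hunk.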