diff --git a/.gitignore b/.gitignore index faea331..86eb146 100755 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ coverage .tags /.vagrant +/vendor/ruby diff --git a/.overcommit.yml b/.overcommit.yml new file mode 100644 index 0000000..14fa1d1 --- /dev/null +++ b/.overcommit.yml @@ -0,0 +1,34 @@ +# Use this file to configure the Overcommit hooks you wish to use. This will +# extend the default configuration defined in: +# https://github.com/brigade/overcommit/blob/master/config/default.yml +# +# At the topmost level of this YAML file is a key representing type of hook +# being run (e.g. pre-commit, commit-msg, etc.). Within each type you can +# customize each hook, such as whether to only run it on certain files (via +# `include`), whether to only display output if it fails (via `quiet`), etc. +# +# For a complete list of hooks, see: +# https://github.com/brigade/overcommit/tree/master/lib/overcommit/hook +# +# For a complete list of options that you can use to customize hooks, see: +# https://github.com/brigade/overcommit#configuration +# +# Uncomment the following lines to make the configuration take effect. + +PreCommit: + Rubocop: + enabled: true + on_warn: warn # fail # Treat all warnings as failures + + TrailingWhitespace: + enabled: true + exclude: + - '**/db/structure.sql' # Ignore trailing whitespace in generated files + + PostCheckout: + enabled: true + ALL: # Special hook name that customizes all hooks of this type + quiet: true # Change all post-checkout hooks to only display output on failure + +# IndexTags: +# enabled: true # Generate a tags file with `ctags` each time HEAD changes diff --git a/.ruby-version b/.ruby-version index c5864dc..7e541ae 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.1.5 \ No newline at end of file +2.2.2 \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 2a2a6ea..2138832 100644 --- a/.travis.yml +++ b/.travis.yml 
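Review bot: The header of the new .overcommit.yml still ends with `# Uncomment the following lines to make the configuration take effect.` although the PreCommit and PostCheckout hooks right below it are already uncommented and enabled, so the instruction is stale and misdescribes the file's state. Replace it with a line that records the actual policy, e.g. `# Hooks below are active; Rubocop findings only warn (on_warn: warn) - change to fail to block commits.` The `on_warn: warn # fail # Treat all warnings as failures` line is the one that decides whether lint findings gate a commit, as its inline comment suggests, so that is the setting worth spelling out for the next person who touches hook policy.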
@@ -1,6 +1,6 @@ language: ruby rvm: - - "2.1.5" + - "2.2.2" before_script: rake db:setup before_script: bundle exec rake db:setup env: RAILSGOAT_MAINTAINER=true \ No newline at end of file diff --git a/Gemfile b/Gemfile index e35222e..c78f5cc 100755 --- a/Gemfile +++ b/Gemfile @@ -1,9 +1,9 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '3.2.21' +gem 'rails', '4.2.2' -ruby '2.1.5' +ruby '2.2.2' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' @@ -40,6 +40,7 @@ group :development, :test, :mysql do gem 'database_cleaner' gem 'poltergeist' gem 'rspec-rails', '2.14.2' + gem 'test-unit' end group :mysql do @@ -48,15 +49,16 @@ end # Gems used only for assets and not required # in production environments by default. -group :assets do - gem 'sass-rails' - gem 'coffee-rails' - gem 'jquery-fileupload-rails' - # See https://github.com/sstephenson/execjs#readme for more supported runtimes - # gem 'therubyracer', :platforms => :ruby +gem 'sass-rails' +gem 'coffee-rails' +gem 'jquery-fileupload-rails' +gem 'uglifier' +gem 'turbolinks' # New for Rails 4.0 - gem 'uglifier' -end +# See https://github.com/sstephenson/execjs#readme for more supported runtimes +# gem 'therubyracer', :platforms => :ruby + +gem 'libv8', '3.16.14.8' # 3.16.14.9 was yanked - temp. fix. gem 'jquery-rails' @@ -88,3 +90,9 @@ gem 'therubyracer' # Add SMTP server support using MailCatcher gem 'mailcatcher' + +#For Rails 4.0 +#group :doc do +# # bundle exec rake doc:rails generates the API under doc/api. +# gem 'sdoc', require: false +#end diff --git a/Gemfile.lock b/Gemfile.lock index d2255fd..7bd6b59 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
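Review bot: `gem 'test-unit'` is added to the development/test group without a comment, and nothing in the hunk says why a new dependency is needed; presumably it is because the Ruby 2.2 pin in the same Gemfile stops shipping test-unit as a default gem while something in the 4.2 test stack still loads it, but that should be confirmed and written down. A one-line why-comment keeps it from being removed in the next cleanup: `gem 'test-unit' # Ruby 2.2 no longer ships test-unit as a default gem; still loaded by the Rails 4.2 test stack`. The enclosing `group :development, :test, :mysql do` block starts outside the hunk.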
@@ -1,58 +1,66 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (3.2.21) - actionpack (= 3.2.21) - mail (~> 2.5.4) - actionpack (3.2.21) - activemodel (= 3.2.21) - activesupport (= 3.2.21) - builder (~> 3.0.0) + actionmailer (4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + mail (~> 2.5, >= 2.5.4) + rails-dom-testing (~> 1.0, >= 1.0.5) + actionpack (4.2.2) + actionview (= 4.2.2) + activesupport (= 4.2.2) + rack (~> 1.6) + rack-test (~> 0.6.2) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + actionview (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) erubis (~> 2.7.0) - journey (~> 1.0.4) - rack (~> 1.4.5) - rack-cache (~> 1.2) - rack-test (~> 0.6.1) - sprockets (~> 2.2.1) - activemodel (3.2.21) - activesupport (= 3.2.21) - builder (~> 3.0.0) - activerecord (3.2.21) - activemodel (= 3.2.21) - activesupport (= 3.2.21) - arel (~> 3.0.2) - tzinfo (~> 0.3.29) - activeresource (3.2.21) - activemodel (= 3.2.21) - activesupport (= 3.2.21) - activesupport (3.2.21) - i18n (~> 0.6, >= 0.6.4) - multi_json (~> 1.0) - addressable (2.3.6) - arel (3.0.3) - aruba (0.5.4) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + activejob (4.2.2) + activesupport (= 4.2.2) + globalid (>= 0.3.0) + activemodel (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + activerecord (4.2.2) + activemodel (= 4.2.2) + activesupport (= 4.2.2) + arel (~> 6.0) + activesupport (4.2.2) + i18n (~> 0.7) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) + thread_safe (~> 0.3, >= 0.3.4) + tzinfo (~> 1.1) + addressable (2.3.8) + arel (6.0.0) + aruba (0.6.2) childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) - bcrypt (3.1.9) - better_errors (2.0.0) + bcrypt (3.1.10) + better_errors (2.1.1) coderay (>= 1.0.0) erubis (>= 2.6.6) rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.3) + brakeman (3.0.5) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) 
highline (~> 1.6.20) multi_json (~> 1.2) ruby2ruby (~> 2.1.1) - ruby_parser (~> 3.6.2) + ruby_parser (~> 3.7.0) sass (~> 3.0) terminal-table (~> 1.4) - builder (3.0.4) - bundler-audit (0.3.1) + builder (3.2.2) + bundler-audit (0.4.0) bundler (~> 1.2) thor (~> 0.18) capybara (2.4.4) 
@@ -61,62 +69,65 @@ GEM rack (>= 1.0.0) rack-test (>= 0.5.4) xpath (~> 2.0) - celluloid (0.16.0) - timers (~> 4.0.0) - childprocess (0.5.5) + childprocess (0.5.6) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) - coffee-rails (3.2.2) + coffee-rails (4.1.0) coffee-script (>= 2.2.0) - railties (~> 3.2.0) - coffee-script (2.3.0) + railties (>= 4.0.0, < 5.0) + coffee-script (2.4.1) coffee-script-source execjs - coffee-script-source (1.8.0) + coffee-script-source (1.9.1.1) crack (0.3.1) - cucumber (1.3.15) + cucumber (2.0.0) builder (>= 2.1.2) + cucumber-core (~> 1.1.3) diff-lcs (>= 1.1.3) gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) - multi_test (>= 0.1.1) - daemons (1.1.9) - database_cleaner (1.3.0) + multi_test (>= 0.1.2) + cucumber-core (1.1.3) + gherkin (~> 2.12.0) + daemons (1.2.3) + database_cleaner (1.4.1) debug_inspector (0.0.2) diff-lcs (1.2.5) docile (1.1.5) - dotenv (1.0.2) em-websocket (0.5.1) eventmachine (>= 0.12.9) http_parser.rb (~> 0.6.0) erubis (2.7.0) - eventmachine (1.0.4) - execjs (2.2.2) + eventmachine (1.0.5) + execjs (2.5.2) fastercsv (1.5.5) - ffi (1.9.6) - foreman (0.76.0) - dotenv (~> 1.0.2) + ffi (1.9.10) + foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) - gauntlt (1.0.10) - aruba (= 0.5.4) - cucumber (= 1.3.15) - nokogiri (= 1.6.1) - trollop (~> 2.0) + gauntlt (0.1.4) + aruba + cucumber + nokogiri + trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.10.4) + globalid (0.3.5) + activesupport (>= 4.1.0) + guard (2.12.7) formatador (>= 0.2.4) - listen (~> 2.7) + listen (>= 2.7, <= 4.0) lumberjack (~> 1.0) nenv (~> 0.1) + notiffany (~> 0.0) pry (>= 0.9.12) + shellany (~> 0.0) thor (>= 0.18.1) guard-brakeman (0.8.3) brakeman (>= 2.1.1) guard (>= 2.0.0) - guard-compat (1.2.0) + guard-compat (1.2.1) guard-livereload (2.4.0) em-websocket (~> 0.5) guard (~> 2.8) 
@@ -130,101 +141,106 @@ GEM haml (4.0.6) tilt highline (1.6.21) - hike (1.2.3) - hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.7.0) - journey (1.0.4) - jquery-fileupload-rails (0.4.1) + jquery-fileupload-rails (0.4.5) actionpack (>= 3.1) railties (>= 3.1) - jquery-rails (3.1.2) - railties (>= 3.0, < 5.0) + sass (>= 3.2) + jquery-rails (4.0.4) + rails-dom-testing (~> 1.0) + railties (>= 4.2.0) thor (>= 0.14, < 2.0) - json (1.8.1) - kgio (2.9.2) + json (1.8.3) + kgio (2.9.3) launchy (2.4.3) addressable (~> 2.3) - libv8 (3.16.14.7) - listen (2.8.4) - celluloid (>= 0.15.2) + libv8 (3.16.14.8) + listen (3.0.1) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) + loofah (2.0.2) + nokogiri (>= 1.5.9) lumberjack (1.0.9) - mail (2.5.4) - mime-types (~> 1.16) - treetop (~> 1.4.8) - mailcatcher (0.5.12) - activesupport (~> 3.0) - eventmachine (~> 1.0.0) - haml (>= 3.1, < 5) + mail (2.6.3) + mime-types (>= 1.16, < 3) + mailcatcher (0.6.1) + activesupport (>= 4.0.0, < 5) + eventmachine (~> 1.0.0, <= 1.0.5) mail (~> 2.3) sinatra (~> 1.2) skinny (~> 0.2.3) sqlite3 (~> 1.3) thin (~> 1.5.0) method_source (0.8.2) - mime-types (1.25.1) - mini_portile (0.5.3) - multi_json (1.11.0) - multi_test (0.1.1) - mysql2 (0.3.17) - nenv (0.1.1) - nokogiri (1.6.1) - mini_portile (~> 0.5.0) - poltergeist (1.5.1) + mime-types (2.6.1) + mini_portile (0.6.2) + minitest (5.7.0) + multi_json (1.11.1) + multi_test (0.1.2) + mysql2 (0.3.18) + nenv (0.2.0) + nokogiri (1.6.6.2) + mini_portile (~> 0.6.0) + notiffany (0.0.6) + nenv (~> 0.1) + shellany (~> 0.0) + poltergeist (1.6.0) capybara (~> 2.1) cliver (~> 0.3.1) multi_json (~> 1.0) websocket-driver (>= 0.2.0) - polyglot (0.3.5) powder (0.3.0) thor (>= 0.11.5) + power_assert (0.2.3) pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - pry-rails (0.3.3) + pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.4.5) - rack-cache (1.2) - rack (>= 0.4) + rack (1.6.4) rack-livereload (0.3.15) rack rack-protection (1.5.3) rack - rack-ssl (1.3.4) - rack - 
rack-test (0.6.2) + rack-test (0.6.3) rack (>= 1.0) - rails (3.2.21) - actionmailer (= 3.2.21) - actionpack (= 3.2.21) - activerecord (= 3.2.21) - activeresource (= 3.2.21) - activesupport (= 3.2.21) - bundler (~> 1.0) - railties (= 3.2.21) - railties (3.2.21) - actionpack (= 3.2.21) - activesupport (= 3.2.21) - rack-ssl (~> 1.3.2) + rails (4.2.2) + actionmailer (= 4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + activemodel (= 4.2.2) + activerecord (= 4.2.2) + activesupport (= 4.2.2) + bundler (>= 1.3.0, < 2.0) + railties (= 4.2.2) + sprockets-rails + rails-deprecated_sanitizer (1.0.3) + activesupport (>= 4.2.0.alpha) + rails-dom-testing (1.0.6) + activesupport (>= 4.2.0.beta, < 5.0) + nokogiri (~> 1.6.0) + rails-deprecated_sanitizer (>= 1.0.1) + rails-html-sanitizer (1.0.2) + loofah (~> 2.0) + railties (4.2.2) + actionpack (= 4.2.2) + activesupport (= 4.2.2) rake (>= 0.8.7) - rdoc (~> 3.4) - thor (>= 0.14.6, < 2.0) - raindrops (0.13.0) + thor (>= 0.18.1, < 2.0) + raindrops (0.14.0) rake (10.4.2) - rb-fsevent (0.9.4) + rb-fsevent (0.9.5) rb-inotify (0.9.5) ffi (>= 0.5.0) - rdoc (3.12.2) - json (~> 1.4) ref (1.0.5) rspec (2.14.1) rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - rspec-core (2.14.0) + rspec-core (2.14.8) rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.6) 
@@ -239,35 +255,41 @@ GEM ruby2ruby (2.1.4) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.6.6) + ruby_parser (3.7.0) sexp_processor (~> 4.1) - sass (3.4.14) - sass-rails (3.2.6) - railties (~> 3.2.0) - sass (>= 3.1.10) - tilt (~> 1.3) + sass (3.4.15) + sass-rails (5.0.3) + railties (>= 4.0.0, < 5.0) + sass (~> 3.1) + sprockets (>= 2.8, < 4.0) + sprockets-rails (>= 2.0, < 4.0) + tilt (~> 1.1) sexp_processor (4.6.0) - simplecov (0.9.1) + shellany (0.0.1) + simplecov (0.10.0) docile (~> 1.1.0) - multi_json (~> 1.0) - simplecov-html (~> 0.8.0) - simplecov-html (0.8.0) - sinatra (1.4.5) + json (~> 1.8) + simplecov-html (~> 0.10.0) + simplecov-html (0.10.0) + sinatra (1.4.6) rack (~> 1.4) rack-protection (~> 1.4) - tilt (~> 1.3, >= 1.3.4) + tilt (>= 1.3, < 3) skinny (0.2.3) eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (2.2.3) - hike (~> 1.2) - multi_json (~> 1.0) + sprockets (3.2.0) rack (~> 1.0) - tilt (~> 1.1, != 1.3.0) + sprockets-rails (2.3.2) + actionpack (>= 3.0) + activesupport (>= 3.0) + sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) - terminal-table (1.4.5) - therubyracer (0.12.1) + terminal-table (1.5.2) + test-unit (3.1.2) + power_assert + therubyracer (0.12.2) libv8 (~> 3.16.14.0) ref thin (1.5.1) @@ -275,26 +297,25 @@ GEM eventmachine (>= 0.12.6) rack (>= 1.0.0) thor (0.19.1) + thread_safe (0.3.5) tilt (1.4.1) - timers (4.0.1) - hitimes travis-lint (2.0.0) json - treetop (1.4.15) - polyglot - polyglot (>= 0.3.1) - trollop (2.0) - tzinfo (0.3.42) - uglifier (2.6.0) + trollop (2.1.2) + turbolinks (2.5.3) + coffee-rails + tzinfo (1.2.2) + thread_safe (~> 0.1) + uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) - unicorn (4.8.3) + unicorn (4.9.0) kgio (~> 2.6) rack raindrops (~> 0.7) - websocket-driver (0.5.1) + websocket-driver (0.5.4) websocket-extensions (>= 0.1.0) - websocket-extensions (0.1.1) + websocket-extensions (0.1.2) xpath (2.0.0) nokogiri (~> 1.3) 
@@ -322,6 +343,7 @@ DEPENDENCIES jquery-fileupload-rails jquery-rails launchy + libv8 (= 3.16.14.8) mailcatcher mysql2 poltergeist @@ -329,13 +351,18 @@ DEPENDENCIES pry pry-rails rack-livereload - rails (= 3.2.21) + rails (= 4.2.2) rb-fsevent rspec-rails (= 2.14.2) sass-rails simplecov sqlite3 + test-unit therubyracer travis-lint + turbolinks uglifier unicorn + +BUNDLED WITH + 1.10.5 diff --git a/README.md b/README.md index cd37342..f39a479 100755 --- a/README.md +++ b/README.md 
@@ -1,42 +1,49 @@ # RailsGoat [](https://travis-ci.org/OWASP/railsgoat) [](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Getting Started To begin, install the Ruby Version Manager (RVM): -``` +```bash $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 ``` After installing the package, clone this repo: -``` +```bash $ git clone git@github.com:OWASP/railsgoat.git ``` -Navigate into the directory and install the dependencies: +**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches +```bash +$ cd railsgoat +$ git checkout rails_3_2 ``` + +Navigate into the directory (already there if you followed the previous step) and install the dependencies: + +```bash $ bundle install ``` If you receive an error, make sure you have `bundler` installed: -``` +```bash $ gem install bundler ``` Initialize the database: -``` +```bash $ rake db:setup ``` Start the Thin web server: -``` +```bash $ rails server ``` diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index 902f1e8..aa51d07 100755 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js 
@@ -12,9 +12,11 @@ // //= require jquery //= require jquery_ujs +//= require turbolinks //= require wysiwyg/wysihtml5-0.3.0.js //= require jquery.min.js //= require jquery.scrollUp.js +//= require bootstrap.js //= require wysiwyg/bootstrap-wysihtml5.js //= require bootstrap-colorpicker.js //= require date-picker/date.js diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 055e9c5..62c228a 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,5 +1,5 @@ class AdminController < ApplicationController - before_filter :administrative, :if => :admin_param, :except => [:get_user] + before_action :administrative, :if => :admin_param, :except => [:get_user] skip_before_filter :has_info def dashboard diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3a58ed4..c8393dd 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,9 +1,11 @@ class ApplicationController < ActionController::Base - before_filter :authenticated, :has_info, :create_analytic, :mailer_options + before_action :authenticated, :has_info, :create_analytic, :mailer_options helper_method :current_user, :is_admin?, :sanitize_font # Our security guy keep talking about sea-surfing, cool story bro. - # protect_from_forgery + # Prevent CSRF attacks by raising an exception. + # For APIs, you may want to use :null_session instead. + #protect_from_forgery with: :exception private diff --git a/vendor/plugins/.gitkeep b/app/controllers/concerns/.keep old mode 100755 new mode 100644 similarity index 100% rename from vendor/plugins/.gitkeep rename to app/controllers/concerns/.keep diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb index 83b992c..e657297 100644 --- a/app/controllers/messages_controller.rb +++ b/app/controllers/messages_controller.rb 
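Review bot: `skip_before_filter :has_info` on the line directly after the changed one keeps the old `_filter` spelling while the line above was renamed to `before_action`, so AdminController now mixes both callback vocabularies. Rails 4.2 accepts both, but as far as I recall the `_filter` aliases are the spelling slated for deprecation, and a half-migrated file is harder to audit for callback policy; rename it in the same commit: `skip_before_action :has_info`. That skip is also the line that exempts every admin action from the `has_info` check declared in ApplicationController, so it deserves to be readable in one vocabulary alongside the `before_action` it sits next to.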
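Review bot: The new comment `# Prevent CSRF attacks by raising an exception.` describes a protection that the following line `#protect_from_forgery with: :exception` still leaves commented out, so on the Rails 4.2 side CSRF protection remains disabled exactly as it was under 3.2 while the generator-style wording now reads as if it were on. If the omission is deliberate for this training app (the README hunk in this diff describes RailsGoat as vulnerable by design), say so where the next reader will look: `# INTENTIONALLY DISABLED: CSRF protection is off so the CSRF lesson is exploitable; a real app must keep protect_from_forgery enabled.` As far as I know Rails 4.2 enforces forgery protection only when this call is present in a controller, and nothing else in the diff restores it. The ApplicationController body continues past the hunk.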
@@ -33,4 +33,10 @@ class MessagesController < ApplicationController end end end -end \ No newline at end of file + + private + + def message_params + params.require(:message).permit(:creator_id, :message, :read, :receiver_id) + end +end diff --git a/app/controllers/schedule_controller.rb b/app/controllers/schedule_controller.rb index 65caa2e..d940a9d 100644 --- a/app/controllers/schedule_controller.rb +++ b/app/controllers/schedule_controller.rb @@ -4,7 +4,7 @@ class ScheduleController < ApplicationController message = false if params[:schedule][:event_type] == "pto" - sched = Schedule.new(params[:schedule]) + sched = Schedule.new(schedule_params) sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1]) sched.user_id = current_user.user_id a = sched.date_end @@ -56,4 +56,10 @@ class ScheduleController < ApplicationController end return vals end + + private + + def schedule_params + params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type) + end end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index fdf2edc..f9172d9 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -25,7 +25,7 @@ class SessionsController < ApplicationController redirect_to path else # Removed this code, just doesn't seem specific enough! - # flash[:error] = "Either your username and password is incorrect" + # flash[:error] = "Either your username and password is incorrect" flash[:error] = e.message render "new" end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1fb5d4a..58ca211 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -7,7 +7,7 @@ class UsersController < ApplicationController end def create - user = User.new(params[:user]) + user = User.new(user_params) user.build_benefits_data if user.save session[:user_id] = user.user_id 
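Review bot: The new `message_params` permits `:creator_id` and `:read` straight from the request, which lets a client forge the sender and mark messages read on the server's behalf; this mirrors the `attr_accessible` list removed from message.rb later in this diff, so behaviour is preserved rather than introduced, but it is a mass-assignment hole that should be labelled if it is intended. No caller of `message_params` is visible in this hunk (the create action sits above line 33, outside it), so please confirm it was switched from `params[:message]`, because under Rails 4.2 handing an unpermitted `params[:message]` to `Message.new` raises `ActiveModel::ForbiddenAttributesError` unless a `protected_attributes` gem is present, and the Gemfile hunk adds none. Suggested comment above the permit: `# NOTE: :creator_id is client-controlled on purpose (sender spoofing); set it from current_user in a real app.`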
@@ -31,11 +31,12 @@ class UsersController < ApplicationController # Still an Insecure DoR vulnerability #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) - user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + user = User.where("user_id = '#{params[:user][:user_id]}'").first if user user.skip_user_id_assign = true user.skip_hash_password = true - user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k }) + user.update_attributes(user_params_without_password) if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation]) user.skip_hash_password = false user.password = params[:user][:password] @@ -50,4 +51,15 @@ class UsersController < ApplicationController redirect_to user_account_settings_path(:user_id => current_user.user_id) end end + + private + + def user_params + params.require(:user).permit! + end + + # unpermitted attributes are ignored in production + def user_params_without_password + params.require(:user).permit(:email, :admin, :first_name, :last_name) + end end diff --git a/app/models/analytics.rb b/app/models/analytics.rb index 2d9fbe5..d84e777 100644 --- a/app/models/analytics.rb +++ b/app/models/analytics.rb @@ -1,6 +1,4 @@ class Analytics < ActiveRecord::Base - attr_accessible :ip_address, :referrer, :user_agent - scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")} def self.count_by_col(col) diff --git a/app/models/benefits.rb b/app/models/benefits.rb index 144a2f4..4deae64 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -1,5 +1,4 @@ class Benefits < ActiveRecord::Base - attr_accessor :backup def self.save(file, backup=false) data_path = Rails.root.join("public", "data") 
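Review bot: `user.update_attributes(user_params_without_password)` now draws on a permit list that includes `:admin` (defined further down in this file), so any signed-in user can still promote themselves by posting `user[admin]=true` to the account-update action; the old `reject` call had the same gap, so this is preserved rather than new, but it is no longer visible at the call site. Mark it where it is consumed: `# :admin is deliberately mass-assignable here (privilege-escalation lesson)`. The replacement `User.where("user_id = '#{params[:user][:user_id]}'").first` keeps the string-interpolated SQL injection, and the newly commented-out `find(:first, ...)` line duplicates the one already commented out above it, so drop one of the two so the lesson points at a single dead line next to the live one. The update action begins before line 31, outside the hunk.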
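Review bot: `user_params` uses `params.require(:user).permit!`, which permits every key the client sends rather than the seven attributes the removed `attr_accessible` in user.rb listed, so `User.new(user_params)` in the create action now accepts any column on users and, as far as I know, raises `ActiveRecord::UnknownAttributeError` on keys that are not columns, turning a stray form field into a 500. If blanket mass assignment on sign-up is the intended lesson, an explicit list with `:admin` in it teaches the same thing without the crash: `params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)`. The comment `# unpermitted attributes are ignored in production` above `user_params_without_password` matches the default `action_on_unpermitted_parameters` behaviour as far as I know, but it says nothing about why `:admin` is in the list; I'd replace it with `# :admin is intentionally permitted (mass-assignment lesson); dev/test log unpermitted keys, production drops them silently`.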
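Review bot: The line removed from benefits.rb is `attr_accessor :backup`, an ordinary instance reader/writer, not an `attr_accessible` whitelist like the other model hunks in this diff, so it is not part of the strong-parameters migration and removing it changes the model's interface (any `benefit.backup` or `benefit.backup=` caller would now raise NoMethodError). The only `backup` usage visible is the `backup=false` parameter of the class method `self.save`, which does not go through the accessor, so the accessor may well be dead, but that should be stated in the commit message or checked with a grep rather than folded silently into the attr_accessible sweep. The `self.save` body runs past the hunk.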
diff --git a/app/models/concerns/.keep b/app/models/concerns/.keep new file mode 100644 index 0000000..e69de29 diff --git a/app/models/key_management.rb b/app/models/key_management.rb index 70adbd1..7188efa 100644 --- a/app/models/key_management.rb +++ b/app/models/key_management.rb @@ -1,5 +1,4 @@ class KeyManagement < ActiveRecord::Base - attr_accessible :iv, :user_id belongs_to :work_info belongs_to :user end diff --git a/app/models/message.rb b/app/models/message.rb index 12aaaba..7de4c26 100644 --- a/app/models/message.rb +++ b/app/models/message.rb @@ -1,6 +1,5 @@ class Message < ActiveRecord::Base belongs_to :user - attr_accessible :creator_id, :message, :read, :receiver_id validates_presence_of :creator_id, :receiver_id, :message def creator_name diff --git a/app/models/paid_time_off.rb b/app/models/paid_time_off.rb index 409d355..c398f77 100644 --- a/app/models/paid_time_off.rb +++ b/app/models/paid_time_off.rb @@ -1,5 +1,4 @@ class PaidTimeOff < ActiveRecord::Base - attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken belongs_to :user has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy diff --git a/app/models/pay.rb b/app/models/pay.rb index 2218d11..7a35563 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb @@ -1,7 +1,4 @@ class Pay < ActiveRecord::Base - # mass-assignable attributes - attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit - # Associations belongs_to :user diff --git a/app/models/performance.rb b/app/models/performance.rb index 73f25c1..5dfad88 100644 --- a/app/models/performance.rb +++ b/app/models/performance.rb @@ -1,5 +1,4 @@ class Performance < ActiveRecord::Base - attr_accessible :comments, :date_submitted, :reviewer, :score belongs_to :user def reviewer_name diff --git a/app/models/retirement.rb b/app/models/retirement.rb index 47048a0..c3c981c 100644 --- a/app/models/retirement.rb +++ b/app/models/retirement.rb 
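Review bot: Removing `attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit` from pay.rb drops the only whitelist for the direct-deposit fields, and no `permit` for Pay appears anywhere in this diff, unlike Message and Schedule which received `*_params` methods. Under Rails 4.2 without the `protected_attributes` gem (none is added in the Gemfile hunk) a controller that still does `Pay.new(params[:pay])` will raise `ActiveModel::ForbiddenAttributesError`, while one that passes a plain Hash or `.to_hash` gets no mass-assignment guard at all, so the bank-account update path needs a controller-side permit list in this commit or an explicit follow-up. The same concern applies to the work_info.rb hunk further down, which drops the whitelist for `:SSN` and `:DoB`. Until the permit list exists, leave a marker in place of the removed line: `# mass assignment is now governed by the controller's permit list, not the model - none exists for Pay yet`.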
@@ -1,4 +1,3 @@ class Retirement < ActiveRecord::Base - attr_accessible :employee_contrib, :employer_contrib, :total belongs_to :user end diff --git a/app/models/schedule.rb b/app/models/schedule.rb index fc66df7..6692c27 100644 --- a/app/models/schedule.rb +++ b/app/models/schedule.rb @@ -1,5 +1,4 @@ class Schedule < ActiveRecord::Base - attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type belongs_to :paid_time_off validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type diff --git a/app/models/user.rb b/app/models/user.rb index 21b4fd1..9aae72e 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,7 +1,6 @@ require 'encryption' class User < ActiveRecord::Base - attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation validates :password, :presence => true, :confirmation => true, :length => {:within => 6..40}, diff --git a/app/models/work_info.rb b/app/models/work_info.rb index 2816dfa..9484803 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -1,5 +1,4 @@ class WorkInfo < ActiveRecord::Base - attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked belongs_to :user has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy #before_save :encrypt_ssn diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index c4a1cb2..5baa362 100755 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -2,8 +2,8 @@
You may have mistyped the address or the page may have moved.
If you are the application owner check the logs for more information.
diff --git a/public/422.html b/public/422.html index 83660ab..fbb4b84 100755 --- a/public/422.html +++ b/public/422.html @@ -2,17 +2,48 @@Maybe you tried to change something you didn't have access to.
+If you are the application owner check the logs for more information.
diff --git a/public/500.html b/public/500.html index f3648a0..e9052d3 100755 --- a/public/500.html +++ b/public/500.html @@ -2,17 +2,48 @@If you are the application owner check the logs for more information.