From 23513cf8d28100118e1cd08cd6cc3e5210eeec0b Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 7 Sep 2014 13:00:54 -0400 Subject: [PATCH 01/60] Initial Rails 4.0.x upgrade --- Gemfile | 18 ++- Gemfile.lock | 135 +++++++++--------- app/controllers/admin_controller.rb | 2 +- app/controllers/application_controller.rb | 2 +- config/application.rb | 13 +- config/boot.rb | 4 +- config/environment.rb | 4 +- config/environments/development.rb | 6 +- config/environments/mysql.rb | 3 - config/environments/production.rb | 3 + config/environments/test.rb | 9 +- .../initializers/filter_parameter_logging.rb | 4 + config/initializers/inflections.rb | 11 +- config/initializers/secret_token.rb | 1 + config/initializers/session_store.rb | 7 +- config/locales/en.yml | 22 ++- config/routes.rb | 4 +- vendor/plugins/.gitkeep | 0 18 files changed, 125 insertions(+), 123 deletions(-) create mode 100644 config/initializers/filter_parameter_logging.rb delete mode 100755 vendor/plugins/.gitkeep diff --git a/Gemfile b/Gemfile index ee1afb3..f51d914 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,8 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '3.2.19' +gem 'rails', '4.0.9' +gem 'protected_attributes' # For Rails 4.0+ ruby '2.1.2' @@ -44,15 +45,12 @@ end # Gems used only for assets and not required # in production environments by default. -group :assets do - gem 'sass-rails' - gem 'coffee-rails' - gem 'jquery-fileupload-rails' - # See https://github.com/sstephenson/execjs#readme for more supported runtimes - # gem 'therubyracer', :platforms => :ruby - - gem 'uglifier' -end +gem 'sass-rails' +gem 'coffee-rails' +gem 'jquery-fileupload-rails' +gem 'uglifier' +# See https://github.com/sstephenson/execjs#readme for more supported runtimes +# gem 'therubyracer', :platforms => :ruby gem 'jquery-rails' diff --git a/Gemfile.lock b/Gemfile.lock index b464d0b..657e83d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
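Review bot: The `#don't upgrade` comment directly above `gem 'rails', '4.0.9'` is contradicted by the bump in the same hunk and should be rewritten, e.g. `# Pinned exactly; bump deliberately and re-run the spec suite`. The `# For Rails 4.0+` remark on the `protected_attributes` line would be more useful if it said what the gem is for, e.g. `# Keeps attr_accessible/attr_protected from Rails 3.2; remove once models move to strong parameters`. Dissolving `group :assets` is consistent with the `Bundler.require(:default, Rails.env)` change in config/application.rb later in this patch.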
@@ -1,35 +1,32 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (3.2.19) - actionpack (= 3.2.19) + actionmailer (4.0.9) + actionpack (= 4.0.9) mail (~> 2.5.4) - actionpack (3.2.19) - activemodel (= 3.2.19) - activesupport (= 3.2.19) - builder (~> 3.0.0) + actionpack (4.0.9) + activesupport (= 4.0.9) + builder (~> 3.1.0) erubis (~> 2.7.0) - journey (~> 1.0.4) - rack (~> 1.4.5) - rack-cache (~> 1.2) - rack-test (~> 0.6.1) - sprockets (~> 2.2.1) - activemodel (3.2.19) - activesupport (= 3.2.19) - builder (~> 3.0.0) - activerecord (3.2.19) - activemodel (= 3.2.19) - activesupport (= 3.2.19) - arel (~> 3.0.2) - tzinfo (~> 0.3.29) - activeresource (3.2.19) - activemodel (= 3.2.19) - activesupport (= 3.2.19) - activesupport (3.2.19) - i18n (~> 0.6, >= 0.6.4) - multi_json (~> 1.0) + rack (~> 1.5.2) + rack-test (~> 0.6.2) + activemodel (4.0.9) + activesupport (= 4.0.9) + builder (~> 3.1.0) + activerecord (4.0.9) + activemodel (= 4.0.9) + activerecord-deprecated_finders (~> 1.0.2) + activesupport (= 4.0.9) + arel (~> 4.0.0) + activerecord-deprecated_finders (1.0.3) + activesupport (4.0.9) + i18n (~> 0.6, >= 0.6.9) + minitest (~> 4.2) + multi_json (~> 1.3) + thread_safe (~> 0.1) + tzinfo (~> 0.3.37) addressable (2.3.6) - arel (3.0.3) + arel (4.0.2) aruba (0.5.4) childprocess (>= 0.3.6) cucumber (>= 1.1.1) @@ -52,7 +49,7 @@ GEM sass (~> 3.0) slim (>= 1.3.6, < 3.0) terminal-table (~> 1.4) - builder (3.0.4) + builder (3.1.4) bundler-audit (0.3.1) bundler (~> 1.2) thor (~> 0.18) @@ -68,9 +65,9 @@ GEM ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) - coffee-rails (3.2.2) + coffee-rails (4.0.1) coffee-script (>= 2.2.0) - railties (~> 3.2.0) + railties (>= 4.0.0, < 5.0) coffee-script (2.3.0) coffee-script-source execjs @@ -133,7 +130,6 @@ GEM hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.6.11) - journey (1.0.4) jquery-fileupload-rails (0.4.1) actionpack (>= 3.1) railties (>= 3.1) 
@@ -153,18 +149,20 @@ GEM mail (2.5.4) mime-types (~> 1.16) treetop (~> 1.4.8) - mailcatcher (0.5.12) - activesupport (~> 3.0) - eventmachine (~> 1.0.0) - haml (>= 3.1, < 5) - mail (~> 2.3) - sinatra (~> 1.2) - skinny (~> 0.2.3) - sqlite3 (~> 1.3) - thin (~> 1.5.0) + mailcatcher (0.2.4) + eventmachine + haml + i18n + json + mail + sinatra + skinny (>= 0.1.2) + sqlite3-ruby + thin method_source (0.8.2) mime-types (1.25.1) mini_portile (0.5.3) + minitest (4.7.5) multi_json (1.10.1) multi_test (0.1.1) mysql2 (0.3.16) @@ -178,43 +176,37 @@ GEM polyglot (0.3.5) powder (0.2.1) thor (>= 0.11.5) + protected_attributes (1.0.8) + activemodel (>= 4.0.1, < 5.0) pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - rack (1.4.5) - rack-cache (1.2) - rack (>= 0.4) + rack (1.5.2) rack-livereload (0.3.15) rack rack-protection (1.5.3) rack - rack-ssl (1.3.4) - rack rack-test (0.6.2) rack (>= 1.0) - rails (3.2.19) - actionmailer (= 3.2.19) - actionpack (= 3.2.19) - activerecord (= 3.2.19) - activeresource (= 3.2.19) - activesupport (= 3.2.19) - bundler (~> 1.0) - railties (= 3.2.19) - railties (3.2.19) - actionpack (= 3.2.19) - activesupport (= 3.2.19) - rack-ssl (~> 1.3.2) + rails (4.0.9) + actionmailer (= 4.0.9) + actionpack (= 4.0.9) + activerecord (= 4.0.9) + activesupport (= 4.0.9) + bundler (>= 1.3.0, < 2.0) + railties (= 4.0.9) + sprockets-rails (~> 2.0) + railties (4.0.9) + actionpack (= 4.0.9) + activesupport (= 4.0.9) rake (>= 0.8.7) - rdoc (~> 3.4) - thor (>= 0.14.6, < 2.0) + thor (>= 0.18.1, < 2.0) raindrops (0.13.0) rake (10.3.2) rb-fsevent (0.9.4) rb-inotify (0.9.5) ffi (>= 0.5.0) - rdoc (3.12.2) - json (~> 1.4) ref (1.0.5) rspec (2.14.1) rspec-core (~> 2.14.0) 
@@ -237,11 +229,12 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.5.0) sexp_processor (~> 4.1) - sass (3.4.3) - sass-rails (3.2.6) - railties (~> 3.2.0) - sass (>= 3.1.10) - tilt (~> 1.3) + sass (3.2.19) + sass-rails (4.0.3) + railties (>= 4.0.0, < 5.0) + sass (~> 3.2.0) + sprockets (~> 2.8, <= 2.11.0) + sprockets-rails (~> 2.0) sexp_processor (4.4.4) simplecov (0.9.0) docile (~> 1.1.0) @@ -259,12 +252,18 @@ GEM temple (~> 0.6.6) tilt (>= 1.3.3, < 2.1) slop (3.6.0) - sprockets (2.2.2) + sprockets (2.11.0) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) + sprockets-rails (2.1.4) + actionpack (>= 3.0) + activesupport (>= 3.0) + sprockets (~> 2.8) sqlite3 (1.3.9) + sqlite3-ruby (1.3.3) + sqlite3 (>= 1.3.3) temple (0.6.8) terminal-table (1.4.5) therubyracer (0.12.1) @@ -275,6 +274,7 @@ GEM eventmachine (>= 0.12.6) rack (>= 1.0.0) thor (0.19.1) + thread_safe (0.3.4) tilt (1.4.1) timers (4.0.0) hitimes @@ -323,9 +323,10 @@ DEPENDENCIES mysql2 poltergeist powder + protected_attributes pry rack-livereload - rails (= 3.2.19) + rails (= 4.0.9) rb-fsevent rspec-rails (= 2.14.2) sass-rails diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 055e9c5..62c228a 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,5 +1,5 @@ class AdminController < ApplicationController - before_filter :administrative, :if => :admin_param, :except => [:get_user] + before_action :administrative, :if => :admin_param, :except => [:get_user] skip_before_filter :has_info def dashboard diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3a58ed4..9524491 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
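Review bot: `skip_before_filter :has_info` on the line after the changed one is left on the old filter API while the line above now uses `before_action`; for consistency rename it to `skip_before_action :has_info`. Both spellings still work on 4.0, so this is a style point rather than a behavior change. The `:has_info` callback it skips is the one declared in ApplicationController's `before_action` list in the next file of this patch.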
@@ -1,5 +1,5 @@ class ApplicationController < ActionController::Base - before_filter :authenticated, :has_info, :create_analytic, :mailer_options + before_action :authenticated, :has_info, :create_analytic, :mailer_options helper_method :current_user, :is_admin?, :sanitize_font # Our security guy keep talking about sea-surfing, cool story bro. diff --git a/config/application.rb b/config/application.rb index 25ef3f4..7a2e9d3 100755 --- a/config/application.rb +++ b/config/application.rb @@ -2,12 +2,7 @@ require File.expand_path('../boot', __FILE__) require 'rails/all' -if defined?(Bundler) - # If you precompile assets before deploying to production, use this line - Bundler.require(*Rails.groups(:assets => %w(development test mysql))) - # If you want your assets lazily compiled in production, use this line - # Bundler.require(:default, :assets, Rails.env) -end +Bundler.require(:default, Rails.env) module Railsgoat class Application < Rails::Application @@ -47,12 +42,6 @@ module Railsgoat # like if you have constraints or database-specific column types # config.active_record.schema_format = :sql - # Enforce whitelist mode for mass assignment. - # This will create an empty whitelist of attributes available for mass-assignment for all models - # in your app. As such, your models will need to explicitly whitelist or blacklist accessible - # parameters by using an attr_accessible or attr_protected declaration. - config.active_record.whitelist_attributes = false - # Enable the asset pipeline config.assets.enabled = true diff --git a/config/boot.rb b/config/boot.rb index 4489e58..5e5f0c1 100755 --- a/config/boot.rb +++ b/config/boot.rb @@ -1,6 +1,4 @@ -require 'rubygems' - # Set up gems listed in the Gemfile. ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__) -require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE']) +require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE']) 
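Review bot: Removing `config.active_record.whitelist_attributes = false` in the second config/application.rb hunk only keeps the same mass-assignment default if the newly added `protected_attributes` gem honours that setting, which I believe it does; since the gem is in the Gemfile precisely to preserve attr_accessible/attr_protected semantics, leaving the value explicit with a comment (`# Intentionally permissive: models opt in with attr_accessible/attr_protected`) documents the choice instead of relying on the gem's default. The configure block continues outside the hunk.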
diff --git a/config/environment.rb b/config/environment.rb index 64c26bc..e3ae560 100755 --- a/config/environment.rb +++ b/config/environment.rb @@ -1,5 +1,5 @@ -# Load the rails application +# Load the Rails application. require File.expand_path('../application', __FILE__) -# Initialize the rails application +# Initialize the Rails application. Railsgoat::Application.initialize! diff --git a/config/environments/development.rb b/config/environments/development.rb index 1c25474..ed6116c 100755 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -22,9 +22,6 @@ Railsgoat::Application.configure do # Only use best-standards-support built into browsers config.action_dispatch.best_standards_support = :builtin - # Raise exception on mass assignment protection for Active Record models - config.active_record.mass_assignment_sanitizer = :strict - # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL) config.active_record.auto_explain_threshold_in_seconds = 0.5 @@ -50,4 +47,7 @@ Railsgoat::Application.configure do :host => 'railsgoat.dev', :ignore => [ %r{dont/modify\.html$} ] ) + + # For Rails 4.0+ + config.eager_load = false end diff --git a/config/environments/mysql.rb b/config/environments/mysql.rb index 9ff11cf..04ffd34 100755 --- a/config/environments/mysql.rb +++ b/config/environments/mysql.rb @@ -22,9 +22,6 @@ Railsgoat::Application.configure do # Only use best-standards-support built into browsers config.action_dispatch.best_standards_support = :builtin - # Raise exception on mass assignment protection for Active Record models - config.active_record.mass_assignment_sanitizer = :strict - # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL) config.active_record.auto_explain_threshold_in_seconds = 0.5 diff --git a/config/environments/production.rb b/config/environments/production.rb index 5917335..1ada3e1 100755 
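Review bot: Dropping `config.active_record.mass_assignment_sanitizer = :strict` from development.rb (and the identical hunk in mysql.rb below) downgrades protected-attribute violations in development from an exception to a log line, because the `protected_attributes` gem added in this patch still reads this setting as far as I can tell; keeping `config.active_record.mass_assignment_sanitizer = :strict` would surface mass-assignment mistakes early. Separately, the surviving context line `config.active_record.auto_explain_threshold_in_seconds = 0.5` is a 3.2-only option, and I believe Rails 4.0 raises on unknown `active_record` settings at boot, so it is worth confirming these environment files still load. The configure blocks continue outside both hunks.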
--- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -64,4 +64,7 @@ Railsgoat::Application.configure do # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL) # config.active_record.auto_explain_threshold_in_seconds = 0.5 + + # For Rails 4.0+ + config.eager_load = true end diff --git a/config/environments/test.rb b/config/environments/test.rb index 71d265d..899e600 100755 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -11,9 +11,6 @@ Railsgoat::Application.configure do config.serve_static_assets = true config.static_cache_control = "public, max-age=3600" - # Log error messages when you accidentally call methods on nil - config.whiny_nils = true - # Show full error reports and disable caching config.consider_all_requests_local = true config.action_controller.perform_caching = false @@ -29,9 +26,9 @@ Railsgoat::Application.configure do # ActionMailer::Base.deliveries array. config.action_mailer.delivery_method = :test - # Raise exception on mass assignment protection for Active Record models - config.active_record.mass_assignment_sanitizer = :strict - # Print deprecation notices to the stderr config.active_support.deprecation = :stderr + + # For Rails 4.0+ + config.eager_load = false end diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb new file mode 100644 index 0000000..4a994e1 --- /dev/null +++ b/config/initializers/filter_parameter_logging.rb @@ -0,0 +1,4 @@ +# Be sure to restart your server when you modify this file. + +# Configure sensitive parameters which will be filtered from the log file. +Rails.application.config.filter_parameters += [:password] diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb index 5d8d9be..ac033bf 100755 --- a/config/initializers/inflections.rb +++ b/config/initializers/inflections.rb 
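Review bot: `Rails.application.config.filter_parameters += [:password]` in the new filter_parameter_logging.rb covers the login form but not the other secrets this app moves through parameters; the routes.rb hunk in this same patch shows `password_resets#confirm_token` and `password_resets#reset_password`, so whichever parameter carries the reset token (its name is not visible in this patch) should be added to the array. Matching is by substring, so `:password` already covers a `password_confirmation` field, but a token parameter with a different name will be logged in clear.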
@@ -1,15 +1,16 @@ # Be sure to restart your server when you modify this file. -# Add new inflection rules using the following format -# (all these examples are active by default): -# ActiveSupport::Inflector.inflections do |inflect| +# Add new inflection rules using the following format. Inflections +# are locale specific, and you may define rules for as many different +# locales as you wish. All of these examples are active by default: +# ActiveSupport::Inflector.inflections(:en) do |inflect| # inflect.plural /^(ox)$/i, '\1en' # inflect.singular /^(ox)en/i, '\1' # inflect.irregular 'person', 'people' # inflect.uncountable %w( fish sheep ) # end -# + # These inflection rules are supported but not enabled by default: -# ActiveSupport::Inflector.inflections do |inflect| +# ActiveSupport::Inflector.inflections(:en) do |inflect| # inflect.acronym 'RESTful' # end diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb index 1d9d83c..6bae38e 100755 --- a/config/initializers/secret_token.rb +++ b/config/initializers/secret_token.rb @@ -5,3 +5,4 @@ # Make sure the secret is at least 30 characters and all random, # no regular words or you'll be exposed to dictionary attacks. Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4' +Railsgoat::Application.config.secret_key_base = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4' diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 045db16..a60be40 100755 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb 
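Review bot: `secret_key_base` is set to the same literal as `secret_token`, and both now sit in a tracked initializer, so the key that signs and encrypts sessions is readable by anyone with the repository; read it from the environment instead, e.g. `Railsgoat::Application.config.secret_key_base = ENV['SECRET_KEY_BASE']`. Reusing one value for both settings also means neither can be rotated independently. As I understand the 4.0 upgrade path, `secret_token` is only consulted to verify pre-upgrade signed cookies, so it can be removed once old sessions have expired; if the hard-coded value is intentional for this training app, a comment on the line should say so.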
@@ -1,8 +1,3 @@ # Be sure to restart your server when you modify this file. -Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false - -# Use the database for sessions instead of the cookie-based default, -# which shouldn't be used to store highly confidential information -# (create the session table with "rails generate session_migration") -# Railsgoat::Application.config.session_store :active_record_store +Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session' diff --git a/config/locales/en.yml b/config/locales/en.yml index 179c14c..0653957 100755 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1,5 +1,23 @@ -# Sample localization file for English. Add more files in this directory for other locales. -# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points. +# Files in the config/locales directory are used for internationalization +# and are automatically loaded by Rails. If you want to use locales other +# than English, add the necessary files in this directory. +# +# To use the locales, use `I18n.t`: +# +# I18n.t 'hello' +# +# In views, this is aliased to just `t`: +# +# <%= t('hello') %> +# +# To use a different locale, set it with `I18n.locale`: +# +# I18n.locale = :es +# +# This would use the information in config/locales/es.yml. +# +# To learn more, please read the Rails Internationalization guide +# available at http://guides.rubyonrails.org/i18n.html. en: hello: "Hello world" diff --git a/config/routes.rb b/config/routes.rb index 35ef733..7c1212a 100755 --- a/config/routes.rb +++ b/config/routes.rb 
@@ -3,7 +3,7 @@ Railsgoat::Application.routes.draw do get "login" => "sessions#new" get "signup" => "users#new" get "logout" => "sessions#destroy" - match "forgot_password" => "password_resets#forgot_password" + get "forgot_password" => "password_resets#forgot_password" get "password_resets" => "password_resets#confirm_token" post "password_resets" => "password_resets#reset_password" @@ -80,7 +80,7 @@ Railsgoat::Application.routes.draw do get "dashboard" get "get_user" post "delete_user" - put "update_user" + patch "update_user" get "get_all_users" get "analytics" end diff --git a/vendor/plugins/.gitkeep b/vendor/plugins/.gitkeep deleted file mode 100755 index e69de29..0000000 From 1ea0c2ddbb617daeb9e5c9e294846b9a9ea0a71b Mon Sep 17 00:00:00 2001 
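Review bot: Changing `put "update_user"` to `patch "update_user"` in the second routes.rb hunk removes the PUT route entirely, so any existing form, spec or client that still sends PUT will get a routing error; Rails 4's generated `resources` routes accept both verbs, so either keep both lines (`put "update_user"` and `patch "update_user"`) or confirm the callers were updated. The `match "forgot_password"` to `get` change in the first hunk is the right fix for 4.0 requiring a verb on `match`.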
From: Al Snow Date: Sat, 13 Sep 2014 13:44:07 -0400 Subject: [PATCH 02/60] More Rails 4.0 upgrade changes 1. Compared existing branch with empty Rails 4.0 project and made changes as needed. 2. Fix find/first warning. 3. Fix sqlite timeout issue. -- config/database.yml -- spec/vulnerabilities/insecure_dor_spec.rb --- Gemfile | 8 +++ Gemfile.lock | 3 ++ app/assets/javascripts/application.js | 2 + app/controllers/application_controller.rb | 4 +- app/controllers/concerns/.keep | 0 app/controllers/users_controller.rb | 3 +- app/models/concerns/.keep | 0 app/views/layouts/application.html.erb | 4 +- config.ru | 2 +- config/application.rb | 2 + config/boot.rb | 2 +- config/database.yml | 6 +-- config/environments/development.rb | 13 +++-- config/environments/production.rb | 66 ++++++++++++++++++----- config/environments/test.rb | 13 +++-- config/initializers/wrap_parameters.rb | 2 +- public/404.html | 54 +++++++++++++++---- public/422.html | 54 +++++++++++++++---- public/500.html | 54 +++++++++++++++---- public/robots.txt | 2 +- spec/vulnerabilities/insecure_dor_spec.rb | 4 +- test/controllers/.keep | 0 test/fixtures/.keep | 0 test/helpers/.keep | 0 test/integration/.keep | 0 test/mailers/.keep | 0 test/models/.keep | 0 test/test_helper.rb | 4 +- 28 files changed, 234 insertions(+), 68 deletions(-) create mode 100644 app/controllers/concerns/.keep create mode 100644 app/models/concerns/.keep create mode 100644 test/controllers/.keep create mode 100644 test/fixtures/.keep create mode 100644 test/helpers/.keep create mode 100644 test/integration/.keep create mode 100644 test/mailers/.keep create mode 100644 test/models/.keep diff --git a/Gemfile b/Gemfile index f51d914..b63980f 100755 --- a/Gemfile +++ b/Gemfile @@ -49,6 +49,8 @@ gem 'sass-rails' gem 'coffee-rails' gem 'jquery-fileupload-rails' gem 'uglifier' +gem 'turbolinks' # New for Rails 4.0 + # See https://github.com/sstephenson/execjs#readme for more supported runtimes # gem 'therubyracer', :platforms => :ruby 
@@ -82,3 +84,9 @@ gem 'therubyracer' # Add SMTP server support using MailCatcher gem 'mailcatcher' + +#For Rails 4.0 +#group :doc do +# # bundle exec rake doc:rails generates the API under doc/api. +# gem 'sdoc', require: false +#end diff --git a/Gemfile.lock b/Gemfile.lock index ef3263b..1adcbd3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -284,6 +284,8 @@ GEM polyglot polyglot (>= 0.3.1) trollop (2.0) + turbolinks (2.3.0) + coffee-rails tzinfo (0.3.41) uglifier (2.5.3) execjs (>= 0.3.0) @@ -334,5 +336,6 @@ DEPENDENCIES sqlite3 therubyracer travis-lint + turbolinks uglifier unicorn diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index 902f1e8..f58ec86 100755 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js @@ -12,6 +12,7 @@ // //= require jquery //= require jquery_ujs +//= require turbolinks //= require wysiwyg/wysihtml5-0.3.0.js //= require jquery.min.js //= require jquery.scrollUp.js @@ -31,6 +32,7 @@ //= require jsapi //= html5.js + function rubyCodeFormat() { diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9524491..c8393dd 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -3,7 +3,9 @@ class ApplicationController < ActionController::Base helper_method :current_user, :is_admin?, :sanitize_font # Our security guy keep talking about sea-surfing, cool story bro. - # protect_from_forgery + # Prevent CSRF attacks by raising an exception. + # For APIs, you may want to use :null_session instead. + #protect_from_forgery with: :exception private diff --git a/app/controllers/concerns/.keep b/app/controllers/concerns/.keep new file mode 100644 index 0000000..e69de29 diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1fb5d4a..d8835fb 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
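Review bot: The new comment in application_controller.rb says "Prevent CSRF attacks by raising an exception" but the line below it, `#protect_from_forgery with: :exception`, is still commented out, so the controller has no forgery protection and the comment describes something that does not happen. Either uncomment it or make the comment honest, e.g. `# CSRF protection intentionally disabled (see the sea-surfing note above); re-enable with: protect_from_forgery with: :exception`. The `<%= csrf_meta_tags %>` in the layout hunk of this same patch emits tokens that nothing currently verifies.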
@@ -31,7 +31,8 @@ class UsersController < ApplicationController # Still an Insecure DoR vulnerability #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) - user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + #user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + user = User.where("user_id == '#{params[:user][:user_id]}'").first if user user.skip_user_id_assign = true user.skip_hash_password = true diff --git a/app/models/concerns/.keep b/app/models/concerns/.keep new file mode 100644 index 0000000..e69de29 diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index 03fed5d..cd37348 100755 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -2,8 +2,8 @@ RailsGoat - <%= stylesheet_link_tag "application", :media => "all" %> - <%= javascript_include_tag "application" %> + <%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %> + <%= javascript_include_tag "application", "data-turbolinks-track" => true %> <%= csrf_meta_tags %> <% diff --git a/config.ru b/config.ru index bee68f6..5bc2a61 100755 --- a/config.ru +++ b/config.ru @@ -1,4 +1,4 @@ # This file is used by Rack-based servers to start the application. require ::File.expand_path('../config/environment', __FILE__) -run Railsgoat::Application +run Rails.application diff --git a/config/application.rb b/config/application.rb index 7a2e9d3..ce5141a 100755 --- a/config/application.rb +++ b/config/application.rb @@ -2,6 +2,8 @@ require File.expand_path('../boot', __FILE__) require 'rails/all' +# Require the gems listed in Gemfile, including any gems +# you've limited to :test, :development, or :production. Bundler.require(:default, Rails.env) module Railsgoat diff --git a/config/boot.rb b/config/boot.rb index 5e5f0c1..3596736 100755 --- a/config/boot.rb +++ b/config/boot.rb 
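Review bot: `User.where("user_id == '#{params[:user][:user_id]}'").first` interpolates a request parameter straight into SQL, so this line is an injection point in addition to the insecure direct object reference the comment names; the `==` operator is also SQLite-specific and would fail under the `mysql` environment defined in database.yml. The bind form `User.where("user_id = ?", params[:user][:user_id]).first` (or `User.where(user_id: params[:user][:user_id]).first`) keeps the lookup-by-supplied-id behaviour while removing both problems; if the injection is a deliberate lesson here, the comment should name it explicitly instead of only the DoR. The enclosing action starts and ends outside the hunk.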
@@ -1,4 +1,4 @@ # Set up gems listed in the Gemfile. ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__) -require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE']) +require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE']) diff --git a/config/database.yml b/config/database.yml index bb84441..38ed83a 100755 --- a/config/database.yml +++ b/config/database.yml @@ -7,13 +7,13 @@ development: adapter: sqlite3 database: db/development.sqlite3 pool: 5 - timeout: 5000 + timeout: 15000 mysql: adapter: mysql2 database: development_railsgoat pool: 5 - timeout: 5000 + timeout: 15000 host: localhost username: root password: @@ -25,7 +25,7 @@ test: adapter: sqlite3 database: db/test.sqlite3 pool: 5 - timeout: 5000 + timeout: 15000 production: adapter: sqlite3 diff --git a/config/environments/development.rb b/config/environments/development.rb index ed6116c..45fc75d 100755 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -9,11 +9,11 @@ Railsgoat::Application.configure do # Log error messages when you accidentally call methods on nil. config.whiny_nils = true - # Show full error reports and disable caching + # Show full error reports and disable caching. config.consider_all_requests_local = true config.action_controller.perform_caching = false - # Don't care if the mailer can't send + # Don't care if the mailer can't send. config.action_mailer.raise_delivery_errors = false # Print deprecation notices to the Rails logger @@ -32,7 +32,9 @@ Railsgoat::Application.configure do # Do not compress assets config.assets.compress = false - # Expands the lines which load the assets + # Debug mode disables concatenation and preprocessing of assets. + # This option may cause significant delays in view rendering with a large + # number of complex assets. config.assets.debug = true # ActionMailer settings for email support 
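Review bot: This boot.rb hunk reverts `File.exist?` back to `File.exists?`, which the first patch in this series had just corrected; `exists?` is the deprecated alias, so keep `require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])`. Also in this commit's development.rb hunk, `config.whiny_nils = true` survives as context although the same setting was removed from test.rb in the first patch; it is a 3.2-only option and should be removed here too.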
@@ -48,6 +50,9 @@ Railsgoat::Application.configure do :ignore => [ %r{dont/modify\.html$} ] ) - # For Rails 4.0+ + # For Rails 4.0+: Do not eager load code on boot. config.eager_load = false + + # For Rails 4.0+: Raise an error on page load if there are pending migrations + config.active_record.migration_error = :page_load end diff --git a/config/environments/production.rb b/config/environments/production.rb index 1ada3e1..69cf20b 100755 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
@@ -1,37 +1,50 @@ Railsgoat::Application.configure do # Settings specified here will take precedence over those in config/application.rb - # Code is not reloaded between requests + # Code is not reloaded between requests. config.cache_classes = true - # Full error reports are disabled and caching is turned on + # Full error reports are disabled and caching is turned on. config.consider_all_requests_local = false config.action_controller.perform_caching = true - # Disable Rails's static asset server (Apache or nginx will already do this) + # Enable Rack::Cache to put a simple HTTP cache in front of your application + # Add `rack-cache` to your Gemfile before enabling this. + # For large-scale production use, consider using a caching + # reverse proxy like nginx, varnish or squid. + # config.action_dispatch.rack_cache = true + + # Disable Rails's static asset server (Apache or nginx will already do this). config.serve_static_assets = false # Compress JavaScripts and CSS config.assets.compress = true - # Don't fallback to assets pipeline if a precompiled asset is missed - config.assets.compile = true + # Compress JavaScripts and CSS. + config.assets.js_compressor = :uglifier + # config.assets.css_compressor = :sass - # Generate digests for assets URLs + # Do not fallback to assets pipeline if a precompiled asset is missed. + config.assets.compile = true # default is false + + # Generate digests for assets URLs. config.assets.digest = true + # For Rails 4.0+: Version of your assets, change this if you want to expire all your assets. + config.assets.version = '1.0' + # Defaults to nil and saved in location specified by config.assets.prefix # config.assets.manifest = YOUR_PATH - # Specifies the header that your server uses for sending files + # Specifies the header that your server uses for sending files. 
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. # config.force_ssl = true - # See everything in the log (default is :info) - # config.log_level = :debug + # Set to :debug to see everything in the log. + config.log_level = :info # Prepend all log lines with the following tags # config.log_tags = [ :subdomain, :uuid ] 
@@ -55,16 +68,45 @@ Railsgoat::Application.configure do # config.threadsafe! # Enable locale fallbacks for I18n (makes lookups for any locale fall back to - # the I18n.default_locale when a translation can not be found) + # the I18n.default_locale when a translation can not be found). config.i18n.fallbacks = true - # Send deprecation notices to registered listeners + # Send deprecation notices to registered listeners. config.active_support.deprecation = :notify # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL) # config.active_record.auto_explain_threshold_in_seconds = 0.5 - # For Rails 4.0+ + # For Rails 4.0+: Eager load code on boot. This eager loads most of + # Rails and your application in memory, allowing both thread web + # servers and those relying on copy on write to perform better. + # Rake tasks automatically ignore this option for performance. config.eager_load = true + + # For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed. + config.log_formatter = ::Logger::Formatter.new + + # For Rails 4.0+: Disable automatic flushing of the log to improve performance. + # config.autoflush_log = false + + # Prepend all log lines with the following tags. + # config.log_tags = [ :subdomain, :uuid ] + + # Use a different logger for distributed setups. + # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new) + + # Use a different cache store in production. + # config.cache_store = :mem_cache_store + + # Enable serving of images, stylesheets, and JavaScripts from an asset server. + # config.action_controller.asset_host = "http://assets.example.com" + + # Precompile additional assets. + # application.js, application.css, and all non-JS/CSS in app/assets folder are already added. + # config.assets.precompile += %w( search.js ) + + # Ignore bad email addresses and do not raise email delivery errors. 
+ # Set this to true and configure the email server for immediate delivery to raise delivery errors. + # config.action_mailer.raise_delivery_errors = false end diff --git a/config/environments/test.rb b/config/environments/test.rb index 899e600..f63436d 100755 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -7,18 +7,18 @@ Railsgoat::Application.configure do # and recreated between test runs. Don't rely on the data there! config.cache_classes = true - # Configure static asset server for tests with Cache-Control for performance + # Configure static asset server for tests with Cache-Control for performance. config.serve_static_assets = true config.static_cache_control = "public, max-age=3600" - # Show full error reports and disable caching + # Show full error reports and disable caching. config.consider_all_requests_local = true config.action_controller.perform_caching = false - # Raise exceptions instead of rendering exception templates + # Raise exceptions instead of rendering exception templates. config.action_dispatch.show_exceptions = false - # Disable request forgery protection in test environment + # Disable request forgery protection in test environment. config.action_controller.allow_forgery_protection = false # Tell Action Mailer not to deliver emails to the real world. @@ -26,9 +26,12 @@ Railsgoat::Application.configure do # ActionMailer::Base.deliveries array. config.action_mailer.delivery_method = :test - # Print deprecation notices to the stderr + # Print deprecation notices to the stderr. config.active_support.deprecation = :stderr # For Rails 4.0+ + # Do not eager load code on boot. This avoids loading your whole application + # just for the purpose of running a single test. If you are using a tool that + # preloads Rails for running tests, you may have to set it to true. config.eager_load = false end diff --git a/config/initializers/wrap_parameters.rb b/config/initializers/wrap_parameters.rb index 999df20..6835995 100755 
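Review bot: The added block repeats `# Prepend all log lines with the following tags.` / `# config.log_tags = [ :subdomain, :uuid ]`, which is already present earlier in this same file (it is visible at the end of the previous hunk), so one copy should be removed to avoid two places that disagree later. The rest of the additions are commented-out Rails 4.0 template options and `config.log_formatter = ::Logger::Formatter.new`, which look fine.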
--- a/config/initializers/wrap_parameters.rb +++ b/config/initializers/wrap_parameters.rb @@ -5,7 +5,7 @@ # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array. ActiveSupport.on_load(:action_controller) do - wrap_parameters format: [:json] + wrap_parameters format: [:json] if respond_to?(:wrap_parameters) end # Disable root element in JSON by default. diff --git a/public/404.html b/public/404.html index 9a48320..a0daa0c 100755 --- a/public/404.html +++ b/public/404.html @@ -2,17 +2,48 @@ The page you were looking for doesn't exist (404) - @@ -22,5 +53,6 @@
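Review bot: `wrap_parameters format: [:json] if respond_to?(:wrap_parameters)` silently skips parameter wrapping when the guard is false, and nothing explains when that can happen; inside `ActiveSupport.on_load(:action_controller)` the receiver is ActionController::Base, which has had `wrap_parameters` since Rails 3.1, so the guard presumably never triggers in either Rails version this upgrade spans. If it is meant to protect some other load-order case, a comment such as `# guard for controllers that do not include ParamsWrapper — confirm this is still needed` would record that; otherwise the unguarded original line is clearer.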

The page you were looking for doesn't exist.

You may have mistyped the address or the page may have moved.

+

If you are the application owner check the logs for more information.

diff --git a/public/422.html b/public/422.html index 83660ab..fbb4b84 100755 --- a/public/422.html +++ b/public/422.html @@ -2,17 +2,48 @@ The change you wanted was rejected (422) - @@ -22,5 +53,6 @@

The change you wanted was rejected.

Maybe you tried to change something you didn't have access to.

+

If you are the application owner check the logs for more information.

diff --git a/public/500.html b/public/500.html index f3648a0..e9052d3 100755 --- a/public/500.html +++ b/public/500.html @@ -2,17 +2,48 @@ We're sorry, but something went wrong (500) - @@ -21,5 +52,6 @@

We're sorry, but something went wrong.

+

If you are the application owner check the logs for more information.

diff --git a/public/robots.txt b/public/robots.txt index 085187f..1a3a5e4 100755 --- a/public/robots.txt +++ b/public/robots.txt @@ -1,5 +1,5 @@ # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file # # To ban all spiders from the entire site uncomment the next two lines: -# User-Agent: * +# User-agent: * # Disallow: / diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb index c53cd9c..fa8b2ed 100644 --- a/spec/vulnerabilities/insecure_dor_spec.rb +++ b/spec/vulnerabilities/insecure_dor_spec.rb @@ -16,7 +16,7 @@ feature 'insecure direct object reference' do pending(:if => verifying_fixed?) { page.status_code.should == 200 page.response_headers['Content-Disposition'].should include('database.yml') - page.response_headers['Content-Length'].should == '709' + page.response_headers['Content-Length'].should == '712' } end @@ -28,4 +28,4 @@ feature 'insecure direct object reference' do pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' } end -end \ No newline at end of file +end diff --git a/test/controllers/.keep b/test/controllers/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/fixtures/.keep b/test/fixtures/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/helpers/.keep b/test/helpers/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/integration/.keep b/test/integration/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/mailers/.keep b/test/mailers/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/models/.keep b/test/models/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/test_helper.rb b/test/test_helper.rb index b757019..9f44476 100755 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -1,4 +1,4 @@ -ENV["RAILS_ENV"] = "test" +ENV["RAILS_ENV"] ||= "test" # To use simplecov, do this: COVERAGE=true rake require 'simplecov' 
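Review bot: `page.response_headers['Content-Length'].should == '712'` pins the spec to the exact byte size of config/database.yml, so any edit to that file breaks the test without the behaviour under test changing — the same `@@ -16,7 +16,7 @@` hunk in the two later insecure_dor_spec.rb patches on this page bumps it to '713' and back to '709' purely because database.yml timeouts were edited. Assert on something that actually shows the file was served, e.g. `page.body.should include('adapter:')`, or derive the expected size at run time with `File.size(Rails.root.join('config', 'database.yml')).to_s` instead of a literal.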
@@ -8,6 +8,8 @@ require File.expand_path('../../config/environment', __FILE__) require 'rails/test_help' class ActiveSupport::TestCase + # Maybe for Rails 4.0: ActiveRecord::Migration.check_pending! + # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order. # # Note: You'll currently still have to declare fixtures explicitly in integration tests From 1d3540dbb2b5c11698db8992c1488132388daade Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 13 Sep 2014 14:09:46 -0400 Subject: [PATCH 03/60] Upgraded Rails to 4.0.10 --- Gemfile | 2 +- Gemfile.lock | 55 ++++++++++++++++++++++++---------------------------- 2 files changed, 26 insertions(+), 31 deletions(-) diff --git a/Gemfile b/Gemfile index b63980f..65603bd 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '4.0.9' +gem 'rails', '4.0.10' gem 'protected_attributes' # For Rails 4.0+ ruby '2.1.2' diff --git a/Gemfile.lock b/Gemfile.lock index 1adcbd3..ff6594b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,25 +1,25 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.0.9) - actionpack (= 4.0.9) - mail (~> 2.5.4) - actionpack (4.0.9) - activesupport (= 4.0.9) + actionmailer (4.0.10) + actionpack (= 4.0.10) + mail (~> 2.5, >= 2.5.4) + actionpack (4.0.10) + activesupport (= 4.0.10) builder (~> 3.1.0) erubis (~> 2.7.0) rack (~> 1.5.2) rack-test (~> 0.6.2) - activemodel (4.0.9) - activesupport (= 4.0.9) + activemodel (4.0.10) + activesupport (= 4.0.10) builder (~> 3.1.0) - activerecord (4.0.9) - activemodel (= 4.0.9) + activerecord (4.0.10) + activemodel (= 4.0.10) activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.9) + activesupport (= 4.0.10) arel (~> 4.0.0) activerecord-deprecated_finders (1.0.3) - activesupport (4.0.9) + activesupport (4.0.10) i18n (~> 0.6, >= 0.6.9) minitest (~> 4.2) multi_json (~> 1.3) 
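Review bot: `# Maybe for Rails 4.0: ActiveRecord::Migration.check_pending!` leaves a decision as a comment inside `ActiveSupport::TestCase` with no owner or reason. The Rails 4.0 generated test_helper.rb calls `ActiveRecord::Migration.check_pending!` there so that unapplied migrations fail the suite up front instead of surfacing as unrelated schema errors; either enable the call on this Rails 4.0 branch or rewrite the line as `# TODO: enable ActiveRecord::Migration.check_pending! once the 3.2 branch is retired` so the deferral is traceable.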
@@ -140,15 +140,14 @@ GEM kgio (2.9.2) launchy (2.4.2) addressable (~> 2.3) - libv8 (3.16.14.5) + libv8 (3.16.14.7) listen (2.7.9) celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.9) - mail (2.5.4) - mime-types (~> 1.16) - treetop (~> 1.4.8) + mail (2.6.1) + mime-types (>= 1.16, < 3) mailcatcher (0.2.4) eventmachine haml @@ -160,7 +159,7 @@ GEM sqlite3-ruby thin method_source (0.8.2) - mime-types (1.25.1) + mime-types (2.3) mini_portile (0.5.3) minitest (4.7.5) multi_json (1.10.1) @@ -173,7 +172,6 @@ GEM cliver (~> 0.3.1) multi_json (~> 1.0) websocket-driver (>= 0.2.0) - polyglot (0.3.5) powder (0.2.1) thor (>= 0.11.5) protected_attributes (1.0.8) @@ -189,17 +187,17 @@ GEM rack rack-test (0.6.2) rack (>= 1.0) - rails (4.0.9) - actionmailer (= 4.0.9) - actionpack (= 4.0.9) - activerecord (= 4.0.9) - activesupport (= 4.0.9) + rails (4.0.10) + actionmailer (= 4.0.10) + actionpack (= 4.0.10) + activerecord (= 4.0.10) + activesupport (= 4.0.10) bundler (>= 1.3.0, < 2.0) - railties (= 4.0.9) + railties (= 4.0.10) sprockets-rails (~> 2.0) - railties (4.0.9) - actionpack (= 4.0.9) - activesupport (= 4.0.9) + railties (4.0.10) + actionpack (= 4.0.10) + activesupport (= 4.0.10) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.13.0) @@ -280,9 +278,6 @@ GEM hitimes travis-lint (2.0.0) json - treetop (1.4.15) - polyglot - polyglot (>= 0.3.1) trollop (2.0) turbolinks (2.3.0) coffee-rails @@ -328,7 +323,7 @@ DEPENDENCIES protected_attributes pry rack-livereload - rails (= 4.0.9) + rails (= 4.0.10) rb-fsevent rspec-rails (= 2.14.2) sass-rails From d6a6864f739ca278023a87680daad2ed5a3aa45d Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 17 Sep 2014 14:11:01 -0400 Subject: [PATCH 04/60] Undid my find/first fix --- app/controllers/users_controller.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index d8835fb..1fb5d4a 100755 
--- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -31,8 +31,7 @@ class UsersController < ApplicationController # Still an Insecure DoR vulnerability #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) - #user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") - user = User.where("user_id == '#{params[:user][:user_id]}'").first + user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") if user user.skip_user_id_assign = true user.skip_hash_password = true From 74d047507a6fd78f327a6fa5c1583c603adab502 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 19 Sep 2014 11:12:32 -0400 Subject: [PATCH 05/60] Changed timeout to 25000 for all envs --- config/database.yml | 8 ++++---- spec/vulnerabilities/insecure_dor_spec.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/database.yml b/config/database.yml index 38ed83a..4c8bca9 100755 --- a/config/database.yml +++ b/config/database.yml @@ -7,13 +7,13 @@ development: adapter: sqlite3 database: db/development.sqlite3 pool: 5 - timeout: 15000 + timeout: 25000 mysql: adapter: mysql2 database: development_railsgoat pool: 5 - timeout: 15000 + timeout: 25000 host: localhost username: root password: @@ -25,10 +25,10 @@ test: adapter: sqlite3 database: db/test.sqlite3 pool: 5 - timeout: 15000 + timeout: 25000 production: adapter: sqlite3 database: db/production.sqlite3 pool: 5 - timeout: 5000 + timeout: 25000 diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb index fa8b2ed..c533354 100644 --- a/spec/vulnerabilities/insecure_dor_spec.rb +++ b/spec/vulnerabilities/insecure_dor_spec.rb 
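Review bot: `user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")` builds the WHERE clause by interpolating request input into a SQL string, so the line is a SQL injection sink in addition to the insecure direct object reference the comment above it names; `find(:first, ...)` is also the pre-Rails-4 finder API that only keeps working here through activerecord-deprecated_finders. If the interpolation is a deliberate part of this training application, the comment should say so explicitly, e.g. `# Intentionally vulnerable: insecure DoR and SQL injection via string interpolation`; otherwise `user = User.where(:user_id => params[:user][:user_id]).first` keeps the lookup parameterised. The later patch "Fixed find/first dep warning #158" rewrites the same line as `User.where("user_id = '#{params[:user][:user_id]}'").first`, which removes the deprecation but keeps the interpolation, so the same comment applies there. The enclosing action starts before and ends after this hunk.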
@@ -16,7 +16,7 @@ feature 'insecure direct object reference' do pending(:if => verifying_fixed?) { page.status_code.should == 200 page.response_headers['Content-Disposition'].should include('database.yml') - page.response_headers['Content-Length'].should == '712' + page.response_headers['Content-Length'].should == '713' } end From 0957033457eda73bfad2086307fa36483e13aeef Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 19 Sep 2014 19:00:40 -0400 Subject: [PATCH 06/60] Upgraded to Ruby 2.1.3; Changed timeout value --- .ruby-version | 2 +- .travis.yml | 2 +- Gemfile | 2 +- config/database.yml | 8 ++++---- spec/vulnerabilities/insecure_dor_spec.rb | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.ruby-version b/.ruby-version index 8f9174b..abae0d9 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.1.2 \ No newline at end of file +2.1.3 \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 0d20e2c..c7585c0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ language: ruby rvm: - - "2.1.2" + - "2.1.3" before_script: rake db:setup before_script: bundle exec rake db:setup env: RAILSGOAT_MAINTAINER=true \ No newline at end of file diff --git a/Gemfile b/Gemfile index 65603bd..b29cfe1 100755 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,7 @@ source 'https://rubygems.org' gem 'rails', '4.0.10' gem 'protected_attributes' # For Rails 4.0+ -ruby '2.1.2' +ruby '2.1.3' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' diff --git a/config/database.yml b/config/database.yml index 4c8bca9..bb84441 100755 --- a/config/database.yml +++ b/config/database.yml @@ -7,13 +7,13 @@ development: adapter: sqlite3 database: db/development.sqlite3 pool: 5 - timeout: 25000 + timeout: 5000 mysql: adapter: mysql2 database: development_railsgoat pool: 5 - timeout: 25000 + timeout: 5000 host: localhost username: root password: 
@@ -25,10 +25,10 @@ test: adapter: sqlite3 database: db/test.sqlite3 pool: 5 - timeout: 25000 + timeout: 5000 production: adapter: sqlite3 database: db/production.sqlite3 pool: 5 - timeout: 25000 + timeout: 5000 diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb index c533354..7e198d8 100644 --- a/spec/vulnerabilities/insecure_dor_spec.rb +++ b/spec/vulnerabilities/insecure_dor_spec.rb @@ -16,7 +16,7 @@ feature 'insecure direct object reference' do pending(:if => verifying_fixed?) { page.status_code.should == 200 page.response_headers['Content-Disposition'].should include('database.yml') - page.response_headers['Content-Length'].should == '713' + page.response_headers['Content-Length'].should == '709' } end From 789ccff34915d0c78f00ae089dd1cdfe7ba52419 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 10 Oct 2014 15:38:00 -0400 Subject: [PATCH 07/60] Upgraded 2 gems by rebuilding Gemfile.lock file; Fixed find/first dep warning #158 --- Gemfile.lock | 4 ++-- app/controllers/users_controller.rb | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 88b18b5..ee14cd7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -93,7 +93,7 @@ GEM eventmachine (1.0.3) execjs (2.2.1) fastercsv (1.5.5) - ffi (1.9.5) + ffi (1.9.6) foreman (0.75.0) dotenv (~> 0.11.1) thor (~> 0.19.1) @@ -159,7 +159,7 @@ GEM sqlite3-ruby thin method_source (0.8.2) - mime-types (2.3) + mime-types (2.4.1) mini_portile (0.5.3) minitest (4.7.5) multi_json (1.10.1) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1fb5d4a..10f31f4 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
@@ -31,7 +31,8 @@ class UsersController < ApplicationController # Still an Insecure DoR vulnerability #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) - user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + user = User.where("user_id = '#{params[:user][:user_id]}'").first if user user.skip_user_id_assign = true user.skip_hash_password = true From ea8e9901f45dfa5fc5d6308ac7ffd0dc5a9996da Mon Sep 17 00:00:00 2001 From: Fred Nixon Date: Fri, 5 Dec 2014 15:04:01 -0500 Subject: [PATCH 08/60] On branch strong-params Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded. I'll pull to catch up after this commit Change code to whitelist params Remove attr_accessible lines Add strong_params to Gemfile, since this branch is still on Rails 3 Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection Use an initializer for the mixin --- .gitignore | 1 + Gemfile | 5 +- Gemfile.lock | 190 ++++------------------- app/controllers/messages_controller.rb | 8 +- app/controllers/schedule_controller.rb | 8 +- app/controllers/users_controller.rb | 15 +- app/models/analytics.rb | 2 - app/models/benefits.rb | 1 - app/models/key_management.rb | 1 - app/models/message.rb | 1 - app/models/paid_time_off.rb | 1 - app/models/pay.rb | 3 - app/models/performance.rb | 1 - app/models/retirement.rb | 1 - app/models/schedule.rb | 1 - app/models/user.rb | 1 - app/models/work_info.rb | 1 - config/initializers/strong_parameters.rb | 1 + db/schema.rb | 2 +- 19 files changed, 65 insertions(+), 179 deletions(-) create mode 100644 config/initializers/strong_parameters.rb diff --git a/.gitignore b/.gitignore index faea331..86eb146 100755 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ coverage .tags /.vagrant +/vendor/ruby diff --git a/Gemfile b/Gemfile index 1217dcc..5799cac 100755 --- a/Gemfile +++ b/Gemfile 
@@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '3.2.20' +gem 'rails', '3.2.21' ruby '2.1.5' @@ -56,6 +56,9 @@ end gem 'jquery-rails' +## strong parameters in Rails 3 (see rails gem above) +gem 'strong_parameters' + # To use ActiveModel has_secure_password gem 'bcrypt' diff --git a/Gemfile.lock b/Gemfile.lock index 157a053..d03caba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,12 +1,12 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (3.2.20) - actionpack (= 3.2.20) + actionmailer (3.2.21) + actionpack (= 3.2.21) mail (~> 2.5.4) - actionpack (3.2.20) - activemodel (= 3.2.20) - activesupport (= 3.2.20) + actionpack (3.2.21) + activemodel (= 3.2.21) + activesupport (= 3.2.21) builder (~> 3.0.0) erubis (~> 2.7.0) journey (~> 1.0.4) @@ -14,18 +14,18 @@ GEM rack-cache (~> 1.2) rack-test (~> 0.6.1) sprockets (~> 2.2.1) - activemodel (3.2.20) - activesupport (= 3.2.20) + activemodel (3.2.21) + activesupport (= 3.2.21) builder (~> 3.0.0) - activerecord (3.2.20) - activemodel (= 3.2.20) - activesupport (= 3.2.20) + activerecord (3.2.21) + activemodel (= 3.2.21) + activesupport (= 3.2.21) arel (~> 3.0.2) tzinfo (~> 0.3.29) - activeresource (3.2.20) - activemodel (= 3.2.20) - activesupport (= 3.2.20) - activesupport (3.2.20) + activeresource (3.2.21) + activemodel (= 3.2.21) + activesupport (= 3.2.21) + activesupport (3.2.21) i18n (~> 0.6, >= 0.6.4) multi_json (~> 1.0) addressable (2.3.6) 
@@ -193,17 +193,17 @@ GEM rack rack-test (0.6.2) rack (>= 1.0) - rails (3.2.20) - actionmailer (= 3.2.20) - actionpack (= 3.2.20) - activerecord (= 3.2.20) - activeresource (= 3.2.20) - activesupport (= 3.2.20) + rails (3.2.21) + actionmailer (= 3.2.21) + actionpack (= 3.2.21) + activerecord (= 3.2.21) + activeresource (= 3.2.21) + activesupport (= 3.2.21) bundler (~> 1.0) - railties (= 3.2.20) - railties (3.2.20) - actionpack (= 3.2.20) - activesupport (= 3.2.20) + railties (= 3.2.21) + railties (3.2.21) + actionpack (= 3.2.21) + activesupport (= 3.2.21) rack-ssl (~> 1.3.2) rake (>= 0.8.7) rdoc (~> 3.4) @@ -265,6 +265,11 @@ GEM rack (~> 1.0) tilt (~> 1.1, != 1.3.0) sqlite3 (1.3.10) + strong_parameters (0.2.3) + actionpack (~> 3.0) + activemodel (~> 3.0) + activesupport (~> 3.0) + railties (~> 3.0) temple (0.6.10) terminal-table (1.4.5) therubyracer (0.12.1) 
@@ -282,140 +287,6 @@ GEM json treetop (1.4.15) polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - 
polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) - polyglot (>= 0.3.1) polyglot (>= 0.3.1) trollop (2.0) tzinfo (0.3.42) @@ -459,12 +330,13 @@ DEPENDENCIES powder pry rack-livereload - rails (= 3.2.20) + rails (= 3.2.21) rb-fsevent rspec-rails (= 2.14.2) sass-rails simplecov sqlite3 + strong_parameters therubyracer travis-lint uglifier diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb index 83b992c..e657297 100644 --- a/app/controllers/messages_controller.rb +++ b/app/controllers/messages_controller.rb @@ -33,4 +33,10 @@ class MessagesController < ApplicationController end end end -end \ No newline at end of file + + private + + def message_params + params.require(:message).permit(:creator_id, :message, :read, :receiver_id) + end +end diff --git a/app/controllers/schedule_controller.rb b/app/controllers/schedule_controller.rb index 65caa2e..d940a9d 100644 --- a/app/controllers/schedule_controller.rb +++ b/app/controllers/schedule_controller.rb 
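Review bot: `message_params` is added as a private method but nothing in this diff calls it — the diffstat for app/controllers/messages_controller.rb shows only these additions plus the trailing-newline fix — so the create path presumably still passes `params[:message]` straight to the model, which will raise ActiveModel::ForbiddenAttributesError once the `ForbiddenAttributesProtection` mixin described in the commit message is active. The permit list also carries over `:creator_id` and `:read` from the removed `attr_accessible` in app/models/message.rb, which lets the request body choose the sender identity and read state; the usual fix is to assign `creator_id` from `current_user` in the action and narrow the list to `params.require(:message).permit(:message, :receiver_id)`. If the wider list is intentional for this training app, a comment saying so next to the `permit` call would stop a future cleanup from silently changing the lesson.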
@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController message = false if params[:schedule][:event_type] == "pto" - sched = Schedule.new(params[:schedule]) + sched = Schedule.new(schedule_params) sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1]) sched.user_id = current_user.user_id a = sched.date_end @@ -56,4 +56,10 @@ class ScheduleController < ApplicationController end return vals end + + private + + def schedule_params + params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type) + end end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1fb5d4a..8db2dc0 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -7,7 +7,7 @@ class UsersController < ApplicationController end def create - user = User.new(params[:user]) + user = User.new(user_params) user.build_benefits_data if user.save session[:user_id] = user.user_id @@ -35,7 +35,7 @@ class UsersController < ApplicationController if user user.skip_user_id_assign = true user.skip_hash_password = true - user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k }) + user.update_attributes(user_params_without_password) if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation]) user.skip_hash_password = false user.password = params[:user][:password] @@ -50,4 +50,15 @@ class UsersController < ApplicationController redirect_to user_account_settings_path(:user_id => current_user.user_id) end end + + private + + def user_params + params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation) + end + + # unpermitted attributes are ignored in production + def user_params_without_password + params.require(:user).permit(:email, :admin, :first_name, :last_name) + end end 
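Review bot: `user_params` and `user_params_without_password` both permit `:admin`, so a signup or profile-update request body can set the admin flag — the same mass-assignment exposure the removed `attr_accessible` in app/models/user.rb had, now written out in the controller. If RailsGoat keeps this as a lesson, say so in a comment beside the `permit` calls; otherwise drop `:admin` (and `:user_id`, which the `skip_user_id_assign` flag in `update` suggests is server-assigned) from both lists and set privileged attributes only in code that has checked the caller's role. The comment `# unpermitted attributes are ignored in production` is also only half the story: with strong_parameters the default `action_on_unpermitted_parameters` is `:log` in development and test and a project can set it to `:raise`, so `# keys outside permit are dropped; logged or raised depending on action_on_unpermitted_parameters` would be more accurate.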
diff --git a/app/models/analytics.rb b/app/models/analytics.rb index 2d9fbe5..d84e777 100644 --- a/app/models/analytics.rb +++ b/app/models/analytics.rb @@ -1,6 +1,4 @@ class Analytics < ActiveRecord::Base - attr_accessible :ip_address, :referrer, :user_agent - scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")} def self.count_by_col(col) diff --git a/app/models/benefits.rb b/app/models/benefits.rb index 144a2f4..4deae64 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -1,5 +1,4 @@ class Benefits < ActiveRecord::Base - attr_accessor :backup def self.save(file, backup=false) data_path = Rails.root.join("public", "data") diff --git a/app/models/key_management.rb b/app/models/key_management.rb index 70adbd1..7188efa 100644 --- a/app/models/key_management.rb +++ b/app/models/key_management.rb @@ -1,5 +1,4 @@ class KeyManagement < ActiveRecord::Base - attr_accessible :iv, :user_id belongs_to :work_info belongs_to :user end diff --git a/app/models/message.rb b/app/models/message.rb index 12aaaba..7de4c26 100644 --- a/app/models/message.rb +++ b/app/models/message.rb @@ -1,6 +1,5 @@ class Message < ActiveRecord::Base belongs_to :user - attr_accessible :creator_id, :message, :read, :receiver_id validates_presence_of :creator_id, :receiver_id, :message def creator_name diff --git a/app/models/paid_time_off.rb b/app/models/paid_time_off.rb index 409d355..c398f77 100644 --- a/app/models/paid_time_off.rb +++ b/app/models/paid_time_off.rb @@ -1,5 +1,4 @@ class PaidTimeOff < ActiveRecord::Base - attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken belongs_to :user has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy diff --git a/app/models/pay.rb b/app/models/pay.rb index 2218d11..7a35563 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb 
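Review bot: The app/models/benefits.rb hunk removes `attr_accessor :backup`, which is a plain Ruby reader/writer pair and not the mass-assignment `attr_accessible` this commit is stripping from the other models; unlike those lines it is not replaced by a `permit` list anywhere, so any caller that reads or sets `backup` on a Benefits record will now raise NoMethodError. The `backup=false` parameter on `self.save` immediately below suggests the concept is still in use, so unless a search of the code base shows `backup` is never called, keep `attr_accessor :backup` in the class.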
@@ -1,7 +1,4 @@ class Pay < ActiveRecord::Base - # mass-assignable attributes - attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit - # Associations belongs_to :user diff --git a/app/models/performance.rb b/app/models/performance.rb index 73f25c1..5dfad88 100644 --- a/app/models/performance.rb +++ b/app/models/performance.rb @@ -1,5 +1,4 @@ class Performance < ActiveRecord::Base - attr_accessible :comments, :date_submitted, :reviewer, :score belongs_to :user def reviewer_name diff --git a/app/models/retirement.rb b/app/models/retirement.rb index 47048a0..c3c981c 100644 --- a/app/models/retirement.rb +++ b/app/models/retirement.rb @@ -1,4 +1,3 @@ class Retirement < ActiveRecord::Base - attr_accessible :employee_contrib, :employer_contrib, :total belongs_to :user end diff --git a/app/models/schedule.rb b/app/models/schedule.rb index fc66df7..6692c27 100644 --- a/app/models/schedule.rb +++ b/app/models/schedule.rb @@ -1,5 +1,4 @@ class Schedule < ActiveRecord::Base - attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type belongs_to :paid_time_off validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type diff --git a/app/models/user.rb b/app/models/user.rb index 9c5cc7f..263b56d 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,7 +1,6 @@ require 'encryption' class User < ActiveRecord::Base - attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation validates :password, :presence => true, :confirmation => true, :length => {:within => 6..40}, diff --git a/app/models/work_info.rb b/app/models/work_info.rb index 2816dfa..9484803 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -1,5 +1,4 @@ class WorkInfo < ActiveRecord::Base - attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked belongs_to :user has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy #before_save :encrypt_ssn 
diff --git a/config/initializers/strong_parameters.rb b/config/initializers/strong_parameters.rb new file mode 100644 index 0000000..394c1f5 --- /dev/null +++ b/config/initializers/strong_parameters.rb @@ -0,0 +1 @@ +ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection) diff --git a/db/schema.rb b/db/schema.rb index 705f2a3..a51d0db 100755 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20140804171756) do +ActiveRecord::Schema.define(:version => 20140408185601) do create_table "analytics", :force => true do |t| t.string "ip_address" From 47ba36504f0057f00cdff3fd44aea51a96e1f35c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 23 Dec 2014 13:56:33 -0500 Subject: [PATCH 09/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5516b7c..06e1b20 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,7 +35,7 @@ GEM cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) bcrypt (3.1.9) - better_errors (2.0.0) + better_errors (2.1.0) coderay (>= 1.0.0) erubis (>= 2.6.6) rack (>= 0.9.0) @@ -106,7 +106,7 @@ GEM trollop (~> 2.0) gherkin (2.12.2) multi_json (~> 1.3) - guard (2.10.4) + guard (2.10.5) formatador (>= 0.2.4) listen (~> 2.7) lumberjack (~> 1.0) From 1afe646627f980d4cb5b96d253ac456db0f51ec5 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 28 Dec 2014 17:30:16 -0500 Subject: [PATCH 10/60] Upgraded rails to 4.0.12 --- Gemfile | 2 +- Gemfile.lock | 40 ++++++++++++++++++++-------------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/Gemfile b/Gemfile index 92e07c0..9b3796e 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '4.0.10' +gem 'rails', '4.0.12' ruby '2.1.5' 
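Review bot: The one-line initializer includes `ActiveModel::ForbiddenAttributesProtection` into `ActiveRecord::Base`, which Rails 4.0 already does on its own, so the line is redundant unless the `protected_attributes` gem added earlier in this series removes that default — and that gem has no remaining purpose once every model's `attr_accessible` line is deleted in the same commit. Either the initializer or the gem should go, with a one-line comment on whichever stays, e.g. `# Strong parameters are enforced at the model layer; protected_attributes is not used.` With model-level whitelists gone, every controller that passes `params[...]` into a model now depends on a `permit` list; only the schedule and users controllers get one in this patch, and the remaining controllers are not in the diff, so they are worth checking.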
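Review bot: `ActiveRecord::Schema.define(:version => ...)` moves backward from 20140804171756 to 20140408185601, which indicates schema.rb was dumped from a database that had not run the later migration. Committed as is, `db:schema:load` produces a fresh database without whatever 20140804171756 adds, and `db:migrate` on such a database will try to run it again. The dump should be regenerated after migrating to head, or the version line left at 20140804171756.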
diff --git a/Gemfile.lock b/Gemfile.lock index b7d279e..2737757 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,25 +1,25 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.0.10) - actionpack (= 4.0.10) + actionmailer (4.0.12) + actionpack (= 4.0.12) mail (~> 2.5, >= 2.5.4) - actionpack (4.0.10) - activesupport (= 4.0.10) + actionpack (4.0.12) + activesupport (= 4.0.12) builder (~> 3.1.0) erubis (~> 2.7.0) rack (~> 1.5.2) rack-test (~> 0.6.2) - activemodel (4.0.10) - activesupport (= 4.0.10) + activemodel (4.0.12) + activesupport (= 4.0.12) builder (~> 3.1.0) - activerecord (4.0.10) - activemodel (= 4.0.10) + activerecord (4.0.12) + activemodel (= 4.0.12) activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.10) + activesupport (= 4.0.12) arel (~> 4.0.0) activerecord-deprecated_finders (1.0.3) - activesupport (4.0.10) + activesupport (4.0.12) i18n (~> 0.6, >= 0.6.9) minitest (~> 4.2) multi_json (~> 1.3) @@ -187,17 +187,17 @@ GEM rack rack-test (0.6.2) rack (>= 1.0) - rails (4.0.10) - actionmailer (= 4.0.10) - actionpack (= 4.0.10) - activerecord (= 4.0.10) - activesupport (= 4.0.10) + rails (4.0.12) + actionmailer (= 4.0.12) + actionpack (= 4.0.12) + activerecord (= 4.0.12) + activesupport (= 4.0.12) bundler (>= 1.3.0, < 2.0) - railties (= 4.0.10) + railties (= 4.0.12) sprockets-rails (~> 2.0) - railties (4.0.10) - actionpack (= 4.0.10) - activesupport (= 4.0.10) + railties (4.0.12) + actionpack (= 4.0.12) + activesupport (= 4.0.12) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.13.0) @@ -325,7 +325,7 @@ DEPENDENCIES powder pry rack-livereload - rails (= 4.0.10) + rails (= 4.0.12) rb-fsevent rspec-rails (= 2.14.2) sass-rails From 38b1391b2bd148b3b57d9060f5c93bf3c80733d3 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 30 Dec 2014 14:37:00 -0500 Subject: [PATCH 11/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Gemfile.lock b/Gemfile.lock index 2737757..752a1e0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -210,7 +210,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - rspec-core (2.14.0) + rspec-core (2.14.8) rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.6) @@ -228,7 +228,7 @@ GEM ruby_parser (3.5.0) sexp_processor (~> 4.1) sass (3.4.9) - sass-rails (5.0.0) + sass-rails (5.0.1) railties (>= 4.0.0, < 5.0) sass (~> 3.1) sprockets (>= 2.8, < 4.0) From 7ae98b769bfc04a2b08b63bc2d73a80f44528cd6 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 31 Jan 2015 18:34:48 -0500 Subject: [PATCH 12/60] Rebuilt Gemfile.lock file --- Gemfile.lock | 50 +++++++++++++++++++++----------------------------- 1 file changed, 21 insertions(+), 29 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 1ade5ae..f771feb 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,14 +31,14 @@ GEM childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) - bcrypt (3.1.9) + bcrypt (3.1.10) better_errors (2.1.1) coderay (>= 1.0.0) erubis (>= 2.6.6) rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.0) + brakeman (3.0.1) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) @@ -47,7 +47,6 @@ GEM ruby2ruby (~> 2.1.1) ruby_parser (~> 3.5.0) sass (~> 3.0) - slim (>= 1.3.6, < 3.0) terminal-table (~> 1.4) builder (3.1.4) bundler-audit (0.3.1) @@ -71,7 +70,7 @@ GEM coffee-script (2.3.0) coffee-script-source execjs - coffee-script-source (1.8.0) + coffee-script-source (1.9.0) cucumber (1.3.15) builder (>= 2.1.2) diff-lcs (>= 1.1.3) @@ -115,7 +114,7 @@ GEM guard-brakeman (0.8.3) brakeman (>= 2.1.1) guard (>= 2.0.0) - guard-compat (1.2.0) + guard-compat (1.2.1) guard-livereload (2.4.0) em-websocket (~> 0.5) guard (~> 2.8) 
@@ -133,14 +132,15 @@ GEM hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.7.0) - jquery-fileupload-rails (0.4.2) + jquery-fileupload-rails (0.4.4) actionpack (>= 3.1) railties (>= 3.1) + sass (>= 3.2) jquery-rails (3.1.2) railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) json (1.8.2) - kgio (2.9.2) + kgio (2.9.3) launchy (2.4.3) addressable (~> 2.3) libv8 (3.16.14.7) @@ -151,16 +151,14 @@ GEM lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) - mailcatcher (0.2.4) - eventmachine - haml - i18n - json - mail - sinatra - skinny (>= 0.1.2) - sqlite3-ruby - thin + mailcatcher (0.6.0) + activesupport (>= 4.0.0, < 5) + eventmachine (~> 1.0.0) + mail (~> 2.3) + sinatra (~> 1.2) + skinny (~> 0.2.3) + sqlite3 (~> 1.3) + thin (~> 1.5.0) method_source (0.8.2) mime-types (2.4.3) mini_portile (0.5.3) @@ -168,7 +166,7 @@ GEM multi_json (1.10.1) multi_test (0.1.1) mysql2 (0.3.17) - nenv (0.1.1) + nenv (0.2.0) nokogiri (1.6.1) mini_portile (~> 0.5.0) notiffany (0.0.3) @@ -215,7 +213,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - rspec-core (2.14.0) + rspec-core (2.14.8) rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.6) @@ -232,14 +230,14 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.5.0) sexp_processor (~> 4.1) - sass (3.4.9) + sass (3.4.11) sass-rails (5.0.1) railties (>= 4.0.0, < 5.0) sass (~> 3.1) sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) tilt (~> 1.1) - sexp_processor (4.4.4) + sexp_processor (4.4.5) shellany (0.0.1) simplecov (0.9.1) docile (~> 1.1.0) 
@@ -253,23 +251,17 @@ GEM skinny (0.2.3) eventmachine (~> 1.0.0) thin (~> 1.5.0) - slim (2.1.0) - temple (~> 0.6.9) - tilt (>= 1.3.3, < 2.1) slop (3.6.0) sprockets (2.12.3) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.2.2) + sprockets-rails (2.2.4) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) - sqlite3-ruby (1.3.3) - sqlite3 (>= 1.3.3) - temple (0.6.10) terminal-table (1.4.5) therubyracer (0.12.1) libv8 (~> 3.16.14.0) @@ -288,7 +280,7 @@ GEM trollop (2.1.1) turbolinks (2.5.3) coffee-rails - tzinfo (0.3.42) + tzinfo (0.3.43) uglifier (2.7.0) execjs (>= 0.3.0) json (>= 1.8.0) From bb6ad2bae9975c5e328de3afc6283334a44c987c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 26 Feb 2015 09:39:48 -0500 Subject: [PATCH 13/60] Fixed Gemfile.lock file merge conflict --- Gemfile.lock | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b5686d0..6f5a8c0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,12 +70,8 @@ GEM coffee-script (2.3.0) coffee-script-source execjs -<<<<<<< HEAD - coffee-script-source (1.9.0) -======= coffee-script-source (1.8.0) crack (0.3.1) ->>>>>>> b2c8e6cf8dbbaf33b548b62aba99aa9512322da9 cucumber (1.3.15) builder (>= 2.1.2) diff-lcs (>= 1.1.3) From 3cb36d99d66539934664ec964814d245e18d681b Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 2 Mar 2015 09:33:11 -0500 Subject: [PATCH 14/60] Rebuilt Gemfile.lock file --- Gemfile.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6f5a8c0..59f3eba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,7 +70,7 @@ GEM coffee-script (2.3.0) coffee-script-source execjs - coffee-script-source (1.8.0) + coffee-script-source (1.9.1) crack (0.3.1) cucumber (1.3.15) builder (>= 2.1.2) 
@@ -103,7 +103,7 @@ GEM trollop (~> 2.0) gherkin (2.12.2) multi_json (~> 1.3) - guard (2.12.1) + guard (2.12.4) formatador (>= 0.2.4) listen (~> 2.7) lumberjack (~> 1.0) @@ -165,12 +165,12 @@ GEM mini_portile (0.5.3) minitest (4.7.5) multi_json (1.10.1) - multi_test (0.1.1) - mysql2 (0.3.17) + multi_test (0.1.2) + mysql2 (0.3.18) nenv (0.2.0) nokogiri (1.6.1) mini_portile (~> 0.5.0) - notiffany (0.0.4) + notiffany (0.0.6) nenv (~> 0.1) shellany (~> 0.0) poltergeist (1.6.0) @@ -233,7 +233,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.5.0) sexp_processor (~> 4.1) - sass (3.4.11) + sass (3.4.13) sass-rails (5.0.1) railties (>= 4.0.0, < 5.0) sass (~> 3.1) @@ -242,11 +242,11 @@ GEM tilt (~> 1.1) sexp_processor (4.4.5) shellany (0.0.1) - simplecov (0.9.1) + simplecov (0.9.2) docile (~> 1.1.0) multi_json (~> 1.0) - simplecov-html (~> 0.8.0) - simplecov-html (0.8.0) + simplecov-html (~> 0.9.0) + simplecov-html (0.9.0) sinatra (1.4.5) rack (~> 1.4) rack-protection (~> 1.4) @@ -284,16 +284,16 @@ GEM turbolinks (2.5.3) coffee-rails tzinfo (0.3.43) - uglifier (2.7.0) + uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) unicorn (4.8.3) kgio (~> 2.6) rack raindrops (~> 0.7) - websocket-driver (0.5.1) + websocket-driver (0.5.3) websocket-extensions (>= 0.1.0) - websocket-extensions (0.1.1) + websocket-extensions (0.1.2) xpath (2.0.0) nokogiri (~> 1.3) From 847d97657b57574588525645b605ffde5c2b64e4 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 6 Mar 2015 20:30:54 -0500 Subject: [PATCH 15/60] Rebuilt Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 59f3eba..ceef846 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -89,7 +89,7 @@ GEM http_parser.rb (~> 0.6.0) erubis (2.7.0) eventmachine (1.0.5) - execjs (2.3.0) + execjs (2.4.0) fastercsv (1.5.5) ffi (1.9.6) foreman (0.77.0) 
@@ -164,7 +164,7 @@ GEM mime-types (2.4.3) mini_portile (0.5.3) minitest (4.7.5) - multi_json (1.10.1) + multi_json (1.11.0) multi_test (0.1.2) mysql2 (0.3.18) nenv (0.2.0) From ea588b8aa683d65900d0f62efd3b3bd4841a21c0 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 9 Mar 2015 10:44:05 -0400 Subject: [PATCH 16/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ceef846..44498cc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -145,7 +145,7 @@ GEM launchy (2.4.3) addressable (~> 2.3) libv8 (3.16.14.7) - listen (2.8.5) + listen (2.8.6) celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) From cc25ecd47795bc4915441b0b3a8999154e1c3de7 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 15 Mar 2015 11:36:45 -0400 Subject: [PATCH 17/60] Upgraded 12 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 44498cc..13af7a5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -38,14 +38,14 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.1) + brakeman (3.0.2) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) highline (~> 1.6.20) multi_json (~> 1.2) ruby2ruby (~> 2.1.1) - ruby_parser (~> 3.5.0) + ruby_parser (~> 3.6.2) sass (~> 3.0) terminal-table (~> 1.4) builder (3.1.4) @@ -78,12 +78,11 @@ GEM gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.1.1) - daemons (1.1.9) - database_cleaner (1.4.0) + daemons (1.2.1) + database_cleaner (1.4.1) debug_inspector (0.0.2) diff-lcs (1.2.5) docile (1.1.5) - dotenv (1.0.2) em-websocket (0.5.1) eventmachine (>= 0.12.9) http_parser.rb (~> 0.6.0) 
@@ -91,9 +90,8 @@ GEM eventmachine (1.0.5) execjs (2.4.0) fastercsv (1.5.5) - ffi (1.9.6) - foreman (0.77.0) - dotenv (~> 1.0.2) + ffi (1.9.8) + foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) gauntlt (1.0.10) @@ -103,7 +101,7 @@ GEM trollop (~> 2.0) gherkin (2.12.2) multi_json (~> 1.3) - guard (2.12.4) + guard (2.12.5) formatador (>= 0.2.4) listen (~> 2.7) lumberjack (~> 1.0) @@ -145,7 +143,7 @@ GEM launchy (2.4.3) addressable (~> 2.3) libv8 (3.16.14.7) - listen (2.8.6) + listen (2.9.0) celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) @@ -231,7 +229,7 @@ GEM ruby2ruby (2.1.3) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.5.0) + ruby_parser (3.6.5) sexp_processor (~> 4.1) sass (3.4.13) sass-rails (5.0.1) @@ -240,7 +238,7 @@ GEM sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) tilt (~> 1.1) - sexp_processor (4.4.5) + sexp_processor (4.5.0) shellany (0.0.1) simplecov (0.9.2) docile (~> 1.1.0) @@ -274,13 +272,13 @@ GEM eventmachine (>= 0.12.6) rack (>= 1.0.0) thor (0.19.1) - thread_safe (0.3.4) + thread_safe (0.3.5) tilt (1.4.1) timers (4.0.1) hitimes travis-lint (2.0.0) json - trollop (2.1.1) + trollop (2.1.2) turbolinks (2.5.3) coffee-rails tzinfo (0.3.43) From 4bf596f95f959a12a81ad1525782a6165f36bea8 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 19 Mar 2015 16:50:45 -0400 Subject: [PATCH 18/60] Upgraded 1 gem by rebuilding Gemfile.lock file; Added sleep to try to fix fragile spec --- Gemfile.lock | 2 +- spec/vulnerabilities/xss_spec.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 13af7a5..1ae0424 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -78,7 +78,7 @@ GEM gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.1.1) - daemons (1.2.1) + daemons (1.2.2) database_cleaner (1.4.1) debug_inspector (0.0.2) diff-lcs (1.2.5) diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb index f96148d..196211a 100644 
--- a/spec/vulnerabilities/xss_spec.rb +++ b/spec/vulnerabilities/xss_spec.rb @@ -19,6 +19,7 @@ feature 'xss' do end click_on 'Submit' + sleep(1) visit '/' pending(:if => verifying_fixed?) { find('form.button_to input.btn.btn-primary').value.should == 'RailsGoat h4x0r3d' } @@ -26,4 +27,4 @@ feature 'xss' do # might be nice to demonstrate posting cookie contents or somesuch, but # this at least shows the vulnerability still exists. end -end \ No newline at end of file +end From b89eff47bd91ac6bb74257e663c28f37dbc256d8 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 21 Mar 2015 09:16:52 -0400 Subject: [PATCH 19/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 1ae0424..0c31199 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -131,7 +131,7 @@ GEM hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.7.0) - jquery-fileupload-rails (0.4.4) + jquery-fileupload-rails (0.4.5) actionpack (>= 3.1) railties (>= 3.1) sass (>= 3.2) From 9c5be894d0baaca3ed70f8a45b66b37da132175c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 30 Mar 2015 09:08:55 -0400 Subject: [PATCH 20/60] Upgraded 3 gems by Rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 09addc0..e934d87 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -182,7 +182,7 @@ GEM coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - pry-rails (0.3.3) + pry-rails (0.3.4) pry (>= 0.9.10) rack (1.5.2) rack-livereload (0.3.15) @@ -232,7 +232,7 @@ GEM ruby_parser (3.6.5) sexp_processor (~> 4.1) sass (3.4.13) - sass-rails (5.0.1) + sass-rails (5.0.2) railties (>= 4.0.0, < 5.0) sass (~> 3.1) sprockets (>= 2.8, < 4.0) @@ -289,7 +289,7 @@ GEM kgio (~> 2.6) rack raindrops (~> 0.7) - websocket-driver (0.5.3) + websocket-driver (0.5.4) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.2) xpath (2.0.0) 
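Review bot: `sleep(1)` after `click_on 'Submit'` masks a race rather than resolving it; a Capybara waiting matcher on something the submit renders (`expect(page).to have_content(...)` or `have_css(...)`) blocks exactly as long as needed and fails with a useful message, whereas a fixed sleep slows every run and still fails on a slow machine. The `feature 'xss'` block continues outside the hunk and the diff does not show what the submit renders, so the concrete selector has to come from the page under test. A one-line comment on the wait, e.g. `# wait for the POST to land before reloading`, would at least record why the pause exists if it stays.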
From acb21b01ab0f66737e398ee0c34d2477f89aa81e Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 1 Apr 2015 10:37:45 -0400 Subject: [PATCH 21/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e934d87..d2f6ffc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -18,7 +18,7 @@ GEM activerecord-deprecated_finders (~> 1.0.2) activesupport (= 4.0.13) arel (~> 4.0.0) - activerecord-deprecated_finders (1.0.3) + activerecord-deprecated_finders (1.0.4) activesupport (4.0.13) i18n (~> 0.6, >= 0.6.9) minitest (~> 4.2) @@ -232,7 +232,7 @@ GEM ruby_parser (3.6.5) sexp_processor (~> 4.1) sass (3.4.13) - sass-rails (5.0.2) + sass-rails (5.0.3) railties (>= 4.0.0, < 5.0) sass (~> 3.1) sprockets (>= 2.8, < 4.0) From 1662cc886caaaef00a328d449023517ed4e73bec Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 6 Apr 2015 16:13:52 -0400 Subject: [PATCH 22/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d2f6ffc..9918e89 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -67,7 +67,7 @@ GEM coffee-rails (4.1.0) coffee-script (>= 2.2.0) railties (>= 4.0.0, < 5.0) - coffee-script (2.3.0) + coffee-script (2.4.1) coffee-script-source execjs coffee-script-source (1.9.1) @@ -88,7 +88,7 @@ GEM http_parser.rb (~> 0.6.0) erubis (2.7.0) eventmachine (1.0.5) - execjs (2.4.0) + execjs (2.5.0) fastercsv (1.5.5) ffi (1.9.8) foreman (0.78.0) From e63a603017f68109cbfae86a3e2c94739d16d7bd Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 9 Apr 2015 15:04:31 -0400 Subject: [PATCH 23/60] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9918e89..a1c9b0a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -60,7 +60,7 @@ GEM xpath (~> 2.0) celluloid (0.16.0) timers (~> 4.0.0) - childprocess (0.5.5) + childprocess (0.5.6) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) @@ -88,7 +88,7 @@ GEM http_parser.rb (~> 0.6.0) erubis (2.7.0) eventmachine (1.0.5) - execjs (2.5.0) + execjs (2.5.2) fastercsv (1.5.5) ffi (1.9.8) foreman (0.78.0) @@ -264,7 +264,7 @@ GEM sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) terminal-table (1.4.5) - therubyracer (0.12.1) + therubyracer (0.12.2) libv8 (~> 3.16.14.0) ref thin (1.5.1) From 10014e1378fbe389bd51cb1b9b3cc1e736c7ec1d Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 9 Apr 2015 15:23:40 -0400 Subject: [PATCH 24/60] Fixed configs found during running 'rails server' --- config/environments/development.rb | 16 ++++++---------- config/environments/mysql.rb | 7 ------- config/environments/production.rb | 4 ---- 3 files changed, 6 insertions(+), 21 deletions(-) diff --git a/config/environments/development.rb b/config/environments/development.rb index c632b4d..3e46de3 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -6,9 +6,6 @@ Railsgoat::Application.configure do # since you don't have to restart the web server when you make code changes. config.cache_classes = false - # Log error messages when you accidentally call methods on nil. - config.whiny_nils = true - # Show full error reports and disable caching config.consider_all_requests_local = true config.action_controller.perform_caching = false 
@@ -22,13 +19,6 @@ Railsgoat::Application.configure do # Only use best-standards-support built into browsers config.action_dispatch.best_standards_support = :builtin - # Raise exception on mass assignment protection for Active Record models - config.active_record.mass_assignment_sanitizer = :strict - - # Log the query plan for queries taking more than this (works - # with SQLite, MySQL, and PostgreSQL) - config.active_record.auto_explain_threshold_in_seconds = 0.5 - # Tired of caching causing issues config.middleware.delete Rack::ETag @@ -51,4 +41,10 @@ Railsgoat::Application.configure do # :host => 'railsgoat.dev', # :ignore => [ %r{dont/modify\.html$} ] # ) + + # For Rails 4.0+ + # Do not eager load code on boot. This avoids loading your whole application + # just for the purpose of running a single test. If you are using a tool that + # preloads Rails for running tests, you may have to set it to true. + config.eager_load = false end diff --git a/config/environments/mysql.rb b/config/environments/mysql.rb index 0029db1..47d2452 100755 --- a/config/environments/mysql.rb +++ b/config/environments/mysql.rb @@ -6,9 +6,6 @@ Railsgoat::Application.configure do # since you don't have to restart the web server when you make code changes. config.cache_classes = false - # Log error messages when you accidentally call methods on nil. - config.whiny_nils = true - # Show full error reports and disable caching config.consider_all_requests_local = true config.action_controller.perform_caching = false @@ -22,10 +19,6 @@ Railsgoat::Application.configure do # Only use best-standards-support built into browsers config.action_dispatch.best_standards_support = :builtin - # Log the query plan for queries taking more than this (works - # with SQLite, MySQL, and PostgreSQL) - config.active_record.auto_explain_threshold_in_seconds = 0.5 - # Tired of caching causing issues config.middleware.delete Rack::ETag 
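Review bot: Next to the added `config.eager_load = false`, development has no replacement for the removed `config.active_record.mass_assignment_sanitizer = :strict` from the `@@ -22,13` hunk above; the Rails 4 counterpart is `config.action_controller.action_on_unpermitted_parameters = :raise`, which makes a controller that forwards unpermitted keys fail loudly in development instead of silently dropping them. The mysql.rb hunks in this commit have the same gap. Placing the new setting under the `# For Rails 4.0+` comment with `# raise instead of log so unpermitted keys are caught during development` keeps the block self-explanatory.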
diff --git a/config/environments/production.rb b/config/environments/production.rb index 69cf20b..4300360 100755 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -74,10 +74,6 @@ Railsgoat::Application.configure do # Send deprecation notices to registered listeners. config.active_support.deprecation = :notify - # Log the query plan for queries taking more than this (works - # with SQLite, MySQL, and PostgreSQL) - # config.active_record.auto_explain_threshold_in_seconds = 0.5 - # For Rails 4.0+: Eager load code on boot. This eager loads most of # Rails and your application in memory, allowing both thread web # servers and those relying on copy on write to perform better. From 3db086545d5d43ed586b8b7912eb1da11275544e Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 12 Apr 2015 13:15:05 -0400 Subject: [PATCH 25/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index a1c9b0a..7dd3612 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,7 +70,7 @@ GEM coffee-script (2.4.1) coffee-script-source execjs - coffee-script-source (1.9.1) + coffee-script-source (1.9.1.1) crack (0.3.1) cucumber (1.3.15) builder (>= 2.1.2) @@ -127,7 +127,6 @@ GEM haml (4.0.6) tilt highline (1.6.21) - hike (1.2.3) hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.7.0) @@ -253,11 +252,8 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (2.12.3) - hike (~> 1.2) - multi_json (~> 1.0) + sprockets (3.0.0) rack (~> 1.0) - tilt (~> 1.1, != 1.3.0) sprockets-rails (2.2.4) actionpack (>= 3.0) activesupport (>= 3.0) From 607af793ddab37a32deb0f167d5f180aa5bb3d74 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 15 Apr 2015 10:44:02 -0400 Subject: [PATCH 26/60] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Gemfile.lock b/Gemfile.lock index 7dd3612..c777b7f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -225,10 +225,10 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - ruby2ruby (2.1.3) + ruby2ruby (2.1.4) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.6.5) + ruby_parser (3.6.6) sexp_processor (~> 4.1) sass (3.4.13) sass-rails (5.0.3) @@ -252,7 +252,7 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (3.0.0) + sprockets (3.0.1) rack (~> 1.0) sprockets-rails (2.2.4) actionpack (>= 3.0) From 6834386c4918a31f5fa4cfa173761c4b3733f359 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 20 Apr 2015 09:49:53 -0400 Subject: [PATCH 27/60] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c777b7f..5e56acf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -239,11 +239,11 @@ GEM tilt (~> 1.1) sexp_processor (4.5.0) shellany (0.0.1) - simplecov (0.9.2) + simplecov (0.10.0) docile (~> 1.1.0) - multi_json (~> 1.0) - simplecov-html (~> 0.9.0) - simplecov-html (0.9.0) + json (~> 1.8) + simplecov-html (~> 0.10.0) + simplecov-html (0.10.0) sinatra (1.4.6) rack (~> 1.4) rack-protection (~> 1.4) From b32bc191afaa224304d12bd7367423e2f4d8c7ba Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 24 Apr 2015 15:06:32 -0400 Subject: [PATCH 28/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5e56acf..e3f93c7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -252,7 +252,7 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (3.0.1) + sprockets (3.0.2) rack (~> 1.0) sprockets-rails (2.2.4) actionpack (>= 3.0) @@ -281,7 +281,7 @@ GEM uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) - unicorn (4.8.3) + unicorn (4.9.0) kgio (~> 2.6) rack raindrops (~> 0.7) 
From faef79c0b71aec8b29eef1ad3aea293aa77976b5 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 25 Apr 2015 09:34:44 -0400 Subject: [PATCH 29/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e3f93c7..261f381 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -158,7 +158,7 @@ GEM sqlite3 (~> 1.3) thin (~> 1.5.0) method_source (0.8.2) - mime-types (2.4.3) + mime-types (2.5) mini_portile (0.5.3) minitest (4.7.5) multi_json (1.11.0) @@ -277,7 +277,7 @@ GEM trollop (2.1.2) turbolinks (2.5.3) coffee-rails - tzinfo (0.3.43) + tzinfo (0.3.44) uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) From c49fa60d57e5b3840521ab3e8767bf7ba67663ad Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 27 Apr 2015 22:23:36 -0400 Subject: [PATCH 30/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 261f381..ad2ef3e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -237,7 +237,7 @@ GEM sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) tilt (~> 1.1) - sexp_processor (4.5.0) + sexp_processor (4.5.1) shellany (0.0.1) simplecov (0.10.0) docile (~> 1.1.0) From b96a1721fc05f08c0eb078689a4789bec2cf4762 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 28 Apr 2015 09:55:39 -0400 Subject: [PATCH 31/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ad2ef3e..f4de2ec 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -252,7 +252,7 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (3.0.2) + sprockets (3.0.3) rack (~> 1.0) sprockets-rails (2.2.4) actionpack (>= 3.0) From 9f8414bf34fa55d768dcfd6c848095ab8cc41f6b Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Fri, 1 May 2015 18:02:09 -0400 Subject: [PATCH 32/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- .overcommit.yml | 32 ++++++++++++++++++++++++++++++++ Gemfile.lock | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 .overcommit.yml diff --git a/.overcommit.yml b/.overcommit.yml new file mode 100644 index 0000000..8bf12d0 --- /dev/null +++ b/.overcommit.yml @@ -0,0 +1,32 @@ +# Use this file to configure the Overcommit hooks you wish to use. This will +# extend the default configuration defined in: +# https://github.com/brigade/overcommit/blob/master/config/default.yml +# +# At the topmost level of this YAML file is a key representing type of hook +# being run (e.g. pre-commit, commit-msg, etc.). Within each type you can +# customize each hook, such as whether to only run it on certain files (via +# `include`), whether to only display output if it fails (via `quiet`), etc. +# +# For a complete list of hooks, see: +# https://github.com/brigade/overcommit/tree/master/lib/overcommit/hook +# +# For a complete list of options that you can use to customize hooks, see: +# https://github.com/brigade/overcommit#configuration +# +# Uncomment the following lines to make the configuration take effect. + +PreCommit: + Rubocop: + enabled: true + on_warn: warn # fail # Treat all warnings as failures + + TrailingWhitespace: + exclude: + - '**/db/structure.sql' # Ignore trailing whitespace in generated files + + PostCheckout: + ALL: # Special hook name that customizes all hooks of this type + quiet: true # Change all post-checkout hooks to only display output on failure + +# IndexTags: +# enabled: true # Generate a tags file with `ctags` each time HEAD changes diff --git a/Gemfile.lock b/Gemfile.lock index f4de2ec..34748fa 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
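Review bot: The header comment of the new .overcommit.yml ends with `# Uncomment the following lines to make the configuration take effect.`, but the `PreCommit:` block that follows is already live, so the sentence is stale and should read something like `# The hooks below are active; comment out any you do not want.`. `on_warn: warn # fail # Treat all warnings as failures` says the opposite of what the value does; `# set to fail to treat warnings as failures` would match. Indentation is not recoverable from this rendering, so I cannot tell whether `PostCheckout:` sits at top level or under `PreCommit:`; it must be top level to be treated as a hook type rather than a hook name.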
@@ -38,7 +38,7 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.2) + brakeman (3.0.3) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) From af04ed5d43cfd20d62ef3f18b3c47c05e13f4754 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 1 May 2015 18:02:50 -0400 Subject: [PATCH 33/60] Fixed .overcommit.yml file --- .overcommit.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.overcommit.yml b/.overcommit.yml index 8bf12d0..14fa1d1 100644 --- a/.overcommit.yml +++ b/.overcommit.yml @@ -21,10 +21,12 @@ PreCommit: on_warn: warn # fail # Treat all warnings as failures TrailingWhitespace: + enabled: true exclude: - '**/db/structure.sql' # Ignore trailing whitespace in generated files PostCheckout: + enabled: true ALL: # Special hook name that customizes all hooks of this type quiet: true # Change all post-checkout hooks to only display output on failure From 19e40cab25adcac7d0717eb7a47fc030ae45e84f Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 7 May 2015 19:15:29 -0400 Subject: [PATCH 34/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 34748fa..6ac2025 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -183,7 +183,7 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.2) + rack (1.5.3) rack-livereload (0.3.15) rack rack-protection (1.5.3) @@ -254,7 +254,7 @@ GEM slop (3.6.0) sprockets (3.0.3) rack (~> 1.0) - sprockets-rails (2.2.4) + sprockets-rails (2.3.0) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) From 72cc8a53e2e5e7d4451899b3b0b4b0db97f1d37c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 11 May 2015 09:55:27 -0400 Subject: [PATCH 35/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6ac2025..7189636 100644 --- a/Gemfile.lock 
+++ b/Gemfile.lock @@ -252,7 +252,7 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (3.0.3) + sprockets (3.1.0) rack (~> 1.0) sprockets-rails (2.3.0) actionpack (>= 3.0) From 510247efcfb8b6c915c34eeee5bd353f06312252 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 12 May 2015 17:02:12 -0400 Subject: [PATCH 36/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7189636..e85c930 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -254,7 +254,7 @@ GEM slop (3.6.0) sprockets (3.1.0) rack (~> 1.0) - sprockets-rails (2.3.0) + sprockets-rails (2.3.1) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) From 4af6cced173826e9c754d6c21b61143ef862088c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 23 May 2015 12:04:11 -0400 Subject: [PATCH 37/60] Upgraded Ruby to 2.1.6; Rebuild Gemfile.lock file --- .ruby-version | 2 +- .travis.yml | 2 +- Gemfile | 2 +- Gemfile.lock | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.ruby-version b/.ruby-version index c5864dc..b6da512 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.1.5 \ No newline at end of file +2.1.6 \ No newline at end of file diff --git a/.travis.yml b/.travis.yml index 2a2a6ea..463a82f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ language: ruby rvm: - - "2.1.5" + - "2.1.6" before_script: rake db:setup before_script: bundle exec rake db:setup env: RAILSGOAT_MAINTAINER=true \ No newline at end of file diff --git a/Gemfile b/Gemfile index b1b9cfe..af47580 100755 --- a/Gemfile +++ b/Gemfile @@ -3,7 +3,7 @@ source 'https://rubygems.org' #don't upgrade gem 'rails', '4.0.13' -ruby '2.1.5' +ruby '2.1.6' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' diff --git a/Gemfile.lock b/Gemfile.lock index e85c930..0c7b889 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -205,7 +205,7 @@ GEM thor (>= 0.18.1, < 2.0) raindrops (0.13.0) rake (10.4.2) - rb-fsevent (0.9.4) + rb-fsevent (0.9.5) rb-inotify (0.9.5) ffi (>= 0.5.0) ref (1.0.5) @@ -230,7 +230,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.6.6) sexp_processor (~> 4.1) - sass (3.4.13) + sass (3.4.14) sass-rails (5.0.3) railties (>= 4.0.0, < 5.0) sass (~> 3.1) From bb13ead5b9e6e64da867618682e548e9f84e397d Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 25 May 2015 15:48:18 -0400 Subject: [PATCH 38/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0c7b889..9d9359c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -158,7 +158,7 @@ GEM sqlite3 (~> 1.3) thin (~> 1.5.0) method_source (0.8.2) - mime-types (2.5) + mime-types (2.6.1) mini_portile (0.5.3) minitest (4.7.5) multi_json (1.11.0) From 27ce213eeda97f1630a30bde9a0639f4f3b5cc5a Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 29 May 2015 10:08:08 -0400 Subject: [PATCH 39/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9d9359c..76bae61 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -237,7 +237,7 @@ GEM sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) tilt (~> 1.1) - sexp_processor (4.5.1) + sexp_processor (4.6.0) shellany (0.0.1) simplecov (0.10.0) docile (~> 1.1.0) From 7c05c79cb10a52658d47f9ddcf83230adccb7c56 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 3 Jun 2015 17:53:30 -0400 Subject: [PATCH 40/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 76bae61..3878751 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -137,7 +137,7 @@ GEM jquery-rails (3.1.2) railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) - json (1.8.2) + json (1.8.3) kgio (2.9.3) launchy (2.4.3) addressable (~> 2.3) @@ -252,7 +252,7 @@ GEM eventmachine (~> 1.0.0) thin (~> 1.5.0) slop (3.6.0) - sprockets (3.1.0) + sprockets (3.2.0) rack (~> 1.0) sprockets-rails (2.3.1) actionpack (>= 3.0) From 401c69b8150611049221d84a69bc991071478524 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 16 Jun 2015 17:53:24 -0400 Subject: [PATCH 41/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c60239d..fa62db6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -134,7 +134,7 @@ GEM actionpack (>= 3.1) railties (>= 3.1) sass (>= 3.2) - jquery-rails (3.1.2) + jquery-rails (3.1.3) railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) json (1.8.3) @@ -183,7 +183,7 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.3) + rack (1.5.4) rack-livereload (0.3.15) rack rack-protection (1.5.3) From 26124739da042138053f01cc5904551e3885e729 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 17 Jun 2015 15:22:24 -0400 Subject: [PATCH 42/60] Upgraded Ruby to 2.2.2 plus rebuild Gemfile.lock file --- .ruby-version | 2 +- Gemfile | 3 ++- Gemfile.lock | 32 ++++++++++++++++++++------------ 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/.ruby-version b/.ruby-version index b6da512..7e541ae 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.1.6 \ No newline at end of file +2.2.2 \ No newline at end of file diff --git a/Gemfile b/Gemfile index af47580..7b630fe 100755 --- a/Gemfile +++ b/Gemfile @@ -3,7 +3,7 @@ source 'https://rubygems.org' #don't upgrade gem 'rails', '4.0.13' -ruby '2.1.6' +ruby '2.2.2' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' 
@@ -40,6 +40,7 @@ group :development, :test, :mysql do gem 'database_cleaner' gem 'poltergeist' gem 'rspec-rails', '2.14.2' + gem 'test-unit' end group :mysql do diff --git a/Gemfile.lock b/Gemfile.lock index fa62db6..321c71c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -27,7 +27,7 @@ GEM tzinfo (~> 0.3.37) addressable (2.3.8) arel (4.0.2) - aruba (0.5.4) + aruba (0.6.2) childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) @@ -72,12 +72,15 @@ GEM execjs coffee-script-source (1.9.1.1) crack (0.3.1) - cucumber (1.3.15) + cucumber (2.0.0) builder (>= 2.1.2) + cucumber-core (~> 1.1.3) diff-lcs (>= 1.1.3) gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) - multi_test (>= 0.1.1) + multi_test (>= 0.1.2) + cucumber-core (1.1.3) + gherkin (~> 2.12.0) daemons (1.2.2) database_cleaner (1.4.1) debug_inspector (0.0.2) @@ -94,11 +97,11 @@ GEM foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) - gauntlt (1.0.10) - aruba (= 0.5.4) - cucumber (= 1.3.15) - nokogiri (= 1.6.1) - trollop (~> 2.0) + gauntlt (1.0.6) + aruba + cucumber + nokogiri (~> 1.5.0) + trollop gherkin (2.12.2) multi_json (~> 1.3) guard (2.12.6) @@ -142,7 +145,7 @@ GEM launchy (2.4.3) addressable (~> 2.3) libv8 (3.16.14.7) - listen (2.10.0) + listen (2.10.1) celluloid (~> 0.16.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) @@ -159,14 +162,12 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (2.6.1) - mini_portile (0.5.3) minitest (4.7.5) multi_json (1.11.1) multi_test (0.1.2) mysql2 (0.3.18) nenv (0.2.0) - nokogiri (1.6.1) - mini_portile (~> 0.5.0) + nokogiri (1.5.11) notiffany (0.0.6) nenv (~> 0.1) shellany (~> 0.0) @@ -177,6 +178,7 @@ GEM websocket-driver (>= 0.2.0) powder (0.3.0) thor (>= 0.11.5) + power_assert (0.2.3) pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) @@ -260,6 +262,8 @@ GEM sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) terminal-table (1.4.5) + test-unit (3.1.2) + power_assert therubyracer (0.12.2) libv8 (~> 3.16.14.0) ref 
@@ -328,8 +332,12 @@ DEPENDENCIES sass-rails simplecov sqlite3 + test-unit therubyracer travis-lint turbolinks uglifier unicorn + +BUNDLED WITH + 1.10.4 From 9b2355de9efe90f4da268742b79b50424f4acb85 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 17 Jun 2015 18:24:09 -0400 Subject: [PATCH 43/60] Fixed ruby version to 2.2.2 in .travis.yml file --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 463a82f..2138832 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ language: ruby rvm: - - "2.1.6" + - "2.2.2" before_script: rake db:setup before_script: bundle exec rake db:setup env: RAILSGOAT_MAINTAINER=true \ No newline at end of file From 258e5ae9350d46ee2f1c4df0b419ad4f29871eb8 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 18 Jun 2015 18:42:15 -0400 Subject: [PATCH 44/60] Upgraded 4 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 321c71c..ccde2c2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -38,14 +38,14 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.3) + brakeman (3.0.4) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) highline (~> 1.6.20) multi_json (~> 1.2) ruby2ruby (~> 2.1.1) - ruby_parser (~> 3.6.2) + ruby_parser (~> 3.7.0) sass (~> 3.0) terminal-table (~> 1.4) builder (3.1.4) @@ -185,7 +185,7 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.4) + rack (1.5.5) rack-livereload (0.3.15) rack rack-protection (1.5.3) @@ -230,7 +230,7 @@ GEM ruby2ruby (2.1.4) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.6.6) + ruby_parser (3.7.0) sexp_processor (~> 4.1) sass (3.4.14) sass-rails (5.0.3) From ab3d5af132882083de00a0c34ce3b39cb97aee5d Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Mon, 22 Jun 2015 22:48:14 -0400 Subject: [PATCH 45/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ccde2c2..dfdd3bb 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -38,7 +38,7 @@ GEM rack (>= 0.9.0) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (3.0.4) + brakeman (3.0.5) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) @@ -232,7 +232,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.7.0) sexp_processor (~> 4.1) - sass (3.4.14) + sass (3.4.15) sass-rails (5.0.3) railties (>= 4.0.0, < 5.0) sass (~> 3.1) From 6c62bba08483e830ca501ee75a60491e0cb192f0 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 26 Jun 2015 12:18:43 -0400 Subject: [PATCH 46/60] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index dfdd3bb..f8576c6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -81,7 +81,7 @@ GEM multi_test (>= 0.1.2) cucumber-core (1.1.3) gherkin (~> 2.12.0) - daemons (1.2.2) + daemons (1.2.3) database_cleaner (1.4.1) debug_inspector (0.0.2) diff-lcs (1.2.5) @@ -205,7 +205,7 @@ GEM activesupport (= 4.0.13) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - raindrops (0.13.0) + raindrops (0.14.0) rake (10.4.2) rb-fsevent (0.9.5) rb-inotify (0.9.5) @@ -256,7 +256,7 @@ GEM slop (3.6.0) sprockets (3.2.0) rack (~> 1.0) - sprockets-rails (2.3.1) + sprockets-rails (2.3.2) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) From 1a12743c3445533694f7160df748351bf439e51e Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 27 Jun 2015 08:40:19 -0400 Subject: [PATCH 47/60] Upgraded 6+ gems by rebuilding Gemfile.lock file --- Gemfile.lock | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f8576c6..0b3b51b 100644 --- a/Gemfile.lock 
+++ b/Gemfile.lock @@ -58,8 +58,6 @@ GEM rack (>= 1.0.0) rack-test (>= 0.5.4) xpath (~> 2.0) - celluloid (0.16.0) - timers (~> 4.0.0) childprocess (0.5.6) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) @@ -93,7 +91,7 @@ GEM eventmachine (1.0.5) execjs (2.5.2) fastercsv (1.5.5) - ffi (1.9.8) + ffi (1.9.9) foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) @@ -104,9 +102,9 @@ GEM trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.12.6) + guard (2.12.7) formatador (>= 0.2.4) - listen (~> 2.7) + listen (>= 2.7, <= 4.0) lumberjack (~> 1.0) nenv (~> 0.1) notiffany (~> 0.0) @@ -130,7 +128,6 @@ GEM haml (4.0.6) tilt highline (1.6.21) - hitimes (1.2.2) http_parser.rb (0.6.0) i18n (0.7.0) jquery-fileupload-rails (0.4.5) @@ -144,9 +141,8 @@ GEM kgio (2.9.3) launchy (2.4.3) addressable (~> 2.3) - libv8 (3.16.14.7) - listen (2.10.1) - celluloid (~> 0.16.0) + libv8 (3.16.14.9) + listen (3.0.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.9) @@ -261,7 +257,7 @@ GEM activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) - terminal-table (1.4.5) + terminal-table (1.5.0) test-unit (3.1.2) power_assert therubyracer (0.12.2) @@ -274,8 +270,6 @@ GEM thor (0.19.1) thread_safe (0.3.5) tilt (1.4.1) - timers (4.0.1) - hitimes travis-lint (2.0.0) json trollop (2.1.2) From 6ba7bdb1589c09c250eabed9131ffb117cb82782 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 29 Jun 2015 16:12:28 -0400 Subject: [PATCH 48/60] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0b3b51b..2c7138a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -257,7 +257,7 @@ GEM activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) - terminal-table (1.5.0) + terminal-table (1.5.2) test-unit (3.1.2) power_assert therubyracer (0.12.2) From c44d0470985b50538d64040b46fad3c86c6110f5 Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Tue, 30 Jun 2015 22:26:40 -0400 Subject: [PATCH 49/60] Upgraded 3 gems; Locked down libv8 as temp fix --- Gemfile | 2 ++ Gemfile.lock | 7 ++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 7b630fe..25bb777 100755 --- a/Gemfile +++ b/Gemfile @@ -58,6 +58,8 @@ gem 'turbolinks' # New for Rails 4.0 # See https://github.com/sstephenson/execjs#readme for more supported runtimes # gem 'therubyracer', :platforms => :ruby +gem 'libv8', '3.16.14.8' # 3.16.14.9 was yanked - temp. fix. + gem 'jquery-rails' # To use ActiveModel has_secure_password diff --git a/Gemfile.lock b/Gemfile.lock index 2c7138a..2b3ce19 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -49,7 +49,7 @@ GEM sass (~> 3.0) terminal-table (~> 1.4) builder (3.1.4) - bundler-audit (0.3.1) + bundler-audit (0.4.0) bundler (~> 1.2) thor (~> 0.18) capybara (2.4.4) @@ -141,8 +141,8 @@ GEM kgio (2.9.3) launchy (2.4.3) addressable (~> 2.3) - libv8 (3.16.14.9) - listen (3.0.0) + libv8 (3.16.14.8) + listen (3.0.1) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.9) @@ -313,6 +313,7 @@ DEPENDENCIES jquery-fileupload-rails jquery-rails launchy + libv8 (= 3.16.14.8) mailcatcher mysql2 poltergeist From 8dac4925e3b836125bcfd2ae80ff6269ce1601e9 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 1 Jul 2015 11:40:21 -0400 Subject: [PATCH 50/60] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 2b3ce19..d834ed1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -91,7 +91,7 @@ GEM eventmachine (1.0.5) execjs (2.5.2) fastercsv (1.5.5) - ffi (1.9.9) + ffi (1.9.10) foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) @@ -158,6 +158,7 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (2.6.1) + mini_portile (0.6.2) minitest (4.7.5) multi_json (1.11.1) multi_test (0.1.2) From 144a6eed2aea17023e27dea7cf3bb77759eb4844 Mon Sep 17 00:00:00 2001 
From: cktricky Date: Fri, 3 Jul 2015 10:52:29 -0400 Subject: [PATCH 51/60] updated gemfile --- Gemfile | 2 +- Gemfile.lock | 117 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 74 insertions(+), 45 deletions(-) diff --git a/Gemfile b/Gemfile index 25bb777..c78f5cc 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '4.0.13' +gem 'rails', '4.2.2' ruby '2.2.2' diff --git a/Gemfile.lock b/Gemfile.lock index d834ed1..7bd6b59 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -1,32 +1,43 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.0.13) - actionpack (= 4.0.13) + actionmailer (4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) mail (~> 2.5, >= 2.5.4) - actionpack (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - erubis (~> 2.7.0) - rack (~> 1.5.2) + rails-dom-testing (~> 1.0, >= 1.0.5) + actionpack (4.2.2) + actionview (= 4.2.2) + activesupport (= 4.2.2) + rack (~> 1.6) rack-test (~> 0.6.2) - activemodel (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - activerecord (4.0.13) - activemodel (= 4.0.13) - activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.13) - arel (~> 4.0.0) - activerecord-deprecated_finders (1.0.4) - activesupport (4.0.13) - i18n (~> 0.6, >= 0.6.9) - minitest (~> 4.2) - multi_json (~> 1.3) - thread_safe (~> 0.1) - tzinfo (~> 0.3.37) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + actionview (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + erubis (~> 2.7.0) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + activejob (4.2.2) + activesupport (= 4.2.2) + globalid (>= 0.3.0) + activemodel (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + activerecord (4.2.2) + activemodel (= 4.2.2) + activesupport (= 4.2.2) + arel (~> 6.0) + activesupport (4.2.2) + i18n (~> 0.7) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) + thread_safe (~> 0.3, >= 0.3.4) + tzinfo (~> 1.1) addressable (2.3.8) - arel (4.0.2) + arel (6.0.0) aruba (0.6.2) childprocess (>= 0.3.6) cucumber (>= 1.1.1) @@ -48,7 +59,7 @@ GEM ruby_parser (~> 3.7.0) sass (~> 3.0) terminal-table (~> 1.4) - builder (3.1.4) + builder (3.2.2) bundler-audit (0.4.0) bundler (~> 1.2) thor (~> 0.18) 
@@ -95,13 +106,15 @@ GEM foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) - gauntlt (1.0.6) + gauntlt (0.1.4) aruba cucumber - nokogiri (~> 1.5.0) + nokogiri trollop gherkin (2.12.2) multi_json (~> 1.3) + globalid (0.3.5) + activesupport (>= 4.1.0) guard (2.12.7) formatador (>= 0.2.4) listen (>= 2.7, <= 4.0) @@ -134,8 +147,9 @@ GEM actionpack (>= 3.1) railties (>= 3.1) sass (>= 3.2) - jquery-rails (3.1.3) - railties (>= 3.0, < 5.0) + jquery-rails (4.0.4) + rails-dom-testing (~> 1.0) + railties (>= 4.2.0) thor (>= 0.14, < 2.0) json (1.8.3) kgio (2.9.3) @@ -145,6 +159,8 @@ GEM listen (3.0.1) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) + loofah (2.0.2) + nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) @@ -159,12 +175,13 @@ GEM method_source (0.8.2) mime-types (2.6.1) mini_portile (0.6.2) - minitest (4.7.5) + minitest (5.7.0) multi_json (1.11.1) multi_test (0.1.2) mysql2 (0.3.18) nenv (0.2.0) - nokogiri (1.5.11) + nokogiri (1.6.6.2) + mini_portile (~> 0.6.0) notiffany (0.0.6) nenv (~> 0.1) shellany (~> 0.0) 
@@ -182,24 +199,35 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.5) + rack (1.6.4) rack-livereload (0.3.15) rack rack-protection (1.5.3) rack rack-test (0.6.3) rack (>= 1.0) - rails (4.0.13) - actionmailer (= 4.0.13) - actionpack (= 4.0.13) - activerecord (= 4.0.13) - activesupport (= 4.0.13) + rails (4.2.2) + actionmailer (= 4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + activemodel (= 4.2.2) + activerecord (= 4.2.2) + activesupport (= 4.2.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.0.13) - sprockets-rails (~> 2.0) - railties (4.0.13) - actionpack (= 4.0.13) - activesupport (= 4.0.13) + railties (= 4.2.2) + sprockets-rails + rails-deprecated_sanitizer (1.0.3) + activesupport (>= 4.2.0.alpha) + rails-dom-testing (1.0.6) + activesupport (>= 4.2.0.beta, < 5.0) + nokogiri (~> 1.6.0) + rails-deprecated_sanitizer (>= 1.0.1) + rails-html-sanitizer (1.0.2) + loofah (~> 2.0) + railties (4.2.2) + actionpack (= 4.2.2) + activesupport (= 4.2.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.14.0) @@ -276,7 +304,8 @@ GEM trollop (2.1.2) turbolinks (2.5.3) coffee-rails - tzinfo (0.3.44) + tzinfo (1.2.2) + thread_safe (~> 0.1) uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) @@ -322,7 +351,7 @@ DEPENDENCIES pry pry-rails rack-livereload - rails (= 4.0.13) + rails (= 4.2.2) rb-fsevent rspec-rails (= 2.14.2) sass-rails @@ -336,4 +365,4 @@ DEPENDENCIES unicorn BUNDLED WITH - 1.10.4 + 1.10.5 From 58fb4025c925a5b4fd30fdc00f5998460d525f84 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 11:37:02 -0400 Subject: [PATCH 52/60] kinda cant do much without bootstrap --- app/assets/javascripts/application.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index f58ec86..aa51d07 100755 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js 
@@ -16,6 +16,7 @@ //= require wysiwyg/wysihtml5-0.3.0.js //= require jquery.min.js //= require jquery.scrollUp.js +//= require bootstrap.js //= require wysiwyg/bootstrap-wysihtml5.js //= require bootstrap-colorpicker.js //= require date-picker/date.js @@ -32,7 +33,6 @@ //= require jsapi //= html5.js - function rubyCodeFormat() { From 5945b4956d8c9996279a65395e9c2c449c0c0187 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 11:49:10 -0400 Subject: [PATCH 53/60] better spacing while troubleshooting --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index fdf2edc..f9172d9 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -25,7 +25,7 @@ class SessionsController < ApplicationController redirect_to path else # Removed this code, just doesn't seem specific enough! - # flash[:error] = "Either your username and password is incorrect" + # flash[:error] = "Either your username and password is incorrect" flash[:error] = e.message render "new" end From f6f3af918a204dbdd3c1570dd861852f449a5ce9 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 12:10:58 -0400 Subject: [PATCH 54/60] fixes change show that error messages display and the broken auth tests are not failing. Basically in Rails 4 each error messages name value is no longer a symbol but a string --- app/views/layouts/shared/_messages.html.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/views/layouts/shared/_messages.html.erb b/app/views/layouts/shared/_messages.html.erb index 76785d5..08ef212 100755 --- a/app/views/layouts/shared/_messages.html.erb +++ b/app/views/layouts/shared/_messages.html.erb @@ -1,4 +1,5 @@ <% flash.each do |name, msg| %> + <% name = name.to_sym %> <% if name == :error %>
× From a2c4f46c2614a7115426cea08a0d030f4d081923 Mon Sep 17 00:00:00 2001 From: cktricky Date: Mon, 6 Jul 2015 13:25:46 -0400 Subject: [PATCH 55/60] I have changed the second visit statement from the root path (/) to the account settings page. The reason is that the submit button is changed via JS but you need to be at the account settings page to see that change --- spec/vulnerabilities/xss_spec.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb index 325da0b..9549f4d 100644 --- a/spec/vulnerabilities/xss_spec.rb +++ b/spec/vulnerabilities/xss_spec.rb @@ -20,10 +20,11 @@ feature 'xss' do click_on 'Submit' sleep(1) - visit '/' - - pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' } - + + visit "/users/#{@normal_user.user_id}/account_settings" + + pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' } + # might be nice to demonstrate posting cookie contents or somesuch, but # this at least shows the vulnerability still exists. end From b89f520a7dabc5139a8d0e013177e10e6bb471fe Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 10 Jul 2015 17:38:37 -0400 Subject: [PATCH 56/60] not sure why this was removed in the first place --- app/controllers/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 5d812df..bcea95b 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
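Review bot: Reassigning the block parameter with `<% name = name.to_sym %>` works around Rails 4's string flash keys but hides the conversion in a loop variable; comparing once, `<% if name.to_sym == :error %>`, says the same thing without the rebinding. The keys being symbolised are set by the app's own controllers (e.g. `flash[:error] = e.message` in the sessions_controller hunk of this series), not by request data, so the `to_sym` is not a symbol-interning concern here, but a short comment saying why the conversion exists (`<%# Rails 4 yields flash keys as strings %>`) would keep the next maintainer from removing it. The template continues outside the hunk.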
@@ -32,7 +32,7 @@ class UsersController < ApplicationController
 #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
 # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
- user = User.where("user_id = '#{params[:user][:user_id]}'").first
+ user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
 if user
 user.skip_user_id_assign = true
 user.skip_hash_password = true
From 1e5962a1ca7fc1fbbef38892c405350b441a3ae7 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Fri, 10 Jul 2015 17:52:37 -0400
Subject: [PATCH 57/60] Revert "not sure why this was removed in the first place"
This reverts commit b89f520a7dabc5139a8d0e013177e10e6bb471fe.
---
 app/controllers/users_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index bcea95b..5d812df 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -32,7 +32,7 @@ class UsersController < ApplicationController
 #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
 # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
- user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+ user = User.where("user_id = '#{params[:user][:user_id]}'").first
 if user
 user.skip_user_id_assign = true
 user.skip_hash_password = true
From 5c62c1b0216c9118964d9fb496d7459d3858c51f Mon Sep 17 00:00:00 2001
From: cktricky
Date: Tue, 18 Aug 2015 12:27:20 -0400
Subject: [PATCH 58/60] the setting was incorrect and did not match what we show in the tutorial
---
 config/initializers/session_store.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index a60be40..caf4a5b 100755
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
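Review bot: The restored line `user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")` calls the pre-Rails-4 `find(:first, :conditions)` finder; this series pins `rails '4.2.2'` and the upgrade hunk drops `activerecord-deprecated_finders` from the lock, so with that shim gone the call is expected to raise rather than query (the next commit in the series reverts it for that reason). Both the old and the new line also build the WHERE clause by interpolating `params[:user][:user_id]` into SQL, so neither is a safe target to "restore"; the bound form commented out two lines above, `User.find(:first, :conditions => ["user_id = ?", params[:user][:user_id]])`, is the one to carry forward, written for 4.2 as `User.where("user_id = ?", params[:user][:user_id]).first`. The enclosing method begins before this hunk.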
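Review bot: The new side `user = User.where("user_id = '#{params[:user][:user_id]}'").first` still interpolates a request parameter straight into the WHERE string, so this revert restores a finder that runs on Rails 4.2 but not a safe one: a `user_id` value containing a quote rewrites the query. Bind the value instead, `user = User.where("user_id = ?", params[:user][:user_id]).first`, or use `User.find_by(user_id: params[:user][:user_id])`. If the injection is deliberate for this training app (the README hunk describes RailsGoat as intentionally vulnerable), a one-line comment such as `# INTENTIONAL: SQL injection lesson - do not parameterise` would prevent the back-and-forth this commit and the previous one show. The enclosing method begins before this hunk.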
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session'
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
From cdbf2d7d92adb8bb688a9ef5afaaf7e5d9f35f3b Mon Sep 17 00:00:00 2001
From: cktricky
Date: Tue, 18 Aug 2015 20:23:35 -0400
Subject: [PATCH 59/60] mass assignment vulnerability, how it manifests in Rails 4
---
 app/controllers/users_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 5d812df..58ca211 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -55,7 +55,7 @@ class UsersController < ApplicationController
 private
 def user_params
- params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+ params.require(:user).permit!
 end
 # unpermitted attributes are ignored in production
From d8f9ba6eefb9444adb9966e5be47676bb4a5fc05 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Tue, 18 Aug 2015 21:29:39 -0400
Subject: [PATCH 60/60] updated to reflect the rails 3 deprecation
---
 README.md | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index cd37342..f39a479 100755
--- a/README.md
+++ b/README.md
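Review bot: `httponly: false` on the `_railsgoat_session` cookie makes the session token readable from page JavaScript, so any script injection (the xss_spec in this series demonstrates one) can lift the session; Rails' default for the cookie store is HttpOnly on. The commit message says this is meant to match the tutorial, so the flag looks deliberate, but nothing on the line says so — add `# INTENTIONAL: HttpOnly disabled for the session-hijacking lesson; real apps keep the default and add secure: true` so the next upgrade does not silently "correct" it or, worse, copy it. This is a single-line initializer, fully visible in the hunk.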
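Review bot: `params.require(:user).permit!` allow-lists every key the client sends, so `admin` and `user_id` (both named in the removed permit call) become writable through this controller — that is the mass-assignment hole the commit title announces, but the line it replaces was not a safe baseline either, since it already permitted `:admin` and `:user_id`. If a fixed version is ever wanted alongside the lesson, it is `params.require(:user).permit(:email, :first_name, :last_name, :password, :password_confirmation)`, with the privileged attributes assigned server-side. The context comment that follows, `# unpermitted attributes are ignored in production`, no longer describes anything once everything is permitted and should be rewritten to say the method is intentionally open. The enclosing class continues outside the hunk.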
@@ -1,42 +1,49 @@ # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Getting Started To begin, install the Ruby Version Manager (RVM): -``` +```bash $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 ``` After installing the package, clone this repo: -``` +```bash $ git clone git@github.com:OWASP/railsgoat.git ``` -Navigate into the directory and install the dependencies: +**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches +```bash +$ cd railsgoat +$ git checkout rails_3_2 ``` + +Navigate into the directory (already there if you followed the previous step) and install the dependencies: + +```bash $ bundle install ``` If you receive an error, make sure you have `bundler` installed: -``` +```bash $ gem install bundler ``` Initialize the database: -``` +```bash $ rake db:setup ``` Start the Thin web server: -``` +```bash $ rails server ```