Merge pull request #202 from OWASP/pr-192

Pr 192
This commit is contained in:
Ken Johnson
2015-08-19 11:07:49 -04:00
60 changed files with 542 additions and 315 deletions
+1
@@ -10,3 +10,4 @@
coverage coverage
.tags .tags
/.vagrant /.vagrant
/vendor/ruby
+34
@@ -0,0 +1,34 @@
# Use this file to configure the Overcommit hooks you wish to use. This will
# extend the default configuration defined in:
# https://github.com/brigade/overcommit/blob/master/config/default.yml
#
# At the topmost level of this YAML file is a key representing type of hook
# being run (e.g. pre-commit, commit-msg, etc.). Within each type you can
# customize each hook, such as whether to only run it on certain files (via
# `include`), whether to only display output if it fails (via `quiet`), etc.
#
# For a complete list of hooks, see:
# https://github.com/brigade/overcommit/tree/master/lib/overcommit/hook
#
# For a complete list of options that you can use to customize hooks, see:
# https://github.com/brigade/overcommit#configuration
#
# Uncomment the following lines to make the configuration take effect.
PreCommit:
Rubocop:
enabled: true
on_warn: warn # fail # Treat all warnings as failures
TrailingWhitespace:
enabled: true
exclude:
- '**/db/structure.sql' # Ignore trailing whitespace in generated files
PostCheckout:
enabled: true
ALL: # Special hook name that customizes all hooks of this type
quiet: true # Change all post-checkout hooks to only display output on failure
# IndexTags:
# enabled: true # Generate a tags file with `ctags` each time HEAD changes
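Review bot: The instruction on L33, `Uncomment the following lines to make the configuration take effect`, is stale — the `PreCommit` and `PostCheckout` blocks below it are already uncommented and active, so a reader may conclude the hooks are not yet enabled; drop that sentence or replace it with `# The hooks below are enabled; everything else comes from config/default.yml.` The line `on_warn: warn # fail # Treat all warnings as failures` is also confusing because the trailing comment describes the value that is not set; write it as `on_warn: warn  # change to 'fail' to treat RuboCop warnings as commit failures` so the active behaviour is the one documented.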
+1 -1
@@ -1 +1 @@
2.1.5 2.2.2
+1 -1
@@ -1,6 +1,6 @@
language: ruby language: ruby
rvm: rvm:
- "2.1.5" - "2.2.2"
before_script: rake db:setup before_script: rake db:setup
before_script: bundle exec rake db:setup before_script: bundle exec rake db:setup
env: RAILSGOAT_MAINTAINER=true env: RAILSGOAT_MAINTAINER=true
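Review bot: The new side still carries two `before_script` keys (`before_script: rake db:setup` followed by `before_script: bundle exec rake db:setup`), which is a duplicate mapping key in YAML; most parsers silently keep the last occurrence and stricter ones reject the document, so which command actually runs is parser-dependent. Keep a single entry, `before_script: bundle exec rake db:setup`, so the rake from the pinned Gemfile.lock is the one that runs. This duplication predates the commit, but the Ruby bump is a natural moment to clean it up since the CI definition is being touched anyway.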
+18 -10
@@ -1,9 +1,9 @@
source 'https://rubygems.org' source 'https://rubygems.org'
#don't upgrade #don't upgrade
gem 'rails', '3.2.21' gem 'rails', '4.2.2'
ruby '2.1.5' ruby '2.2.2'
# Bundle edge Rails instead: # Bundle edge Rails instead:
# gem 'rails', :git => 'git://github.com/rails/rails.git' # gem 'rails', :git => 'git://github.com/rails/rails.git'
@@ -40,6 +40,7 @@ group :development, :test, :mysql do
gem 'database_cleaner' gem 'database_cleaner'
gem 'poltergeist' gem 'poltergeist'
gem 'rspec-rails', '2.14.2' gem 'rspec-rails', '2.14.2'
gem 'test-unit'
end end
group :mysql do group :mysql do
@@ -48,15 +49,16 @@ end
# Gems used only for assets and not required # Gems used only for assets and not required
# in production environments by default. # in production environments by default.
group :assets do gem 'sass-rails'
gem 'sass-rails' gem 'coffee-rails'
gem 'coffee-rails' gem 'jquery-fileupload-rails'
gem 'jquery-fileupload-rails' gem 'uglifier'
# See https://github.com/sstephenson/execjs#readme for more supported runtimes gem 'turbolinks' # New for Rails 4.0
# gem 'therubyracer', :platforms => :ruby
gem 'uglifier' # See https://github.com/sstephenson/execjs#readme for more supported runtimes
end # gem 'therubyracer', :platforms => :ruby
gem 'libv8', '3.16.14.8' # 3.16.14.9 was yanked - temp. fix.
gem 'jquery-rails' gem 'jquery-rails'
@@ -88,3 +90,9 @@ gem 'therubyracer'
# Add SMTP server support using MailCatcher # Add SMTP server support using MailCatcher
gem 'mailcatcher' gem 'mailcatcher'
#For Rails 4.0
#group :doc do
# # bundle exec rake doc:rails generates the API under doc/api.
# gem 'sdoc', require: false
#end
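Review bot: `gem 'mailcatcher'` sits outside any group on the new side (the hunk's context is the top-level `gem 'therubyracer'`), and with `Bundler.require(:default, Rails.env)` in config/application.rb that means its Sinatra/Thin web UI and their dependencies are loaded in production as well as development; it belongs in `group :development do gem 'mailcatcher' end`. The `#don't upgrade` above `gem 'rails', '4.2.2'` reads as a bare instruction — if the pin is deliberate because the training exercises target this exact release, say so, e.g. `# Pinned on purpose: RailsGoat lessons target Rails 4.2.2; do not bump or silence bundler-audit findings without updating the lessons`, so a later maintainer does not "fix" it. The new `gem 'test-unit'` line lands in the development/test/mysql group, which is the right place for it.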
+171 -144
@@ -1,58 +1,66 @@
GEM GEM
remote: https://rubygems.org/ remote: https://rubygems.org/
specs: specs:
actionmailer (3.2.21) actionmailer (4.2.2)
actionpack (= 3.2.21) actionpack (= 4.2.2)
mail (~> 2.5.4) actionview (= 4.2.2)
actionpack (3.2.21) activejob (= 4.2.2)
activemodel (= 3.2.21) mail (~> 2.5, >= 2.5.4)
activesupport (= 3.2.21) rails-dom-testing (~> 1.0, >= 1.0.5)
builder (~> 3.0.0) actionpack (4.2.2)
actionview (= 4.2.2)
activesupport (= 4.2.2)
rack (~> 1.6)
rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.1)
actionview (4.2.2)
activesupport (= 4.2.2)
builder (~> 3.1)
erubis (~> 2.7.0) erubis (~> 2.7.0)
journey (~> 1.0.4) rails-dom-testing (~> 1.0, >= 1.0.5)
rack (~> 1.4.5) rails-html-sanitizer (~> 1.0, >= 1.0.1)
rack-cache (~> 1.2) activejob (4.2.2)
rack-test (~> 0.6.1) activesupport (= 4.2.2)
sprockets (~> 2.2.1) globalid (>= 0.3.0)
activemodel (3.2.21) activemodel (4.2.2)
activesupport (= 3.2.21) activesupport (= 4.2.2)
builder (~> 3.0.0) builder (~> 3.1)
activerecord (3.2.21) activerecord (4.2.2)
activemodel (= 3.2.21) activemodel (= 4.2.2)
activesupport (= 3.2.21) activesupport (= 4.2.2)
arel (~> 3.0.2) arel (~> 6.0)
tzinfo (~> 0.3.29) activesupport (4.2.2)
activeresource (3.2.21) i18n (~> 0.7)
activemodel (= 3.2.21) json (~> 1.7, >= 1.7.7)
activesupport (= 3.2.21) minitest (~> 5.1)
activesupport (3.2.21) thread_safe (~> 0.3, >= 0.3.4)
i18n (~> 0.6, >= 0.6.4) tzinfo (~> 1.1)
multi_json (~> 1.0) addressable (2.3.8)
addressable (2.3.6) arel (6.0.0)
arel (3.0.3) aruba (0.6.2)
aruba (0.5.4)
childprocess (>= 0.3.6) childprocess (>= 0.3.6)
cucumber (>= 1.1.1) cucumber (>= 1.1.1)
rspec-expectations (>= 2.7.0) rspec-expectations (>= 2.7.0)
bcrypt (3.1.9) bcrypt (3.1.10)
better_errors (2.0.0) better_errors (2.1.1)
coderay (>= 1.0.0) coderay (>= 1.0.0)
erubis (>= 2.6.6) erubis (>= 2.6.6)
rack (>= 0.9.0) rack (>= 0.9.0)
binding_of_caller (0.7.2) binding_of_caller (0.7.2)
debug_inspector (>= 0.0.1) debug_inspector (>= 0.0.1)
brakeman (3.0.3) brakeman (3.0.5)
erubis (~> 2.6) erubis (~> 2.6)
fastercsv (~> 1.5) fastercsv (~> 1.5)
haml (>= 3.0, < 5.0) haml (>= 3.0, < 5.0)
highline (~> 1.6.20) highline (~> 1.6.20)
multi_json (~> 1.2) multi_json (~> 1.2)
ruby2ruby (~> 2.1.1) ruby2ruby (~> 2.1.1)
ruby_parser (~> 3.6.2) ruby_parser (~> 3.7.0)
sass (~> 3.0) sass (~> 3.0)
terminal-table (~> 1.4) terminal-table (~> 1.4)
builder (3.0.4) builder (3.2.2)
bundler-audit (0.3.1) bundler-audit (0.4.0)
bundler (~> 1.2) bundler (~> 1.2)
thor (~> 0.18) thor (~> 0.18)
capybara (2.4.4) capybara (2.4.4)
@@ -61,62 +69,65 @@ GEM
rack (>= 1.0.0) rack (>= 1.0.0)
rack-test (>= 0.5.4) rack-test (>= 0.5.4)
xpath (~> 2.0) xpath (~> 2.0)
celluloid (0.16.0) childprocess (0.5.6)
timers (~> 4.0.0)
childprocess (0.5.5)
ffi (~> 1.0, >= 1.0.11) ffi (~> 1.0, >= 1.0.11)
cliver (0.3.2) cliver (0.3.2)
coderay (1.1.0) coderay (1.1.0)
coffee-rails (3.2.2) coffee-rails (4.1.0)
coffee-script (>= 2.2.0) coffee-script (>= 2.2.0)
railties (~> 3.2.0) railties (>= 4.0.0, < 5.0)
coffee-script (2.3.0) coffee-script (2.4.1)
coffee-script-source coffee-script-source
execjs execjs
coffee-script-source (1.8.0) coffee-script-source (1.9.1.1)
crack (0.3.1) crack (0.3.1)
cucumber (1.3.15) cucumber (2.0.0)
builder (>= 2.1.2) builder (>= 2.1.2)
cucumber-core (~> 1.1.3)
diff-lcs (>= 1.1.3) diff-lcs (>= 1.1.3)
gherkin (~> 2.12) gherkin (~> 2.12)
multi_json (>= 1.7.5, < 2.0) multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.1) multi_test (>= 0.1.2)
daemons (1.1.9) cucumber-core (1.1.3)
database_cleaner (1.3.0) gherkin (~> 2.12.0)
daemons (1.2.3)
database_cleaner (1.4.1)
debug_inspector (0.0.2) debug_inspector (0.0.2)
diff-lcs (1.2.5) diff-lcs (1.2.5)
docile (1.1.5) docile (1.1.5)
dotenv (1.0.2)
em-websocket (0.5.1) em-websocket (0.5.1)
eventmachine (>= 0.12.9) eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0) http_parser.rb (~> 0.6.0)
erubis (2.7.0) erubis (2.7.0)
eventmachine (1.0.4) eventmachine (1.0.5)
execjs (2.2.2) execjs (2.5.2)
fastercsv (1.5.5) fastercsv (1.5.5)
ffi (1.9.6) ffi (1.9.10)
foreman (0.76.0) foreman (0.78.0)
dotenv (~> 1.0.2)
thor (~> 0.19.1) thor (~> 0.19.1)
formatador (0.2.5) formatador (0.2.5)
gauntlt (1.0.10) gauntlt (0.1.4)
aruba (= 0.5.4) aruba
cucumber (= 1.3.15) cucumber
nokogiri (= 1.6.1) nokogiri
trollop (~> 2.0) trollop
gherkin (2.12.2) gherkin (2.12.2)
multi_json (~> 1.3) multi_json (~> 1.3)
guard (2.10.4) globalid (0.3.5)
activesupport (>= 4.1.0)
guard (2.12.7)
formatador (>= 0.2.4) formatador (>= 0.2.4)
listen (~> 2.7) listen (>= 2.7, <= 4.0)
lumberjack (~> 1.0) lumberjack (~> 1.0)
nenv (~> 0.1) nenv (~> 0.1)
notiffany (~> 0.0)
pry (>= 0.9.12) pry (>= 0.9.12)
shellany (~> 0.0)
thor (>= 0.18.1) thor (>= 0.18.1)
guard-brakeman (0.8.3) guard-brakeman (0.8.3)
brakeman (>= 2.1.1) brakeman (>= 2.1.1)
guard (>= 2.0.0) guard (>= 2.0.0)
guard-compat (1.2.0) guard-compat (1.2.1)
guard-livereload (2.4.0) guard-livereload (2.4.0)
em-websocket (~> 0.5) em-websocket (~> 0.5)
guard (~> 2.8) guard (~> 2.8)
@@ -130,101 +141,106 @@ GEM
haml (4.0.6) haml (4.0.6)
tilt tilt
highline (1.6.21) highline (1.6.21)
hike (1.2.3)
hitimes (1.2.2)
http_parser.rb (0.6.0) http_parser.rb (0.6.0)
i18n (0.7.0) i18n (0.7.0)
journey (1.0.4) jquery-fileupload-rails (0.4.5)
jquery-fileupload-rails (0.4.1)
actionpack (>= 3.1) actionpack (>= 3.1)
railties (>= 3.1) railties (>= 3.1)
jquery-rails (3.1.2) sass (>= 3.2)
railties (>= 3.0, < 5.0) jquery-rails (4.0.4)
rails-dom-testing (~> 1.0)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0) thor (>= 0.14, < 2.0)
json (1.8.1) json (1.8.3)
kgio (2.9.2) kgio (2.9.3)
launchy (2.4.3) launchy (2.4.3)
addressable (~> 2.3) addressable (~> 2.3)
libv8 (3.16.14.7) libv8 (3.16.14.8)
listen (2.8.4) listen (3.0.1)
celluloid (>= 0.15.2)
rb-fsevent (>= 0.9.3) rb-fsevent (>= 0.9.3)
rb-inotify (>= 0.9) rb-inotify (>= 0.9)
loofah (2.0.2)
nokogiri (>= 1.5.9)
lumberjack (1.0.9) lumberjack (1.0.9)
mail (2.5.4) mail (2.6.3)
mime-types (~> 1.16) mime-types (>= 1.16, < 3)
treetop (~> 1.4.8) mailcatcher (0.6.1)
mailcatcher (0.5.12) activesupport (>= 4.0.0, < 5)
activesupport (~> 3.0) eventmachine (~> 1.0.0, <= 1.0.5)
eventmachine (~> 1.0.0)
haml (>= 3.1, < 5)
mail (~> 2.3) mail (~> 2.3)
sinatra (~> 1.2) sinatra (~> 1.2)
skinny (~> 0.2.3) skinny (~> 0.2.3)
sqlite3 (~> 1.3) sqlite3 (~> 1.3)
thin (~> 1.5.0) thin (~> 1.5.0)
method_source (0.8.2) method_source (0.8.2)
mime-types (1.25.1) mime-types (2.6.1)
mini_portile (0.5.3) mini_portile (0.6.2)
multi_json (1.11.0) minitest (5.7.0)
multi_test (0.1.1) multi_json (1.11.1)
mysql2 (0.3.17) multi_test (0.1.2)
nenv (0.1.1) mysql2 (0.3.18)
nokogiri (1.6.1) nenv (0.2.0)
mini_portile (~> 0.5.0) nokogiri (1.6.6.2)
poltergeist (1.5.1) mini_portile (~> 0.6.0)
notiffany (0.0.6)
nenv (~> 0.1)
shellany (~> 0.0)
poltergeist (1.6.0)
capybara (~> 2.1) capybara (~> 2.1)
cliver (~> 0.3.1) cliver (~> 0.3.1)
multi_json (~> 1.0) multi_json (~> 1.0)
websocket-driver (>= 0.2.0) websocket-driver (>= 0.2.0)
polyglot (0.3.5)
powder (0.3.0) powder (0.3.0)
thor (>= 0.11.5) thor (>= 0.11.5)
power_assert (0.2.3)
pry (0.10.1) pry (0.10.1)
coderay (~> 1.1.0) coderay (~> 1.1.0)
method_source (~> 0.8.1) method_source (~> 0.8.1)
slop (~> 3.4) slop (~> 3.4)
pry-rails (0.3.3) pry-rails (0.3.4)
pry (>= 0.9.10) pry (>= 0.9.10)
rack (1.4.5) rack (1.6.4)
rack-cache (1.2)
rack (>= 0.4)
rack-livereload (0.3.15) rack-livereload (0.3.15)
rack rack
rack-protection (1.5.3) rack-protection (1.5.3)
rack rack
rack-ssl (1.3.4) rack-test (0.6.3)
rack
rack-test (0.6.2)
rack (>= 1.0) rack (>= 1.0)
rails (3.2.21) rails (4.2.2)
actionmailer (= 3.2.21) actionmailer (= 4.2.2)
actionpack (= 3.2.21) actionpack (= 4.2.2)
activerecord (= 3.2.21) actionview (= 4.2.2)
activeresource (= 3.2.21) activejob (= 4.2.2)
activesupport (= 3.2.21) activemodel (= 4.2.2)
bundler (~> 1.0) activerecord (= 4.2.2)
railties (= 3.2.21) activesupport (= 4.2.2)
railties (3.2.21) bundler (>= 1.3.0, < 2.0)
actionpack (= 3.2.21) railties (= 4.2.2)
activesupport (= 3.2.21) sprockets-rails
rack-ssl (~> 1.3.2) rails-deprecated_sanitizer (1.0.3)
activesupport (>= 4.2.0.alpha)
rails-dom-testing (1.0.6)
activesupport (>= 4.2.0.beta, < 5.0)
nokogiri (~> 1.6.0)
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.2)
loofah (~> 2.0)
railties (4.2.2)
actionpack (= 4.2.2)
activesupport (= 4.2.2)
rake (>= 0.8.7) rake (>= 0.8.7)
rdoc (~> 3.4) thor (>= 0.18.1, < 2.0)
thor (>= 0.14.6, < 2.0) raindrops (0.14.0)
raindrops (0.13.0)
rake (10.4.2) rake (10.4.2)
rb-fsevent (0.9.4) rb-fsevent (0.9.5)
rb-inotify (0.9.5) rb-inotify (0.9.5)
ffi (>= 0.5.0) ffi (>= 0.5.0)
rdoc (3.12.2)
json (~> 1.4)
ref (1.0.5) ref (1.0.5)
rspec (2.14.1) rspec (2.14.1)
rspec-core (~> 2.14.0) rspec-core (~> 2.14.0)
rspec-expectations (~> 2.14.0) rspec-expectations (~> 2.14.0)
rspec-mocks (~> 2.14.0) rspec-mocks (~> 2.14.0)
rspec-core (2.14.0) rspec-core (2.14.8)
rspec-expectations (2.14.5) rspec-expectations (2.14.5)
diff-lcs (>= 1.1.3, < 2.0) diff-lcs (>= 1.1.3, < 2.0)
rspec-mocks (2.14.6) rspec-mocks (2.14.6)
@@ -239,35 +255,41 @@ GEM
ruby2ruby (2.1.4) ruby2ruby (2.1.4)
ruby_parser (~> 3.1) ruby_parser (~> 3.1)
sexp_processor (~> 4.0) sexp_processor (~> 4.0)
ruby_parser (3.6.6) ruby_parser (3.7.0)
sexp_processor (~> 4.1) sexp_processor (~> 4.1)
sass (3.4.14) sass (3.4.15)
sass-rails (3.2.6) sass-rails (5.0.3)
railties (~> 3.2.0) railties (>= 4.0.0, < 5.0)
sass (>= 3.1.10) sass (~> 3.1)
tilt (~> 1.3) sprockets (>= 2.8, < 4.0)
sprockets-rails (>= 2.0, < 4.0)
tilt (~> 1.1)
sexp_processor (4.6.0) sexp_processor (4.6.0)
simplecov (0.9.1) shellany (0.0.1)
simplecov (0.10.0)
docile (~> 1.1.0) docile (~> 1.1.0)
multi_json (~> 1.0) json (~> 1.8)
simplecov-html (~> 0.8.0) simplecov-html (~> 0.10.0)
simplecov-html (0.8.0) simplecov-html (0.10.0)
sinatra (1.4.5) sinatra (1.4.6)
rack (~> 1.4) rack (~> 1.4)
rack-protection (~> 1.4) rack-protection (~> 1.4)
tilt (~> 1.3, >= 1.3.4) tilt (>= 1.3, < 3)
skinny (0.2.3) skinny (0.2.3)
eventmachine (~> 1.0.0) eventmachine (~> 1.0.0)
thin (~> 1.5.0) thin (~> 1.5.0)
slop (3.6.0) slop (3.6.0)
sprockets (2.2.3) sprockets (3.2.0)
hike (~> 1.2)
multi_json (~> 1.0)
rack (~> 1.0) rack (~> 1.0)
tilt (~> 1.1, != 1.3.0) sprockets-rails (2.3.2)
actionpack (>= 3.0)
activesupport (>= 3.0)
sprockets (>= 2.8, < 4.0)
sqlite3 (1.3.10) sqlite3 (1.3.10)
terminal-table (1.4.5) terminal-table (1.5.2)
therubyracer (0.12.1) test-unit (3.1.2)
power_assert
therubyracer (0.12.2)
libv8 (~> 3.16.14.0) libv8 (~> 3.16.14.0)
ref ref
thin (1.5.1) thin (1.5.1)
@@ -275,26 +297,25 @@ GEM
eventmachine (>= 0.12.6) eventmachine (>= 0.12.6)
rack (>= 1.0.0) rack (>= 1.0.0)
thor (0.19.1) thor (0.19.1)
thread_safe (0.3.5)
tilt (1.4.1) tilt (1.4.1)
timers (4.0.1)
hitimes
travis-lint (2.0.0) travis-lint (2.0.0)
json json
treetop (1.4.15) trollop (2.1.2)
polyglot turbolinks (2.5.3)
polyglot (>= 0.3.1) coffee-rails
trollop (2.0) tzinfo (1.2.2)
tzinfo (0.3.42) thread_safe (~> 0.1)
uglifier (2.6.0) uglifier (2.7.1)
execjs (>= 0.3.0) execjs (>= 0.3.0)
json (>= 1.8.0) json (>= 1.8.0)
unicorn (4.8.3) unicorn (4.9.0)
kgio (~> 2.6) kgio (~> 2.6)
rack rack
raindrops (~> 0.7) raindrops (~> 0.7)
websocket-driver (0.5.1) websocket-driver (0.5.4)
websocket-extensions (>= 0.1.0) websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.1) websocket-extensions (0.1.2)
xpath (2.0.0) xpath (2.0.0)
nokogiri (~> 1.3) nokogiri (~> 1.3)
@@ -322,6 +343,7 @@ DEPENDENCIES
jquery-fileupload-rails jquery-fileupload-rails
jquery-rails jquery-rails
launchy launchy
libv8 (= 3.16.14.8)
mailcatcher mailcatcher
mysql2 mysql2
poltergeist poltergeist
@@ -329,13 +351,18 @@ DEPENDENCIES
pry pry
pry-rails pry-rails
rack-livereload rack-livereload
rails (= 3.2.21) rails (= 4.2.2)
rb-fsevent rb-fsevent
rspec-rails (= 2.14.2) rspec-rails (= 2.14.2)
sass-rails sass-rails
simplecov simplecov
sqlite3 sqlite3
test-unit
therubyracer therubyracer
travis-lint travis-lint
turbolinks
uglifier uglifier
unicorn unicorn
BUNDLED WITH
1.10.5
+14 -7
@@ -1,42 +1,49 @@
# RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
## Getting Started ## Getting Started
To begin, install the Ruby Version Manager (RVM): To begin, install the Ruby Version Manager (RVM):
``` ```bash
$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2
``` ```
After installing the package, clone this repo: After installing the package, clone this repo:
``` ```bash
$ git clone git@github.com:OWASP/railsgoat.git $ git clone git@github.com:OWASP/railsgoat.git
``` ```
Navigate into the directory and install the dependencies: **NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches
```bash
$ cd railsgoat
$ git checkout rails_3_2
``` ```
Navigate into the directory (already there if you followed the previous step) and install the dependencies:
```bash
$ bundle install $ bundle install
``` ```
If you receive an error, make sure you have `bundler` installed: If you receive an error, make sure you have `bundler` installed:
``` ```bash
$ gem install bundler $ gem install bundler
``` ```
Initialize the database: Initialize the database:
``` ```bash
$ rake db:setup $ rake db:setup
``` ```
Start the Thin web server: Start the Thin web server:
``` ```bash
$ rails server $ rails server
``` ```
+2
@@ -12,9 +12,11 @@
// //
//= require jquery //= require jquery
//= require jquery_ujs //= require jquery_ujs
//= require turbolinks
//= require wysiwyg/wysihtml5-0.3.0.js //= require wysiwyg/wysihtml5-0.3.0.js
//= require jquery.min.js //= require jquery.min.js
//= require jquery.scrollUp.js //= require jquery.scrollUp.js
//= require bootstrap.js
//= require wysiwyg/bootstrap-wysihtml5.js //= require wysiwyg/bootstrap-wysihtml5.js
//= require bootstrap-colorpicker.js //= require bootstrap-colorpicker.js
//= require date-picker/date.js //= require date-picker/date.js
+1 -1
@@ -1,5 +1,5 @@
class AdminController < ApplicationController class AdminController < ApplicationController
before_filter :administrative, :if => :admin_param, :except => [:get_user] before_action :administrative, :if => :admin_param, :except => [:get_user]
skip_before_filter :has_info skip_before_filter :has_info
def dashboard def dashboard
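Review bot: L509 converts `before_filter` to `before_action` but the next line keeps `skip_before_filter :has_info`; both still work on Rails 4.2, but the mix is inconsistent and `skip_before_filter` is the form later Rails versions drop, so change it to `skip_before_action :has_info` in the same pass. Separately, `:if => :admin_param` means the `administrative` check appears to run only when the request supplies whatever `admin_param` looks for (its body is outside this hunk); if that conditional authorisation is an intended RailsGoat lesson, a one-line `# INTENTIONAL (RailsGoat): authorization only runs when the admin param is present` would keep a future cleanup from "fixing" the wrong thing. The `dashboard` action that follows is outside the hunk.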
+4 -2
@@ -1,9 +1,11 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
before_filter :authenticated, :has_info, :create_analytic, :mailer_options before_action :authenticated, :has_info, :create_analytic, :mailer_options
helper_method :current_user, :is_admin?, :sanitize_font helper_method :current_user, :is_admin?, :sanitize_font
# Our security guy keep talking about sea-surfing, cool story bro. # Our security guy keep talking about sea-surfing, cool story bro.
# protect_from_forgery # Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
#protect_from_forgery with: :exception
private private
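Review bot: `protect_from_forgery` remains commented out on the new side (L519–L521), so no controller verifies the authenticity token even though the layout still emits `csrf_meta_tags`; the freshly added Rails 4.2 boilerplate comment ("Prevent CSRF attacks by raising an exception") now sits above a disabled line, which reads like an oversight rather than a decision. If the disabled protection is an intended RailsGoat lesson, say so on the line itself, e.g. `# INTENTIONAL (RailsGoat): CSRF protection disabled; the Rails 4.2 default is protect_from_forgery with: :exception`, so a contributor does not helpfully uncomment it and break the exercise. The `before_filter` → `before_action` change is a rename only; the filter list itself is unchanged.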
+7 -1
@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
end end
end end
end end
end
private
def message_params
params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
end
end
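Review bot: `message_params` permits `:creator_id`, `:receiver_id` and `:read`, so whichever action consumes it (the caller is outside this hunk) lets the client choose the sender identity and flip the read flag by supplying those keys; the sender should be taken from `current_user` on the server rather than from the request. A tighter list is `params.require(:message).permit(:message, :receiver_id)` with `creator_id` assigned in the action. The permit list mirrors the `attr_accessible` line removed from the Message model, so Rails 3 behaviour is preserved — if that exposure is a deliberate RailsGoat lesson, a comment saying so would make the intent clear.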
+7 -1
@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
message = false message = false
if params[:schedule][:event_type] == "pto" if params[:schedule][:event_type] == "pto"
sched = Schedule.new(params[:schedule]) sched = Schedule.new(schedule_params)
sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1]) sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
sched.user_id = current_user.user_id sched.user_id = current_user.user_id
a = sched.date_end a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
end end
return vals return vals
end end
private
def schedule_params
params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
end
end end
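Review bot: `schedule_params` permits `:date_begin` and `:date_end`, but `create` immediately overwrites both from `params[:date_range1]` via `format_schedule_date` (L542), so the client-supplied values are never meant to reach the record; trim the whitelist to `params.require(:schedule).permit(:event_desc, :event_name, :event_type)` so it documents what is actually accepted. Setting `user_id` from `current_user` instead of permitting it is the right call. Note also that L540 reads `params[:schedule][:event_type]` directly before `require(:schedule)` runs, so a request without a `schedule` key fails with NoMethodError on nil rather than the cleaner ParameterMissing; reading `schedule_params[:event_type]` there would fail properly. The rest of `create` is outside the hunk.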
+1 -1
@@ -25,7 +25,7 @@ class SessionsController < ApplicationController
redirect_to path redirect_to path
else else
# Removed this code, just doesn't seem specific enough! # Removed this code, just doesn't seem specific enough!
# flash[:error] = "Either your username and password is incorrect" # flash[:error] = "Either your username and password is incorrect"
flash[:error] = e.message flash[:error] = e.message
render "new" render "new"
end end
+15 -3
@@ -7,7 +7,7 @@ class UsersController < ApplicationController
end end
def create def create
user = User.new(params[:user]) user = User.new(user_params)
user.build_benefits_data user.build_benefits_data
if user.save if user.save
session[:user_id] = user.user_id session[:user_id] = user.user_id
@@ -31,11 +31,12 @@ class UsersController < ApplicationController
# Still an Insecure DoR vulnerability # Still an Insecure DoR vulnerability
#user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
user = User.where("user_id = '#{params[:user][:user_id]}'").first
if user if user
user.skip_user_id_assign = true user.skip_user_id_assign = true
user.skip_hash_password = true user.skip_hash_password = true
user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k }) user.update_attributes(user_params_without_password)
if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation]) if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
user.skip_hash_password = false user.skip_hash_password = false
user.password = params[:user][:password] user.password = params[:user][:password]
@@ -50,4 +51,15 @@ class UsersController < ApplicationController
redirect_to user_account_settings_path(:user_id => current_user.user_id) redirect_to user_account_settings_path(:user_id => current_user.user_id)
end end
end end
private
def user_params
params.require(:user).permit!
end
# unpermitted attributes are ignored in production
def user_params_without_password
params.require(:user).permit(:email, :admin, :first_name, :last_name)
end
end end
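Review bot: `user_params` on L591 is `params.require(:user).permit!`, which whitelists every attribute the client sends, and `create` on L569 passes it straight to `User.new`, so a registration request can set `admin` (the model's removed `attr_accessible` list included it) along with any other column; `user_params_without_password` on L595 explicitly permits `:admin` as well, so `update` has the same exposure. On L577 the rewritten lookup `User.where("user_id = '#{params[:user][:user_id]}'")` interpolates request input into SQL and is injectable exactly like the Rails 3 line it replaces. If both are intended RailsGoat lessons, mark them as such (`# INTENTIONAL (RailsGoat): mass assignment lesson` / `# INTENTIONAL (RailsGoat): SQL injection lesson`) so the port does not silently lose or "fix" the training value; otherwise use `permit(:email, :first_name, :last_name, :password, :password_confirmation)` and `User.where(user_id: params[:user][:user_id]).first`. The comment `# unpermitted attributes are ignored in production` on L593 is also misleading next to `permit!`, which permits everything rather than ignoring anything.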
-2
@@ -1,6 +1,4 @@
class Analytics < ActiveRecord::Base class Analytics < ActiveRecord::Base
attr_accessible :ip_address, :referrer, :user_agent
scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")} scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
def self.count_by_col(col) def self.count_by_col(col)
-1
@@ -1,5 +1,4 @@
class Benefits < ActiveRecord::Base class Benefits < ActiveRecord::Base
attr_accessor :backup
def self.save(file, backup=false) def self.save(file, backup=false)
data_path = Rails.root.join("public", "data") data_path = Rails.root.join("public", "data")
-1
@@ -1,5 +1,4 @@
class KeyManagement < ActiveRecord::Base class KeyManagement < ActiveRecord::Base
attr_accessible :iv, :user_id
belongs_to :work_info belongs_to :work_info
belongs_to :user belongs_to :user
end end
-1
@@ -1,6 +1,5 @@
class Message < ActiveRecord::Base class Message < ActiveRecord::Base
belongs_to :user belongs_to :user
attr_accessible :creator_id, :message, :read, :receiver_id
validates_presence_of :creator_id, :receiver_id, :message validates_presence_of :creator_id, :receiver_id, :message
def creator_name def creator_name
-1
@@ -1,5 +1,4 @@
class PaidTimeOff < ActiveRecord::Base class PaidTimeOff < ActiveRecord::Base
attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken
belongs_to :user belongs_to :user
has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
-3
@@ -1,7 +1,4 @@
class Pay < ActiveRecord::Base class Pay < ActiveRecord::Base
# mass-assignable attributes
attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
# Associations # Associations
belongs_to :user belongs_to :user
-1
@@ -1,5 +1,4 @@
class Performance < ActiveRecord::Base class Performance < ActiveRecord::Base
attr_accessible :comments, :date_submitted, :reviewer, :score
belongs_to :user belongs_to :user
def reviewer_name def reviewer_name
-1
@@ -1,4 +1,3 @@
class Retirement < ActiveRecord::Base class Retirement < ActiveRecord::Base
attr_accessible :employee_contrib, :employer_contrib, :total
belongs_to :user belongs_to :user
end end
-1
@@ -1,5 +1,4 @@
class Schedule < ActiveRecord::Base class Schedule < ActiveRecord::Base
attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type
belongs_to :paid_time_off belongs_to :paid_time_off
validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
-1
@@ -1,7 +1,6 @@
require 'encryption' require 'encryption'
class User < ActiveRecord::Base class User < ActiveRecord::Base
attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
validates :password, :presence => true, validates :password, :presence => true,
:confirmation => true, :confirmation => true,
:length => {:within => 6..40}, :length => {:within => 6..40},
-1
@@ -1,5 +1,4 @@
class WorkInfo < ActiveRecord::Base class WorkInfo < ActiveRecord::Base
attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
belongs_to :user belongs_to :user
has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
#before_save :encrypt_ssn #before_save :encrypt_ssn
+2 -2
@@ -2,8 +2,8 @@
<html> <html>
<head> <head>
<title>RailsGoat</title> <title>RailsGoat</title>
<%= stylesheet_link_tag "application", :media => "all" %> <%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %>
<%= javascript_include_tag "application" %> <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
<%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz --> <%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
<!-- bootstrap css --> <!-- bootstrap css -->
<% <%
+9 -9
@@ -31,11 +31,11 @@
</ul> </ul>
<ul class="mini-nav"> <ul class="mini-nav">
<li> <li>
<%= button_to "Visit Tutorial", nil, <%= button_to "Visit Tutorial", nil,
{ {
:class => "btn", :class => "btn",
:method => "get", :method => "get",
:onclick => "window.open('https://github.com/OWASP/railsgoat/wiki/tutorials', '_blank')" :onclick => "window.open('https://github.com/OWASP/railsgoat/wiki/tutorials', '_blank')"
} %> } %>
</li> </li>
</ul> </ul>
@@ -60,16 +60,16 @@
</ul> </ul>
<ul class="mini-nav"> <ul class="mini-nav">
<li> <li>
<%= button_to "Visit Tutorial", nil, <%= button_to "Visit Tutorial", nil,
{ {
:class => "btn", :class => "btn",
:method => "get", :method => "get",
:onclick => "window.open('https://github.com/OWASP/railsgoat/wiki/tutorials', '_blank')" :onclick => "window.open('https://github.com/OWASP/railsgoat/wiki/tutorials', '_blank')"
} %> } %>
</li> </li>
</ul> </ul>
</header> </header>
<div id="modal_div" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myAlert" aria-hidden="true"> <div id="modal_div" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myAlert" aria-hidden="true">
</div> </div>
@@ -1,4 +1,5 @@
<% flash.each do |name, msg| %> <% flash.each do |name, msg| %>
<% name = name.to_sym %>
<% if name == :error %> <% if name == :error %>
<div class="alert alert-error"> <div class="alert alert-error">
<a class="close" data-dismiss="alert" href="#">×</a> <a class="close" data-dismiss="alert" href="#">×</a>
+1 -1
@@ -1,4 +1,4 @@
# This file is used by Rack-based servers to start the application. # This file is used by Rack-based servers to start the application.
require ::File.expand_path('../config/environment', __FILE__) require ::File.expand_path('../config/environment', __FILE__)
run Railsgoat::Application run Rails.application
+3 -12
@@ -2,12 +2,9 @@ require File.expand_path('../boot', __FILE__)
require 'rails/all' require 'rails/all'
if defined?(Bundler) # Require the gems listed in Gemfile, including any gems
# If you precompile assets before deploying to production, use this line # you've limited to :test, :development, or :production.
Bundler.require(*Rails.groups(:assets => %w(development test mysql))) Bundler.require(:default, Rails.env)
# If you want your assets lazily compiled in production, use this line
# Bundler.require(:default, :assets, Rails.env)
end
module Railsgoat module Railsgoat
class Application < Rails::Application class Application < Rails::Application
@@ -47,12 +44,6 @@ module Railsgoat
# like if you have constraints or database-specific column types # like if you have constraints or database-specific column types
# config.active_record.schema_format = :sql # config.active_record.schema_format = :sql
# Enforce whitelist mode for mass assignment.
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
config.active_record.whitelist_attributes = false
# Enable the asset pipeline # Enable the asset pipeline
config.assets.enabled = true config.assets.enabled = true
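Review bot: Removing `config.active_record.whitelist_attributes` together with every model's `attr_accessible` line makes strong parameters in the controllers the only mass-assignment guard; on Rails 4.2 a controller that still calls `Model.new(params[:model])` with unpermitted `ActionController::Parameters` raises `ActiveModel::ForbiddenAttributesError` at request time, not at boot, so the gap only shows up when the action is exercised. Only the Messages, Schedule and Users controllers gain `*_params` helpers in this view, while models such as Pay, WorkInfo and Retirement lose their whitelists with no matching controller change visible (the commit touches 60 files, so the rest may be elsewhere) — a grep for `params[:` before merging would confirm every writer was converted. `Bundler.require(:default, Rails.env)` works, though the Rails 4.2 generator writes `Bundler.require(*Rails.groups)`, which is the same apart from also honouring `RAILS_GROUPS` and is the form most readers will recognise.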
-2
@@ -1,5 +1,3 @@
require 'rubygems'
# Set up gems listed in the Gemfile. # Set up gems listed in the Gemfile.
ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__) ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+2 -2
@@ -1,5 +1,5 @@
# Load the rails application # Load the Rails application.
require File.expand_path('../application', __FILE__) require File.expand_path('../application', __FILE__)
# Initialize the rails application # Initialize the Rails application.
Railsgoat::Application.initialize! Railsgoat::Application.initialize!
+6 -10
@@ -6,9 +6,6 @@ Railsgoat::Application.configure do
# since you don't have to restart the web server when you make code changes. # since you don't have to restart the web server when you make code changes.
config.cache_classes = false config.cache_classes = false
# Log error messages when you accidentally call methods on nil.
config.whiny_nils = true
# Show full error reports and disable caching # Show full error reports and disable caching
config.consider_all_requests_local = true config.consider_all_requests_local = true
config.action_controller.perform_caching = false config.action_controller.perform_caching = false
@@ -22,13 +19,6 @@ Railsgoat::Application.configure do
# Only use best-standards-support built into browsers # Only use best-standards-support built into browsers
config.action_dispatch.best_standards_support = :builtin config.action_dispatch.best_standards_support = :builtin
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
# Tired of caching causing issues # Tired of caching causing issues
config.middleware.delete Rack::ETag config.middleware.delete Rack::ETag
@@ -51,4 +41,10 @@ Railsgoat::Application.configure do
# :host => 'railsgoat.dev', # :host => 'railsgoat.dev',
# :ignore => [ %r{dont/modify\.html$} ] # :ignore => [ %r{dont/modify\.html$} ]
# ) # )
# For Rails 4.0+
# Do not eager load code on boot. This avoids loading your whole application
# just for the purpose of running a single test. If you are using a tool that
# preloads Rails for running tests, you may have to set it to true.
config.eager_load = false
end end
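Review bot: Dropping `config.active_record.mass_assignment_sanitizer = :strict` removes the development-time exception that used to surface unprotected mass assignment, and nothing on the new side of this hunk replaces that signal; the same removal appears in the second development-style environment file and in the test environment file of this commit. If the app is now on strong parameters, the Rails 4 equivalent is `config.action_controller.action_on_unpermitted_parameters = :raise` in development and test, so a submitted attribute that is not permitted fails loudly instead of being silently dropped. The `Railsgoat::Application.configure do` block starts outside the hunk.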
-10
@@ -6,9 +6,6 @@ Railsgoat::Application.configure do
# since you don't have to restart the web server when you make code changes. # since you don't have to restart the web server when you make code changes.
config.cache_classes = false config.cache_classes = false
# Log error messages when you accidentally call methods on nil.
config.whiny_nils = true
# Show full error reports and disable caching # Show full error reports and disable caching
config.consider_all_requests_local = true config.consider_all_requests_local = true
config.action_controller.perform_caching = false config.action_controller.perform_caching = false
@@ -22,13 +19,6 @@ Railsgoat::Application.configure do
# Only use best-standards-support built into browsers # Only use best-standards-support built into browsers
config.action_dispatch.best_standards_support = :builtin config.action_dispatch.best_standards_support = :builtin
# Raise exception on mass assignment protection for Active Record models
config.active_record.mass_assignment_sanitizer = :strict
# Log the query plan for queries taking more than this (works
# with SQLite, MySQL, and PostgreSQL)
config.active_record.auto_explain_threshold_in_seconds = 0.5
# Tired of caching causing issues # Tired of caching causing issues
config.middleware.delete Rack::ETag config.middleware.delete Rack::ETag
+55 -14
@@ -1,37 +1,50 @@
Railsgoat::Application.configure do Railsgoat::Application.configure do
# Settings specified here will take precedence over those in config/application.rb # Settings specified here will take precedence over those in config/application.rb
# Code is not reloaded between requests # Code is not reloaded between requests.
config.cache_classes = true config.cache_classes = true
# Full error reports are disabled and caching is turned on # Full error reports are disabled and caching is turned on.
config.consider_all_requests_local = false config.consider_all_requests_local = false
config.action_controller.perform_caching = true config.action_controller.perform_caching = true
# Disable Rails's static asset server (Apache or nginx will already do this) # Enable Rack::Cache to put a simple HTTP cache in front of your application
# Add `rack-cache` to your Gemfile before enabling this.
# For large-scale production use, consider using a caching
# reverse proxy like nginx, varnish or squid.
# config.action_dispatch.rack_cache = true
# Disable Rails's static asset server (Apache or nginx will already do this).
config.serve_static_assets = false config.serve_static_assets = false
# Compress JavaScripts and CSS # Compress JavaScripts and CSS
config.assets.compress = true config.assets.compress = true
# Don't fallback to assets pipeline if a precompiled asset is missed # Compress JavaScripts and CSS.
config.assets.compile = true config.assets.js_compressor = :uglifier
# config.assets.css_compressor = :sass
# Generate digests for assets URLs # Do not fallback to assets pipeline if a precompiled asset is missed.
config.assets.compile = true # default is false
# Generate digests for assets URLs.
config.assets.digest = true config.assets.digest = true
# For Rails 4.0+: Version of your assets, change this if you want to expire all your assets.
config.assets.version = '1.0'
# Defaults to nil and saved in location specified by config.assets.prefix # Defaults to nil and saved in location specified by config.assets.prefix
# config.assets.manifest = YOUR_PATH # config.assets.manifest = YOUR_PATH
# Specifies the header that your server uses for sending files # Specifies the header that your server uses for sending files.
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true # config.force_ssl = true
# See everything in the log (default is :info) # Set to :debug to see everything in the log.
# config.log_level = :debug config.log_level = :info
# Prepend all log lines with the following tags # Prepend all log lines with the following tags
# config.log_tags = [ :subdomain, :uuid ] # config.log_tags = [ :subdomain, :uuid ]
@@ -55,13 +68,41 @@ Railsgoat::Application.configure do
# config.threadsafe! # config.threadsafe!
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
# the I18n.default_locale when a translation can not be found) # the I18n.default_locale when a translation can not be found).
config.i18n.fallbacks = true config.i18n.fallbacks = true
# Send deprecation notices to registered listeners # Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify config.active_support.deprecation = :notify
# Log the query plan for queries taking more than this (works # For Rails 4.0+: Eager load code on boot. This eager loads most of
# with SQLite, MySQL, and PostgreSQL) # Rails and your application in memory, allowing both thread web
# config.active_record.auto_explain_threshold_in_seconds = 0.5 # servers and those relying on copy on write to perform better.
# Rake tasks automatically ignore this option for performance.
config.eager_load = true
# For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed.
config.log_formatter = ::Logger::Formatter.new
# For Rails 4.0+: Disable automatic flushing of the log to improve performance.
# config.autoflush_log = false
# Prepend all log lines with the following tags.
# config.log_tags = [ :subdomain, :uuid ]
# Use a different logger for distributed setups.
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Use a different cache store in production.
# config.cache_store = :mem_cache_store
# Enable serving of images, stylesheets, and JavaScripts from an asset server.
# config.action_controller.asset_host = "http://assets.example.com"
# Precompile additional assets.
# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
# config.assets.precompile += %w( search.js )
# Ignore bad email addresses and do not raise email delivery errors.
# Set this to true and configure the email server for immediate delivery to raise delivery errors.
# config.action_mailer.raise_delivery_errors = false
end end
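Review bot: `config.assets.compile = true # default is false` contradicts the comment directly above it (`# Do not fallback to assets pipeline if a precompiled asset is missed.`): with compile enabled, any request for an asset missing from the precompiled set triggers on-demand compilation in production, a latency and CPU cost that arbitrary asset requests can drive. If live compilation is intended for this training app, make the comment say so, e.g. `# Live compilation is deliberately enabled here; Rails' production default is false.`; otherwise set it to `false` and rely on `rake assets:precompile`. `config.assets.compress = true` is also kept next to the new `config.assets.js_compressor = :uglifier`, and the older setting appears to be superseded by the compressor settings in Rails 4, so it now reads as a second, misleading source of truth.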
+10 -10
@@ -7,18 +7,15 @@ Railsgoat::Application.configure do
# and recreated between test runs. Don't rely on the data there! # and recreated between test runs. Don't rely on the data there!
config.cache_classes = true config.cache_classes = true
# Configure static asset server for tests with Cache-Control for performance # Configure static asset server for tests with Cache-Control for performance.
config.serve_static_assets = true config.serve_static_assets = true
config.static_cache_control = "public, max-age=3600" config.static_cache_control = "public, max-age=3600"
# Log error messages when you accidentally call methods on nil # Show full error reports and disable caching.
config.whiny_nils = true
# Show full error reports and disable caching
config.consider_all_requests_local = true config.consider_all_requests_local = true
config.action_controller.perform_caching = false config.action_controller.perform_caching = false
# Raise exceptions instead of rendering exception templates # Raise exceptions instead of rendering exception templates.
config.action_dispatch.show_exceptions = false config.action_dispatch.show_exceptions = false
# Disable request forgery protection in test environment # Disable request forgery protection in test environment
@@ -29,9 +26,12 @@ Railsgoat::Application.configure do
# ActionMailer::Base.deliveries array. # ActionMailer::Base.deliveries array.
config.action_mailer.delivery_method = :test config.action_mailer.delivery_method = :test
# Raise exception on mass assignment protection for Active Record models # Print deprecation notices to the stderr.
config.active_record.mass_assignment_sanitizer = :strict
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr config.active_support.deprecation = :stderr
# For Rails 4.0+
# Do not eager load code on boot. This avoids loading your whole application
# just for the purpose of running a single test. If you are using a tool that
# preloads Rails for running tests, you may have to set it to true.
config.eager_load = false
end end
@@ -0,0 +1,4 @@
# Be sure to restart your server when you modify this file.
# Configure sensitive parameters which will be filtered from the log file.
Rails.application.config.filter_parameters += [:password]
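Review bot: `Rails.application.config.filter_parameters += [:password]` filters only parameter keys containing "password"; the routes changed in this same commit expose a password-reset flow (`password_resets#confirm_token`, `password_resets#reset_password`), and if the reset token travels as a request parameter it will be written to the log in clear, where even a stale token is a useful artefact for anyone with log access. Once the key is confirmed against the controller, add it and any other credential-bearing keys, e.g. `Rails.application.config.filter_parameters += [:password, :TOKEN_PARAM]` with `TOKEN_PARAM` as a placeholder for the real key. Matching is by substring, so `:password` already covers keys such as `password_confirmation`.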
+6 -5
@@ -1,15 +1,16 @@
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
# Add new inflection rules using the following format # Add new inflection rules using the following format. Inflections
# (all these examples are active by default): # are locale specific, and you may define rules for as many different
# ActiveSupport::Inflector.inflections do |inflect| # locales as you wish. All of these examples are active by default:
# ActiveSupport::Inflector.inflections(:en) do |inflect|
# inflect.plural /^(ox)$/i, '\1en' # inflect.plural /^(ox)$/i, '\1en'
# inflect.singular /^(ox)en/i, '\1' # inflect.singular /^(ox)en/i, '\1'
# inflect.irregular 'person', 'people' # inflect.irregular 'person', 'people'
# inflect.uncountable %w( fish sheep ) # inflect.uncountable %w( fish sheep )
# end # end
#
# These inflection rules are supported but not enabled by default: # These inflection rules are supported but not enabled by default:
# ActiveSupport::Inflector.inflections do |inflect| # ActiveSupport::Inflector.inflections(:en) do |inflect|
# inflect.acronym 'RESTful' # inflect.acronym 'RESTful'
# end # end
+1
@@ -5,3 +5,4 @@
# Make sure the secret is at least 30 characters and all random, # Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks. # no regular words or you'll be exposed to dictionary attacks.
Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4' Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
Railsgoat::Application.config.secret_key_base = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
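Review bot: The new `secret_key_base` is hard-coded in the initializer and is byte-for-byte the same value as the `secret_token` on the line above, so the Rails 3 cookie-signing secret and the Rails 4 key base now share one key and both live in version control, which is at odds with the randomness guidance in the comment two lines up. In Rails 4.1+ the key base belongs in `config/secrets.yml` or the environment, e.g. `Railsgoat::Application.config.secret_key_base = ENV['SECRET_KEY_BASE']` for non-development environments, and it should be a fresh value from `rake secret` rather than a copy of `secret_token`. If committing a fixed value is deliberate for this training app, a comment on the new line saying so would stop it being copied into a real deployment.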
-5
@@ -1,8 +1,3 @@
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
# Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information
# (create the session table with "rails generate session_migration")
# Railsgoat::Application.config.session_store :active_record_store
+1
@@ -0,0 +1 @@
ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
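Review bot: `ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)` is the strong_parameters-gem idiom for Rails 3.2; on Rails 4, which the `# For Rails 4.0+` settings elsewhere in this commit suggest, Active Record already includes this module, so the line is redundant there, though harmless. Because the same commit removes `config.active_record.whitelist_attributes` from application.rb, this include is now the only mass-assignment guard visible in config, and any model still relying on `attr_accessible` would need the protected_attributes gem instead — worth confirming against the models. A comment would help the next reader, e.g. `# Raise ForbiddenAttributesError when a model is assigned from unpermitted params (strong_parameters on Rails 3.2; built in on Rails 4).` Since the commit also moves to Ruby 2.2.2, where `include` is public, `ActiveRecord::Base.include(...)` would avoid the `send`.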
+1 -1
@@ -5,7 +5,7 @@
# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array. # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
ActiveSupport.on_load(:action_controller) do ActiveSupport.on_load(:action_controller) do
wrap_parameters format: [:json] wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
end end
# Disable root element in JSON by default. # Disable root element in JSON by default.
+20 -2
@@ -1,5 +1,23 @@
# Sample localization file for English. Add more files in this directory for other locales. # Files in the config/locales directory are used for internationalization
# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points. # and are automatically loaded by Rails. If you want to use locales other
# than English, add the necessary files in this directory.
#
# To use the locales, use `I18n.t`:
#
# I18n.t 'hello'
#
# In views, this is aliased to just `t`:
#
# <%= t('hello') %>
#
# To use a different locale, set it with `I18n.locale`:
#
# I18n.locale = :es
#
# This would use the information in config/locales/es.yml.
#
# To learn more, please read the Rails Internationalization guide
# available at http://guides.rubyonrails.org/i18n.html.
en: en:
hello: "Hello world" hello: "Hello world"
+2 -2
@@ -3,7 +3,7 @@ Railsgoat::Application.routes.draw do
get "login" => "sessions#new" get "login" => "sessions#new"
get "signup" => "users#new" get "signup" => "users#new"
get "logout" => "sessions#destroy" get "logout" => "sessions#destroy"
match "forgot_password" => "password_resets#forgot_password" get "forgot_password" => "password_resets#forgot_password"
get "password_resets" => "password_resets#confirm_token" get "password_resets" => "password_resets#confirm_token"
post "password_resets" => "password_resets#reset_password" post "password_resets" => "password_resets#reset_password"
get "dashboard/doc" => "dashboard#doc" get "dashboard/doc" => "dashboard#doc"
@@ -63,7 +63,7 @@ Railsgoat::Application.routes.draw do
get "dashboard" get "dashboard"
get "get_user" get "get_user"
post "delete_user" post "delete_user"
put "update_user" patch "update_user"
get "get_all_users" get "get_all_users"
get "analytics" get "analytics"
end end
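Review bot: `patch "update_user"` replaces `put "update_user"` rather than adding to it, so any client or spec that still sends PUT to update_user now gets a routing error; Rails 4's own `resources` update route accepts both verbs, and the equivalent here is `match "update_user", via: [:patch, :put]`. The change from `match "forgot_password"` to `get` is the right direction, since an unqualified `match` accepted every verb; if `password_resets#forgot_password` performs a state change such as sending a reset email, it should be reachable by POST rather than GET, but that cannot be confirmed from the routes alone. The `routes.draw` block and the nested block containing `update_user` both start outside the hunk.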
+1 -1
@@ -11,7 +11,7 @@
# #
# It's strongly recommended to check this file into your version control system. # It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20140804171756) do ActiveRecord::Schema.define(:version => 20140408185601) do
create_table "analytics", :force => true do |t| create_table "analytics", :force => true do |t|
t.string "ip_address" t.string "ip_address"
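Review bot: The schema version moves backwards, from 20140804171756 to 20140408185601, which means the new `schema.rb` was dumped from a database that had not run the later migration; `rake db:setup` (the command in this commit's .travis.yml) loads `schema.rb` and would build a database missing whatever that migration adds, while a subsequent `db:migrate` would then try to apply it on top. If a migration with version 20140804171756 still exists under `db/migrate`, regenerate the schema from a fully migrated database before merging; if it was intentionally removed, the commit message should say so. The `create_table` body continues outside the hunk.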
+43 -11
@@ -2,17 +2,48 @@
<html> <html>
<head> <head>
<title>The page you were looking for doesn't exist (404)</title> <title>The page you were looking for doesn't exist (404)</title>
<style type="text/css"> <style>
body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; } body {
div.dialog { background-color: #EFEFEF;
width: 25em; color: #2E2F30;
padding: 0 4em; text-align: center;
margin: 4em auto 0 auto; font-family: arial, sans-serif;
border: 1px solid #ccc; }
border-right-color: #999;
border-bottom-color: #999; div.dialog {
} width: 25em;
h1 { font-size: 100%; color: #f00; line-height: 1.5em; } margin: 4em auto 0 auto;
border: 1px solid #CCC;
border-right-color: #999;
border-left-color: #999;
border-bottom-color: #BBB;
border-top: #B00100 solid 4px;
border-top-left-radius: 9px;
border-top-right-radius: 9px;
background-color: white;
padding: 7px 4em 0 4em;
}
h1 {
font-size: 100%;
color: #730E15;
line-height: 1.5em;
}
body > p {
width: 33em;
margin: 0 auto 1em;
padding: 1em 0;
background-color: #F7F7F7;
border: 1px solid #CCC;
border-right-color: #999;
border-bottom-color: #999;
border-bottom-left-radius: 4px;
border-bottom-right-radius: 4px;
border-top-color: #DADADA;
color: #666;
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
}
</style> </style>
</head> </head>
@@ -22,5 +53,6 @@
<h1>The page you were looking for doesn't exist.</h1> <h1>The page you were looking for doesn't exist.</h1>
<p>You may have mistyped the address or the page may have moved.</p> <p>You may have mistyped the address or the page may have moved.</p>
</div> </div>
<p>If you are the application owner check the logs for more information.</p>
</body> </body>
</html> </html>
+43 -11
@@ -2,17 +2,48 @@
<html> <html>
<head> <head>
<title>The change you wanted was rejected (422)</title> <title>The change you wanted was rejected (422)</title>
<style type="text/css"> <style>
body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; } body {
div.dialog { background-color: #EFEFEF;
width: 25em; color: #2E2F30;
padding: 0 4em; text-align: center;
margin: 4em auto 0 auto; font-family: arial, sans-serif;
border: 1px solid #ccc; }
border-right-color: #999;
border-bottom-color: #999; div.dialog {
} width: 25em;
h1 { font-size: 100%; color: #f00; line-height: 1.5em; } margin: 4em auto 0 auto;
border: 1px solid #CCC;
border-right-color: #999;
border-left-color: #999;
border-bottom-color: #BBB;
border-top: #B00100 solid 4px;
border-top-left-radius: 9px;
border-top-right-radius: 9px;
background-color: white;
padding: 7px 4em 0 4em;
}
h1 {
font-size: 100%;
color: #730E15;
line-height: 1.5em;
}
body > p {
width: 33em;
margin: 0 auto 1em;
padding: 1em 0;
background-color: #F7F7F7;
border: 1px solid #CCC;
border-right-color: #999;
border-bottom-color: #999;
border-bottom-left-radius: 4px;
border-bottom-right-radius: 4px;
border-top-color: #DADADA;
color: #666;
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
}
</style> </style>
</head> </head>
@@ -22,5 +53,6 @@
<h1>The change you wanted was rejected.</h1> <h1>The change you wanted was rejected.</h1>
<p>Maybe you tried to change something you didn't have access to.</p> <p>Maybe you tried to change something you didn't have access to.</p>
</div> </div>
<p>If you are the application owner check the logs for more information.</p>
</body> </body>
</html> </html>
+43 -11
@@ -2,17 +2,48 @@
<html> <html>
<head> <head>
<title>We're sorry, but something went wrong (500)</title> <title>We're sorry, but something went wrong (500)</title>
<style type="text/css"> <style>
body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; } body {
div.dialog { background-color: #EFEFEF;
width: 25em; color: #2E2F30;
padding: 0 4em; text-align: center;
margin: 4em auto 0 auto; font-family: arial, sans-serif;
border: 1px solid #ccc; }
border-right-color: #999;
border-bottom-color: #999; div.dialog {
} width: 25em;
h1 { font-size: 100%; color: #f00; line-height: 1.5em; } margin: 4em auto 0 auto;
border: 1px solid #CCC;
border-right-color: #999;
border-left-color: #999;
border-bottom-color: #BBB;
border-top: #B00100 solid 4px;
border-top-left-radius: 9px;
border-top-right-radius: 9px;
background-color: white;
padding: 7px 4em 0 4em;
}
h1 {
font-size: 100%;
color: #730E15;
line-height: 1.5em;
}
body > p {
width: 33em;
margin: 0 auto 1em;
padding: 1em 0;
background-color: #F7F7F7;
border: 1px solid #CCC;
border-right-color: #999;
border-bottom-color: #999;
border-bottom-left-radius: 4px;
border-bottom-right-radius: 4px;
border-top-color: #DADADA;
color: #666;
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
}
</style> </style>
</head> </head>
@@ -21,5 +52,6 @@
<div class="dialog"> <div class="dialog">
<h1>We're sorry, but something went wrong.</h1> <h1>We're sorry, but something went wrong.</h1>
</div> </div>
<p>If you are the application owner check the logs for more information.</p>
</body> </body>
</html> </html>
+1 -1
@@ -1,5 +1,5 @@
# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
# #
# To ban all spiders from the entire site uncomment the next two lines: # To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: * # User-agent: *
# Disallow: / # Disallow: /
+1 -1
@@ -28,4 +28,4 @@ feature 'insecure direct object reference' do
pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' } pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' }
end end
end end
+6 -5
@@ -20,11 +20,12 @@ feature 'xss' do
click_on 'Submit' click_on 'Submit'
sleep(1) sleep(1)
visit '/'
visit "/users/#{@normal_user.user_id}/account_settings"
pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' }
pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
# might be nice to demonstrate posting cookie contents or somesuch, but # might be nice to demonstrate posting cookie contents or somesuch, but
# this at least shows the vulnerability still exists. # this at least shows the vulnerability still exists.
end end
end end
+3 -1
@@ -1,4 +1,4 @@
ENV["RAILS_ENV"] = "test" ENV["RAILS_ENV"] ||= "test"
# To use simplecov, do this: COVERAGE=true rake # To use simplecov, do this: COVERAGE=true rake
require 'simplecov' require 'simplecov'
@@ -8,6 +8,8 @@ require File.expand_path('../../config/environment', __FILE__)
require 'rails/test_help' require 'rails/test_help'
class ActiveSupport::TestCase class ActiveSupport::TestCase
# Maybe for Rails 4.0: ActiveRecord::Migration.check_pending!
# Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order. # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
# #
# Note: You'll currently still have to declare fixtures explicitly in integration tests # Note: You'll currently still have to declare fixtures explicitly in integration tests