Merge pull request #202 from OWASP/pr-192

Pr 192
2015-08-19 11:07:49 -04:00
parent 9052b4fcf0 d8f9ba6eef
commit 32df4e0ef7
60 changed files with 542 additions and 315 deletions
@@ -10,3 +10,4 @@
 coverage
 .tags
 /.vagrant
+/vendor/ruby
@@ -0,0 +1,34 @@
+# Use this file to configure the Overcommit hooks you wish to use. This will
+# extend the default configuration defined in:
+# https://github.com/brigade/overcommit/blob/master/config/default.yml
+#
+# At the topmost level of this YAML file is a key representing type of hook
+# being run (e.g. pre-commit, commit-msg, etc.). Within each type you can
+# customize each hook, such as whether to only run it on certain files (via
+# `include`), whether to only display output if it fails (via `quiet`), etc.
+#
+# For a complete list of hooks, see:
+# https://github.com/brigade/overcommit/tree/master/lib/overcommit/hook
+#
+# For a complete list of options that you can use to customize hooks, see:
+# https://github.com/brigade/overcommit#configuration
+#
+# Uncomment the following lines to make the configuration take effect.
+
+PreCommit:
+  Rubocop:
+    enabled: true
+    on_warn: warn # fail # Treat all warnings as failures
+
+  TrailingWhitespace:
+    enabled: true
+    exclude:
+      - '**/db/structure.sql' # Ignore trailing whitespace in generated files
+
+  PostCheckout:
+    enabled: true
+    ALL: # Special hook name that customizes all hooks of this type
+     quiet: true # Change all post-checkout hooks to only display output on failure
+
+#  IndexTags:
+#    enabled: true # Generate a tags file with `ctags` each time HEAD changes
@@ -1 +1 @@
-2.1.5
+2.2.2
@@ -1,6 +1,6 @@
 language: ruby
 rvm:
-  - "2.1.5"
+  - "2.2.2"
 before_script: rake db:setup
 before_script: bundle exec rake db:setup
 env: RAILSGOAT_MAINTAINER=true
@@ -1,9 +1,9 @@
 source 'https://rubygems.org'

 #don't upgrade
-gem 'rails', '3.2.21'
+gem 'rails', '4.2.2'

-ruby '2.1.5'
+ruby '2.2.2'

 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
@@ -40,6 +40,7 @@ group :development, :test, :mysql do
  gem 'database_cleaner'
  gem 'poltergeist'
  gem 'rspec-rails', '2.14.2'
+  gem 'test-unit'
 end

 group :mysql do
@@ -48,15 +49,16 @@ end

 # Gems used only for assets and not required
 # in production environments by default.
-group :assets do
-  gem 'sass-rails'
-  gem 'coffee-rails'
-  gem 'jquery-fileupload-rails'
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
+gem 'sass-rails'
+gem 'coffee-rails'
+gem 'jquery-fileupload-rails'
+gem 'uglifier'
+gem 'turbolinks' # New for Rails 4.0

-  gem 'uglifier'
-end
+# See https://github.com/sstephenson/execjs#readme for more supported runtimes
+# gem 'therubyracer', :platforms => :ruby
+
+gem 'libv8', '3.16.14.8' # 3.16.14.9 was yanked - temp. fix.

 gem 'jquery-rails'

@@ -88,3 +90,9 @@ gem 'therubyracer'

 # Add SMTP server support using MailCatcher
 gem 'mailcatcher'
+
+#For Rails 4.0
+#group :doc do
+#  # bundle exec rake doc:rails generates the API under doc/api.
+#  gem 'sdoc', require: false
+#end
@@ -1,58 +1,66 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (3.2.21)
-      actionpack (= 3.2.21)
-      mail (~> 2.5.4)
-    actionpack (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-      builder (~> 3.0.0)
+    actionmailer (4.2.2)
+      actionpack (= 4.2.2)
+      actionview (= 4.2.2)
+      activejob (= 4.2.2)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.2)
+      actionview (= 4.2.2)
+      activesupport (= 4.2.2)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.2)
+      activesupport (= 4.2.2)
+      builder (~> 3.1)
      erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.21)
-      activesupport (= 3.2.21)
-      builder (~> 3.0.0)
-    activerecord (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.21)
-      activemodel (= 3.2.21)
-      activesupport (= 3.2.21)
-    activesupport (3.2.21)
-      i18n (~> 0.6, >= 0.6.4)
-      multi_json (~> 1.0)
-    addressable (2.3.6)
-    arel (3.0.3)
-    aruba (0.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.2)
+      activesupport (= 4.2.2)
+      globalid (>= 0.3.0)
+    activemodel (4.2.2)
+      activesupport (= 4.2.2)
+      builder (~> 3.1)
+    activerecord (4.2.2)
+      activemodel (= 4.2.2)
+      activesupport (= 4.2.2)
+      arel (~> 6.0)
+    activesupport (4.2.2)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.3.8)
+    arel (6.0.0)
+    aruba (0.6.2)
      childprocess (>= 0.3.6)
      cucumber (>= 1.1.1)
      rspec-expectations (>= 2.7.0)
-    bcrypt (3.1.9)
-    better_errors (2.0.0)
+    bcrypt (3.1.10)
+    better_errors (2.1.1)
      coderay (>= 1.0.0)
      erubis (>= 2.6.6)
      rack (>= 0.9.0)
    binding_of_caller (0.7.2)
      debug_inspector (>= 0.0.1)
-    brakeman (3.0.3)
+    brakeman (3.0.5)
      erubis (~> 2.6)
      fastercsv (~> 1.5)
      haml (>= 3.0, < 5.0)
      highline (~> 1.6.20)
      multi_json (~> 1.2)
      ruby2ruby (~> 2.1.1)
-      ruby_parser (~> 3.6.2)
+      ruby_parser (~> 3.7.0)
      sass (~> 3.0)
      terminal-table (~> 1.4)
-    builder (3.0.4)
-    bundler-audit (0.3.1)
+    builder (3.2.2)
+    bundler-audit (0.4.0)
      bundler (~> 1.2)
      thor (~> 0.18)
    capybara (2.4.4)
@@ -61,62 +69,65 @@ GEM
      rack (>= 1.0.0)
      rack-test (>= 0.5.4)
      xpath (~> 2.0)
-    celluloid (0.16.0)
-      timers (~> 4.0.0)
-    childprocess (0.5.5)
+    childprocess (0.5.6)
      ffi (~> 1.0, >= 1.0.11)
    cliver (0.3.2)
    coderay (1.1.0)
-    coffee-rails (3.2.2)
+    coffee-rails (4.1.0)
      coffee-script (>= 2.2.0)
-      railties (~> 3.2.0)
-    coffee-script (2.3.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
      coffee-script-source
      execjs
-    coffee-script-source (1.8.0)
+    coffee-script-source (1.9.1.1)
    crack (0.3.1)
-    cucumber (1.3.15)
+    cucumber (2.0.0)
      builder (>= 2.1.2)
+      cucumber-core (~> 1.1.3)
      diff-lcs (>= 1.1.3)
      gherkin (~> 2.12)
      multi_json (>= 1.7.5, < 2.0)
-      multi_test (>= 0.1.1)
-    daemons (1.1.9)
-    database_cleaner (1.3.0)
+      multi_test (>= 0.1.2)
+    cucumber-core (1.1.3)
+      gherkin (~> 2.12.0)
+    daemons (1.2.3)
+    database_cleaner (1.4.1)
    debug_inspector (0.0.2)
    diff-lcs (1.2.5)
    docile (1.1.5)
-    dotenv (1.0.2)
    em-websocket (0.5.1)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
    erubis (2.7.0)
-    eventmachine (1.0.4)
-    execjs (2.2.2)
+    eventmachine (1.0.5)
+    execjs (2.5.2)
    fastercsv (1.5.5)
-    ffi (1.9.6)
-    foreman (0.76.0)
-      dotenv (~> 1.0.2)
+    ffi (1.9.10)
+    foreman (0.78.0)
      thor (~> 0.19.1)
    formatador (0.2.5)
-    gauntlt (1.0.10)
-      aruba (= 0.5.4)
-      cucumber (= 1.3.15)
-      nokogiri (= 1.6.1)
-      trollop (~> 2.0)
+    gauntlt (0.1.4)
+      aruba
+      cucumber
+      nokogiri
+      trollop
    gherkin (2.12.2)
      multi_json (~> 1.3)
-    guard (2.10.4)
+    globalid (0.3.5)
+      activesupport (>= 4.1.0)
+    guard (2.12.7)
      formatador (>= 0.2.4)
-      listen (~> 2.7)
+      listen (>= 2.7, <= 4.0)
      lumberjack (~> 1.0)
      nenv (~> 0.1)
+      notiffany (~> 0.0)
      pry (>= 0.9.12)
+      shellany (~> 0.0)
      thor (>= 0.18.1)
    guard-brakeman (0.8.3)
      brakeman (>= 2.1.1)
      guard (>= 2.0.0)
-    guard-compat (1.2.0)
+    guard-compat (1.2.1)
    guard-livereload (2.4.0)
      em-websocket (~> 0.5)
      guard (~> 2.8)
@@ -130,101 +141,106 @@ GEM
    haml (4.0.6)
      tilt
    highline (1.6.21)
-    hike (1.2.3)
-    hitimes (1.2.2)
    http_parser.rb (0.6.0)
    i18n (0.7.0)
-    journey (1.0.4)
-    jquery-fileupload-rails (0.4.1)
+    jquery-fileupload-rails (0.4.5)
      actionpack (>= 3.1)
      railties (>= 3.1)
-    jquery-rails (3.1.2)
-      railties (>= 3.0, < 5.0)
+      sass (>= 3.2)
+    jquery-rails (4.0.4)
+      rails-dom-testing (~> 1.0)
+      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
-    json (1.8.1)
-    kgio (2.9.2)
+    json (1.8.3)
+    kgio (2.9.3)
    launchy (2.4.3)
      addressable (~> 2.3)
-    libv8 (3.16.14.7)
-    listen (2.8.4)
-      celluloid (>= 0.15.2)
+    libv8 (3.16.14.8)
+    listen (3.0.1)
      rb-fsevent (>= 0.9.3)
      rb-inotify (>= 0.9)
+    loofah (2.0.2)
+      nokogiri (>= 1.5.9)
    lumberjack (1.0.9)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mailcatcher (0.5.12)
-      activesupport (~> 3.0)
-      eventmachine (~> 1.0.0)
-      haml (>= 3.1, < 5)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mailcatcher (0.6.1)
+      activesupport (>= 4.0.0, < 5)
+      eventmachine (~> 1.0.0, <= 1.0.5)
      mail (~> 2.3)
      sinatra (~> 1.2)
      skinny (~> 0.2.3)
      sqlite3 (~> 1.3)
      thin (~> 1.5.0)
    method_source (0.8.2)
-    mime-types (1.25.1)
-    mini_portile (0.5.3)
-    multi_json (1.11.0)
-    multi_test (0.1.1)
-    mysql2 (0.3.17)
-    nenv (0.1.1)
-    nokogiri (1.6.1)
-      mini_portile (~> 0.5.0)
-    poltergeist (1.5.1)
+    mime-types (2.6.1)
+    mini_portile (0.6.2)
+    minitest (5.7.0)
+    multi_json (1.11.1)
+    multi_test (0.1.2)
+    mysql2 (0.3.18)
+    nenv (0.2.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    notiffany (0.0.6)
+      nenv (~> 0.1)
+      shellany (~> 0.0)
+    poltergeist (1.6.0)
      capybara (~> 2.1)
      cliver (~> 0.3.1)
      multi_json (~> 1.0)
      websocket-driver (>= 0.2.0)
-    polyglot (0.3.5)
    powder (0.3.0)
      thor (>= 0.11.5)
+    power_assert (0.2.3)
    pry (0.10.1)
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
-    pry-rails (0.3.3)
+    pry-rails (0.3.4)
      pry (>= 0.9.10)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
+    rack (1.6.4)
    rack-livereload (0.3.15)
      rack
    rack-protection (1.5.3)
      rack
-    rack-ssl (1.3.4)
-      rack
-    rack-test (0.6.2)
+    rack-test (0.6.3)
      rack (>= 1.0)
-    rails (3.2.21)
-      actionmailer (= 3.2.21)
-      actionpack (= 3.2.21)
-      activerecord (= 3.2.21)
-      activeresource (= 3.2.21)
-      activesupport (= 3.2.21)
-      bundler (~> 1.0)
-      railties (= 3.2.21)
-    railties (3.2.21)
-      actionpack (= 3.2.21)
-      activesupport (= 3.2.21)
-      rack-ssl (~> 1.3.2)
+    rails (4.2.2)
+      actionmailer (= 4.2.2)
+      actionpack (= 4.2.2)
+      actionview (= 4.2.2)
+      activejob (= 4.2.2)
+      activemodel (= 4.2.2)
+      activerecord (= 4.2.2)
+      activesupport (= 4.2.2)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.2)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    railties (4.2.2)
+      actionpack (= 4.2.2)
+      activesupport (= 4.2.2)
      rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
-    raindrops (0.13.0)
+      thor (>= 0.18.1, < 2.0)
+    raindrops (0.14.0)
    rake (10.4.2)
-    rb-fsevent (0.9.4)
+    rb-fsevent (0.9.5)
    rb-inotify (0.9.5)
      ffi (>= 0.5.0)
-    rdoc (3.12.2)
-      json (~> 1.4)
    ref (1.0.5)
    rspec (2.14.1)
      rspec-core (~> 2.14.0)
      rspec-expectations (~> 2.14.0)
      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.0)
+    rspec-core (2.14.8)
    rspec-expectations (2.14.5)
      diff-lcs (>= 1.1.3, < 2.0)
    rspec-mocks (2.14.6)
@@ -239,35 +255,41 @@ GEM
    ruby2ruby (2.1.4)
      ruby_parser (~> 3.1)
      sexp_processor (~> 4.0)
-    ruby_parser (3.6.6)
+    ruby_parser (3.7.0)
      sexp_processor (~> 4.1)
-    sass (3.4.14)
-    sass-rails (3.2.6)
-      railties (~> 3.2.0)
-      sass (>= 3.1.10)
-      tilt (~> 1.3)
+    sass (3.4.15)
+    sass-rails (5.0.3)
+      railties (>= 4.0.0, < 5.0)
+      sass (~> 3.1)
+      sprockets (>= 2.8, < 4.0)
+      sprockets-rails (>= 2.0, < 4.0)
+      tilt (~> 1.1)
    sexp_processor (4.6.0)
-    simplecov (0.9.1)
+    shellany (0.0.1)
+    simplecov (0.10.0)
      docile (~> 1.1.0)
-      multi_json (~> 1.0)
-      simplecov-html (~> 0.8.0)
-    simplecov-html (0.8.0)
-    sinatra (1.4.5)
+      json (~> 1.8)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    sinatra (1.4.6)
      rack (~> 1.4)
      rack-protection (~> 1.4)
-      tilt (~> 1.3, >= 1.3.4)
+      tilt (>= 1.3, < 3)
    skinny (0.2.3)
      eventmachine (~> 1.0.0)
      thin (~> 1.5.0)
    slop (3.6.0)
-    sprockets (2.2.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
+    sprockets (3.2.0)
      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.3.2)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
    sqlite3 (1.3.10)
-    terminal-table (1.4.5)
-    therubyracer (0.12.1)
+    terminal-table (1.5.2)
+    test-unit (3.1.2)
+      power_assert
+    therubyracer (0.12.2)
      libv8 (~> 3.16.14.0)
      ref
    thin (1.5.1)
@@ -275,26 +297,25 @@ GEM
      eventmachine (>= 0.12.6)
      rack (>= 1.0.0)
    thor (0.19.1)
+    thread_safe (0.3.5)
    tilt (1.4.1)
-    timers (4.0.1)
-      hitimes
    travis-lint (2.0.0)
      json
-    treetop (1.4.15)
-      polyglot
-      polyglot (>= 0.3.1)
-    trollop (2.0)
-    tzinfo (0.3.42)
-    uglifier (2.6.0)
+    trollop (2.1.2)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.1)
      execjs (>= 0.3.0)
      json (>= 1.8.0)
-    unicorn (4.8.3)
+    unicorn (4.9.0)
      kgio (~> 2.6)
      rack
      raindrops (~> 0.7)
-    websocket-driver (0.5.1)
+    websocket-driver (0.5.4)
      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.1)
+    websocket-extensions (0.1.2)
    xpath (2.0.0)
      nokogiri (~> 1.3)

@@ -322,6 +343,7 @@ DEPENDENCIES
  jquery-fileupload-rails
  jquery-rails
  launchy
+  libv8 (= 3.16.14.8)
  mailcatcher
  mysql2
  poltergeist
@@ -329,13 +351,18 @@ DEPENDENCIES
  pry
  pry-rails
  rack-livereload
-  rails (= 3.2.21)
+  rails (= 4.2.2)
  rb-fsevent
  rspec-rails (= 2.14.2)
  sass-rails
  simplecov
  sqlite3
+  test-unit
  therubyracer
  travis-lint
+  turbolinks
  uglifier
  unicorn
+
+BUNDLED WITH
+   1.10.5
@@ -1,42 +1,49 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)

-RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.

 ## Getting Started

 To begin, install the Ruby Version Manager (RVM):

-```
+```bash
 $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2
 ```

 After installing the package, clone this repo:

-```
+```bash
 $ git clone git@github.com:OWASP/railsgoat.git
 ```

-Navigate into the directory and install the dependencies:
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches 

+```bash
+$ cd railsgoat
+$ git checkout rails_3_2
 ```
+
+Navigate into the directory (already there if you followed the previous step) and install the dependencies:
+
+```bash
 $ bundle install
 ```

 If you receive an error, make sure you have `bundler` installed:

-```
+```bash
 $ gem install bundler
 ```

 Initialize the database:

-```
+```bash
 $ rake db:setup
 ```

 Start the Thin web server:

-```
+```bash
 $ rails server
 ```

@@ -12,9 +12,11 @@
 //
 //= require jquery
 //= require jquery_ujs
+//= require turbolinks
 //= require wysiwyg/wysihtml5-0.3.0.js
 //= require jquery.min.js
 //= require jquery.scrollUp.js
+//= require bootstrap.js
 //= require wysiwyg/bootstrap-wysihtml5.js
 //= require bootstrap-colorpicker.js
 //= require date-picker/date.js
@@ -1,5 +1,5 @@
 class AdminController < ApplicationController
-  before_filter :administrative, :if => :admin_param, :except => [:get_user]
+  before_action :administrative, :if => :admin_param, :except => [:get_user]
  skip_before_filter :has_info

  def dashboard
@@ -1,9 +1,11 @@
 class ApplicationController < ActionController::Base
-  before_filter :authenticated, :has_info, :create_analytic, :mailer_options
+  before_action :authenticated, :has_info, :create_analytic, :mailer_options
  helper_method :current_user, :is_admin?, :sanitize_font

  # Our security guy keep talking about sea-surfing, cool story bro.
-  # protect_from_forgery
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  #protect_from_forgery with: :exception

  private

@@ -33,4 +33,10 @@ class MessagesController < ApplicationController
      end
    end
  end
+
+  private
+
+  def message_params
+    params.require(:message).permit(:creator_id, :message, :read, :receiver_id)
+  end
 end
@@ -4,7 +4,7 @@ class ScheduleController < ApplicationController
    message = false

      if params[:schedule][:event_type] == "pto"
-        sched = Schedule.new(params[:schedule])
+        sched = Schedule.new(schedule_params)
        sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1])
        sched.user_id = current_user.user_id
        a = sched.date_end
@@ -56,4 +56,10 @@ class ScheduleController < ApplicationController
   end
     return vals
  end
+
+  private
+
+  def schedule_params
+    params.require(:schedule).permit(:date_begin, :date_end, :event_desc, :event_name, :event_type)
+  end
 end
@@ -7,7 +7,7 @@ class UsersController < ApplicationController
  end

  def create
-    user = User.new(params[:user])
+    user = User.new(user_params)
    user.build_benefits_data
    if user.save
      session[:user_id] = user.user_id
@@ -31,11 +31,12 @@ class UsersController < ApplicationController
    # Still an Insecure DoR vulnerability
    #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])

-    user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+    # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
+    user = User.where("user_id = '#{params[:user][:user_id]}'").first
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
-      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      user.update_attributes(user_params_without_password)
      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
        user.skip_hash_password = false
        user.password = params[:user][:password]
@@ -50,4 +51,15 @@ class UsersController < ApplicationController
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
+
+  private
+
+  def user_params
+    params.require(:user).permit!
+  end
+
+  # unpermitted attributes are ignored in production
+  def user_params_without_password
+    params.require(:user).permit(:email, :admin, :first_name, :last_name)
+  end
 end
@@ -1,6 +1,4 @@
 class Analytics < ActiveRecord::Base
-  attr_accessible :ip_address, :referrer, :user_agent
-
  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}

  def self.count_by_col(col)
@@ -1,5 +1,4 @@
 class Benefits < ActiveRecord::Base
-  attr_accessor :backup

  def self.save(file, backup=false)
    data_path = Rails.root.join("public", "data")
@@ -1,5 +1,4 @@
 class KeyManagement < ActiveRecord::Base
-  attr_accessible :iv, :user_id
  belongs_to :work_info
  belongs_to :user
 end
@@ -1,6 +1,5 @@
 class Message < ActiveRecord::Base
  belongs_to :user
-  attr_accessible :creator_id, :message, :read, :receiver_id
  validates_presence_of :creator_id, :receiver_id, :message

  def creator_name
@@ -1,5 +1,4 @@
 class PaidTimeOff < ActiveRecord::Base
-  attr_accessible :pto_earned, :pto_taken, :sick_days_earned, :sick_days_taken
  belongs_to :user
  has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy

@@ -1,7 +1,4 @@
 class Pay < ActiveRecord::Base
-  # mass-assignable attributes
-  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
-
  # Associations
  belongs_to :user

@@ -1,5 +1,4 @@
 class Performance < ActiveRecord::Base
-  attr_accessible :comments, :date_submitted, :reviewer, :score
  belongs_to :user

  def reviewer_name
@@ -1,4 +1,3 @@
 class Retirement < ActiveRecord::Base
-  attr_accessible :employee_contrib, :employer_contrib, :total
  belongs_to :user
 end
@@ -1,5 +1,4 @@
 class Schedule < ActiveRecord::Base
-  attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type
  belongs_to :paid_time_off

  validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
@@ -1,7 +1,6 @@
 require 'encryption'

 class User < ActiveRecord::Base
-  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
                       :length => {:within => 6..40},
@@ -1,5 +1,4 @@
 class WorkInfo < ActiveRecord::Base
-  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
  belongs_to :user
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
@@ -2,8 +2,8 @@
 <html>
 <head>
  <title>RailsGoat</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
-  <%= javascript_include_tag "application" %>
+  <%= stylesheet_link_tag    "application", media: "all", "data-turbolinks-track" => true %>
+  <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
  <%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
  <!-- bootstrap css -->
 <%
@@ -1,4 +1,5 @@
 <% flash.each do |name, msg| %>
+  <% name = name.to_sym %>
  <% if name == :error %>
    <div class="alert alert-error">
      <a class="close" data-dismiss="alert" href="#">×</a>
@@ -1,4 +1,4 @@
 # This file is used by Rack-based servers to start the application.

 require ::File.expand_path('../config/environment',  __FILE__)
-run Railsgoat::Application
+run Rails.application
@@ -2,12 +2,9 @@ require File.expand_path('../boot', __FILE__)

 require 'rails/all'

-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test mysql)))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(:default, Rails.env)

 module Railsgoat
  class Application < Rails::Application
@@ -47,12 +44,6 @@ module Railsgoat
    # like if you have constraints or database-specific column types
    # config.active_record.schema_format = :sql

-    # Enforce whitelist mode for mass assignment.
-    # This will create an empty whitelist of attributes available for mass-assignment for all models
-    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
-    # parameters by using an attr_accessible or attr_protected declaration.
-    config.active_record.whitelist_attributes = false
-
    # Enable the asset pipeline
    config.assets.enabled = true
    
@@ -1,5 +1,3 @@
-require 'rubygems'
-
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)

@@ -1,5 +1,5 @@
-# Load the rails application
+# Load the Rails application.
 require File.expand_path('../application', __FILE__)

-# Initialize the rails application
+# Initialize the Rails application.
 Railsgoat::Application.initialize!
@@ -6,9 +6,6 @@ Railsgoat::Application.configure do
  # since you don't have to restart the web server when you make code changes.
  config.cache_classes = false

-  # Log error messages when you accidentally call methods on nil.
-  config.whiny_nils = true
-
  # Show full error reports and disable caching
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
@@ -22,13 +19,6 @@ Railsgoat::Application.configure do
  # Only use best-standards-support built into browsers
  config.action_dispatch.best_standards_support = :builtin

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  config.active_record.auto_explain_threshold_in_seconds = 0.5
-
  # Tired of caching causing issues
  config.middleware.delete Rack::ETag

@@ -51,4 +41,10 @@ Railsgoat::Application.configure do
 #      :host => 'railsgoat.dev',
 #      :ignore => [ %r{dont/modify\.html$} ]
 # )
+
+  # For Rails 4.0+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 end
@@ -6,9 +6,6 @@ Railsgoat::Application.configure do
  # since you don't have to restart the web server when you make code changes.
  config.cache_classes = false

-  # Log error messages when you accidentally call methods on nil.
-  config.whiny_nils = true
-
  # Show full error reports and disable caching
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false
@@ -22,13 +19,6 @@ Railsgoat::Application.configure do
  # Only use best-standards-support built into browsers
  config.action_dispatch.best_standards_support = :builtin

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  config.active_record.auto_explain_threshold_in_seconds = 0.5
-  
  # Tired of caching causing issues
  config.middleware.delete Rack::ETag

@@ -1,37 +1,50 @@
 Railsgoat::Application.configure do
  # Settings specified here will take precedence over those in config/application.rb

-  # Code is not reloaded between requests
+  # Code is not reloaded between requests.
  config.cache_classes = true

-  # Full error reports are disabled and caching is turned on
+  # Full error reports are disabled and caching is turned on.
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

-  # Disable Rails's static asset server (Apache or nginx will already do this)
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching
+  # reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
  config.serve_static_assets = false

  # Compress JavaScripts and CSS
  config.assets.compress = true

-  # Don't fallback to assets pipeline if a precompiled asset is missed
-  config.assets.compile = true
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = :uglifier
+  # config.assets.css_compressor = :sass

-  # Generate digests for assets URLs
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = true # default is false
+
+  # Generate digests for assets URLs.
  config.assets.digest = true

+  # For Rails 4.0+: Version of your assets, change this if you want to expire all your assets.
+  config.assets.version = '1.0'
+
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH

-  # Specifies the header that your server uses for sending files
+  # Specifies the header that your server uses for sending files.
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true

-  # See everything in the log (default is :info)
-  # config.log_level = :debug
+  # Set to :debug to see everything in the log.
+  config.log_level = :info

  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
@@ -55,13 +68,41 @@ Railsgoat::Application.configure do
  # config.threadsafe!

  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
-  # the I18n.default_locale when a translation can not be found)
+  # the I18n.default_locale when a translation can not be found).
  config.i18n.fallbacks = true

-  # Send deprecation notices to registered listeners
+  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  # config.active_record.auto_explain_threshold_in_seconds = 0.5
+  # For Rails 4.0+: Eager load code on boot. This eager loads most of
+  # Rails and your application in memory, allowing both thread web
+  # servers and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # For Rails 4.0+: Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets.
+  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+  # config.assets.precompile += %w( search.js )
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
 end
@@ -7,18 +7,15 @@ Railsgoat::Application.configure do
  # and recreated between test runs. Don't rely on the data there!
  config.cache_classes = true

-  # Configure static asset server for tests with Cache-Control for performance
+  # Configure static asset server for tests with Cache-Control for performance.
  config.serve_static_assets = true
  config.static_cache_control = "public, max-age=3600"

-  # Log error messages when you accidentally call methods on nil
-  config.whiny_nils = true
-
-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false

-  # Raise exceptions instead of rendering exception templates
+  # Raise exceptions instead of rendering exception templates.
  config.action_dispatch.show_exceptions = false

  # Disable request forgery protection in test environment
@@ -29,9 +26,12 @@ Railsgoat::Application.configure do
  # ActionMailer::Base.deliveries array.
  config.action_mailer.delivery_method = :test

-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Print deprecation notices to the stderr
+  # Print deprecation notices to the stderr.
  config.active_support.deprecation = :stderr
+
+  # For Rails 4.0+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 end
@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]
@@ -1,15 +1,16 @@
 # Be sure to restart your server when you modify this file.

-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.plural /^(ox)$/i, '\1en'
 #   inflect.singular /^(ox)en/i, '\1'
 #   inflect.irregular 'person', 'people'
 #   inflect.uncountable %w( fish sheep )
 # end
-#
+
 # These inflection rules are supported but not enabled by default:
-# ActiveSupport::Inflector.inflections do |inflect|
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.acronym 'RESTful'
 # end
@@ -5,3 +5,4 @@
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
 Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
+Railsgoat::Application.config.secret_key_base = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4'
@@ -1,8 +1,3 @@
 # Be sure to restart your server when you modify this file.

 Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
-
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-# Railsgoat::Application.config.session_store :active_record_store
@@ -0,0 +1 @@
+ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)
@@ -5,7 +5,7 @@

 # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
 ActiveSupport.on_load(:action_controller) do
-  wrap_parameters format: [:json]
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
 end

 # Disable root element in JSON by default.
@@ -1,5 +1,23 @@
-# Sample localization file for English. Add more files in this directory for other locales.
-# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.

 en:
  hello: "Hello world"
@@ -3,7 +3,7 @@ Railsgoat::Application.routes.draw do
  get "login" => "sessions#new"
  get "signup" => "users#new"
  get "logout" => "sessions#destroy"
-  match "forgot_password" => "password_resets#forgot_password"
+  get "forgot_password" => "password_resets#forgot_password"
  get "password_resets" => "password_resets#confirm_token"
  post "password_resets" => "password_resets#reset_password"
  get "dashboard/doc" => "dashboard#doc"
@@ -63,7 +63,7 @@ Railsgoat::Application.routes.draw do
    get "dashboard"
    get "get_user"
    post "delete_user"
-    put "update_user"
+    patch "update_user"
    get "get_all_users"
    get "analytics"
  end
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20140804171756) do
+ActiveRecord::Schema.define(:version => 20140408185601) do

  create_table "analytics", :force => true do |t|
    t.string   "ip_address"
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The page you were looking for doesn't exist (404)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
  div.dialog {
    width: 25em;
-      padding: 0 4em;
    margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
  </style>
 </head>

@@ -22,5 +53,6 @@
    <h1>The page you were looking for doesn't exist.</h1>
    <p>You may have mistyped the address or the page may have moved.</p>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>The change you wanted was rejected (422)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
  div.dialog {
    width: 25em;
-      padding: 0 4em;
    margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
  </style>
 </head>

@@ -22,5 +53,6 @@
    <h1>The change you wanted was rejected.</h1>
    <p>Maybe you tried to change something you didn't have access to.</p>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -2,17 +2,48 @@
 <html>
 <head>
  <title>We're sorry, but something went wrong (500)</title>
-  <style type="text/css">
-    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+  }
+
  div.dialog {
    width: 25em;
-      padding: 0 4em;
    margin: 4em auto 0 auto;
-      border: 1px solid #ccc;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 4em 0 4em;
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  body > p {
+    width: 33em;
+    margin: 0 auto 1em;
+    padding: 1em 0;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
    border-right-color: #999;
    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
  }
-    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
  </style>
 </head>

@@ -21,5 +52,6 @@
  <div class="dialog">
    <h1>We're sorry, but something went wrong.</h1>
  </div>
+  <p>If you are the application owner check the logs for more information.</p>
 </body>
 </html>
@@ -1,5 +1,5 @@
 # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
 #
 # To ban all spiders from the entire site uncomment the next two lines:
-# User-Agent: *
+# User-agent: *
 # Disallow: /
@@ -20,9 +20,10 @@ feature 'xss' do
    click_on 'Submit'
    
    sleep(1)
-    visit '/'
    
-    pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' }
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    
+    pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
    
    # might be nice to demonstrate posting cookie contents or somesuch, but
    # this at least shows the vulnerability still exists.
@@ -1,4 +1,4 @@
-ENV["RAILS_ENV"] = "test"
+ENV["RAILS_ENV"] ||= "test"

 # To use simplecov, do this: COVERAGE=true rake
 require 'simplecov'
@@ -8,6 +8,8 @@ require File.expand_path('../../config/environment', __FILE__)
 require 'rails/test_help'

 class ActiveSupport::TestCase
+  # Maybe for Rails 4.0: ActiveRecord::Migration.check_pending!
+
  # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
  #
  # Note: You'll currently still have to declare fixtures explicitly in integration tests
@@ -1 +1 @@
 .1.5
 .2.2
				`@@ -0,0 +1 @@`
				`ActiveRecord::Base.send(:include, ActiveModel::ForbiddenAttributesProtection)`