diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb
index 9a0ebe9..5838f92 100644
--- a/spec/support/capybara_shared.rb
+++ b/spec/support/capybara_shared.rb
@@ -26,7 +26,7 @@ def verifying_fixed?
 **NOTE: The RSpec pending feature is used to toggle the outcome of these specs
 between Training mode and RailsGoat Maintainer mode. When the vulnerabilities
- are removed, the specs will not "pass," but rather go into a "pending" state.
+ are removed, the specs will pass instead. Try to get a fully passing suite.
 ******************************************************************************
 NOTICE
diff --git a/spec/vulnerabilities/broken_auth_spec.rb b/spec/vulnerabilities/broken_auth_spec.rb
index 65b4775..8a1f347 100644
--- a/spec/vulnerabilities/broken_auth_spec.rb
+++ b/spec/vulnerabilities/broken_auth_spec.rb
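Review bot: The rewritten sentence `are removed, the specs will pass instead.` drops the condition under which that happens: with the `pending unless verifying_fixed?` guard used by the vulnerability specs in this same diff, every example stays pending regardless of whether the vulnerability is fixed until the run enables `verifying_fixed?`, so a reader who only fixes the code will still see pending specs and may conclude the fix is wrong. Suggest `are removed, run the suite in Maintainer mode and the specs will pass.` or similar wording that names the toggle, provided the way to enable it is described elsewhere in this notice, which lies outside the hunk.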
@@ -13,28 +13,28 @@ feature "broken_auth" do
 scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
 wrong_email = normal_user.email + "not"
- visit '/'
- within('.signup') do
- fill_in 'email', with: wrong_email
- fill_in 'password', with: normal_user.clear_password
+ visit "/"
+ within(".signup") do
+ fill_in "email", with: wrong_email
+ fill_in "password", with: normal_user.clear_password
 end
 within(".actions") do
 click_on "Login"
 end
- expect(find('div#flash_notice').text).not_to include(wrong_email)
+ expect(find("div#flash_notice").text).not_to include(wrong_email)
 end
 scenario "two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
- visit '/'
- within('.signup') do
- fill_in 'email', with: normal_user.email
- fill_in 'password', with: normal_user.clear_password + 'not'
+ visit "/"
+ within(".signup") do
+ fill_in "email", with: normal_user.email
+ fill_in "password", with: normal_user.clear_password + "not"
 end
 within(".actions") do
 click_on "Login"
 end
- expect(find('div#flash_notice').text).not_to include('Incorrect Password!')
+ expect(find("div#flash_notice").text).not_to include("Incorrect Password!")
 end
 end
diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb
index 1249cd3..a2a99ce 100644
--- a/spec/vulnerabilities/command_injection_spec.rb
+++ b/spec/vulnerabilities/command_injection_spec.rb
@@ -22,11 +22,11 @@ feature "command injection" do
 File.open(hackety_file, "w") { |f| f.print "mwahaha" }
 within(".new_benefits") do
 attach_file "benefits_upload", hackety_file
- find(:xpath, "//input[@id='benefits_backup']", visible: false).set 'true'
+ find(:xpath, "//input[@id='benefits_backup']", visible: false).set "true"
 end
 click_on "Start Upload"
 end
- expect(File.exists?(legit_file)).to be_truthy
+ expect(File.exist?(legit_file)).to be_truthy
 end
 end
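Review bot: Scenario two's assertion `expect(find("div#flash_notice").text).not_to include("Incorrect Password!")` rules out a single literal, so a fix that merely reworded the message (say to "Wrong password") while still differing from the unknown-email response would pass even though credential enumeration remains possible. The property this spec is after is that the wrong-email and wrong-password attempts are indistinguishable, so a stronger check records the flash text after the wrong-email login and requires the wrong-password attempt to produce the identical text, e.g. `expect(find("div#flash_notice").text).to eq(bad_email_notice)` with `bad_email_notice` captured earlier in the same example. Scenario one's `not_to include(wrong_email)` is still worth keeping as a guard against echoing the submitted address. The `normal_user` fixture and its `clear_password` come from outside this hunk, so I am assuming it is the plaintext credential.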
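Review bot: The final assertion `expect(File.exist?(legit_file)).to be_truthy` is also satisfied by a `legit_file` left behind by an earlier run, because nothing in this hunk removes it before the upload; unless the setup above (outside the hunk) already does so, add `File.delete(legit_file) if File.exist?(legit_file)` before `click_on "Start Upload"` so the example can only pass when this upload produced the file. The scratch file written by `File.open(hackety_file, "w")` is likewise never removed here, so an `after` block or `ensure` that deletes both paths would keep stale files from influencing later examples. Whether `legit_file` lives under a per-run temporary directory is not visible from this hunk.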
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 018aace..476f280 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -10,15 +10,15 @@ feature "insecure direct object reference" do
 pending unless verifying_fixed?
 end
- scenario 'attack one' do
+ scenario "attack one" do
 login(normal_user)
 visit "/users/#{normal_user.user_id}/benefit_forms"
- download_url = first('.widget-body a')[:href]
- visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
+ download_url = first(".widget-body a")[:href]
+ visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 expect(page.status_code).not_to eq(200)
- expect(page.response_headers['Content-Disposition']).not_to include('database.yml')
+ expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
@@ -26,7 +26,7 @@ feature "insecure direct object reference" do
 visit "/users/#{another_user.user_id}/work_info"
- expect(first('td').text).not_to include(another_user.name)
- expect(first('td').text).to include(normal_user.name)
+ expect(first("td").text).not_to include(another_user.name)
+ expect(first("td").text).to include(normal_user.name)
 end
 end
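Review bot: `download_url.sub(/name=(.*?)&/, "name=config/database.yml&")` only rewrites the `name` parameter when another parameter follows it; if `name` is the last or only query parameter the regex does not match, `sub` returns the URL unchanged, and the example then fails on `not_to eq(200)` because a legitimate download succeeded, not because the traversal was blocked. `download_url.sub(/name=[^&]*/, "name=config/database.yml")` handles both positions and drops the unused capture group. The query layout of that link is produced by the benefit_forms view, which is outside this diff, so confirm the shape there before relying on either pattern.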
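Review bot: In the second hunk, `expect(first("td").text).to include(normal_user.name)` pins the example to one remediation, silently rendering the logged-in user's work_info, so a fix that denies the request outright (a non-200 status, which attack one above explicitly accepts via `page.status_code`) would fail this spec even though it closes the IDOR. Consider keeping only the negative assertion and widening it to the whole response, `expect(page.body).not_to include(another_user.name)`, since `first("td")` inspects a single cell and another user's data elsewhere on the page would go unnoticed. The scenario's `login` and `visit` setup begins above line 26 and is outside this hunk.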