From 692fb99e51a5771028129e6ff5e22f98ed2f97b9 Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 13:55:03 -0600
Subject: [PATCH 1/9] upgrade(rails 5): add application record

---
 app/models/analytics.rb | 2 +-
 app/models/application_record.rb | 3 +++
 app/models/benefits.rb | 2 +-
 app/models/key_management.rb | 2 +-
 app/models/message.rb | 2 +-
 app/models/paid_time_off.rb | 2 +-
 app/models/pay.rb | 2 +-
 app/models/performance.rb | 2 +-
 app/models/retirement.rb | 2 +-
 app/models/schedule.rb | 2 +-
 app/models/user.rb | 2 +-
 app/models/work_info.rb | 2 +-
 12 files changed, 14 insertions(+), 11 deletions(-)
 create mode 100644 app/models/application_record.rb

diff --git a/app/models/analytics.rb b/app/models/analytics.rb
index d84e777..cb33f7b 100644
--- a/app/models/analytics.rb
+++ b/app/models/analytics.rb
@@ -1,4 +1,4 @@
-class Analytics < ActiveRecord::Base
+class Analytics < ApplicationRecord
   scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
 
   def self.count_by_col(col)
diff --git a/app/models/application_record.rb b/app/models/application_record.rb
new file mode 100644
index 0000000..10a4cba
--- /dev/null
+++ b/app/models/application_record.rb
@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end
diff --git a/app/models/benefits.rb b/app/models/benefits.rb
index 0d9caa9..10a38fd 100644
--- a/app/models/benefits.rb
+++ b/app/models/benefits.rb
@@ -1,4 +1,4 @@
-class Benefits < ActiveRecord::Base
+class Benefits < ApplicationRecord
 
   def self.save(file, backup=false)
     data_path = Rails.root.join("public", "data")
diff --git a/app/models/key_management.rb b/app/models/key_management.rb
index 7188efa..054d335 100644
--- a/app/models/key_management.rb
+++ b/app/models/key_management.rb
@@ -1,4 +1,4 @@
-class KeyManagement < ActiveRecord::Base
+class KeyManagement < ApplicationRecord
   belongs_to :work_info
   belongs_to :user
 end
diff --git a/app/models/message.rb b/app/models/message.rb
index 7de4c26..07dc5fd 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -1,4 +1,4 @@
-class Message < ActiveRecord::Base
+class Message < ApplicationRecord
   belongs_to :user
   validates_presence_of :creator_id, :receiver_id, :message
 
diff --git a/app/models/paid_time_off.rb b/app/models/paid_time_off.rb
index c398f77..d576733 100644
--- a/app/models/paid_time_off.rb
+++ b/app/models/paid_time_off.rb
@@ -1,4 +1,4 @@
-class PaidTimeOff < ActiveRecord::Base
+class PaidTimeOff < ApplicationRecord
   belongs_to :user
   has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 
diff --git a/app/models/pay.rb b/app/models/pay.rb
index 7a35563..a2447db 100644
--- a/app/models/pay.rb
+++ b/app/models/pay.rb
@@ -1,4 +1,4 @@
-class Pay < ActiveRecord::Base
+class Pay < ApplicationRecord
 
   # Associations
   belongs_to :user
diff --git a/app/models/performance.rb b/app/models/performance.rb
index 5dfad88..fe746db 100644
--- a/app/models/performance.rb
+++ b/app/models/performance.rb
@@ -1,4 +1,4 @@
-class Performance < ActiveRecord::Base
+class Performance < ApplicationRecord
   belongs_to :user
 
   def reviewer_name
diff --git a/app/models/retirement.rb b/app/models/retirement.rb
index c3c981c..e1d7d19 100644
--- a/app/models/retirement.rb
+++ b/app/models/retirement.rb
@@ -1,3 +1,3 @@
-class Retirement < ActiveRecord::Base
+class Retirement < ApplicationRecord
   belongs_to :user
 end
diff --git a/app/models/schedule.rb b/app/models/schedule.rb
index 6692c27..65bff12 100644
--- a/app/models/schedule.rb
+++ b/app/models/schedule.rb
@@ -1,4 +1,4 @@
-class Schedule < ActiveRecord::Base
+class Schedule < ApplicationRecord
   belongs_to :paid_time_off
   validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 91bf8a5..38eeb2e 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,6 @@
 require 'encryption'
 
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   validates :password, :presence => true, :confirmation => true,
             :length => {:within => 6..40},
 
diff --git a/app/models/work_info.rb b/app/models/work_info.rb
index 9484803..ce098ce 100644
--- a/app/models/work_info.rb
+++ b/app/models/work_info.rb
@@ -1,4 +1,4 @@
-class WorkInfo < ActiveRecord::Base
+class WorkInfo < ApplicationRecord
   belongs_to :user
   has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
   #before_save :encrypt_ssn

From 9281b19fd5e432ab93d6b67f6ab3e6c4c63e704d Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 13:55:23 -0600
Subject: [PATCH 2/9] upgrade(rails 5): upgrade gem version for Rails 5

---
 Gemfile | 9 ++--
 Gemfile.lock | 139 ++++++++++++++++++++++-----------------------------
 2 files changed, 64 insertions(+), 84 deletions(-)

diff --git a/Gemfile b/Gemfile
index 0e1a973..fafe455 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 
 #don't upgrade
-gem 'rails', '4.2.7.1'
+gem 'rails', '5.0.1'
 
 ruby '2.3.3'
 
@@ -53,7 +53,7 @@ gem 'sass-rails'
 gem 'coffee-rails'
 gem 'jquery-fileupload-rails'
 gem 'uglifier'
-gem 'turbolinks' # New for Rails 4.0
+gem 'turbolinks'
 
 # See https://github.com/sstephenson/execjs#readme for more supported runtimes
 # gem 'therubyracer', :platforms => :ruby
@@ -87,11 +87,12 @@ gem 'execjs'
 gem 'therubyracer'
 
 # Add SMTP server support using MailCatcher
-gem 'mailcatcher'
+# NOTE: https://github.com/sj26/mailcatcher#bundler
+# gem 'mailcatcher'
 
 #For Rails 4.0
 #group :doc do
-#  # bundle exec rake doc:rails generates the API under doc/api.
+#  # bundle exec rails doc:rails generates the API under doc/api.
 #  gem 'sdoc', require: false
 #end
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 7cfff78..8e01d9c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,44 +1,46 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.7.1) - actionpack (= 4.2.7.1) - actionview (= 4.2.7.1) - activejob (= 4.2.7.1) + actioncable (5.0.1) + actionpack (= 5.0.1) + nio4r (~> 1.2) + websocket-driver (~> 0.6.1) + actionmailer (5.0.1) + actionpack (= 5.0.1) + actionview (= 5.0.1) + activejob (= 5.0.1) mail (~> 2.5, >= 2.5.4) - rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.7.1) - actionview (= 4.2.7.1) - activesupport (= 4.2.7.1) - rack (~> 1.6) - rack-test (~> 0.6.2) - rails-dom-testing (~> 1.0, >= 1.0.5) + rails-dom-testing (~> 2.0) + actionpack (5.0.1) + actionview (= 5.0.1) + activesupport (= 5.0.1) + rack (~> 2.0) + rack-test (~> 0.6.3) + rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.7.1) - activesupport (= 4.2.7.1) + actionview (5.0.1) + activesupport (= 5.0.1) builder (~> 3.1) erubis (~> 2.7.0) - rails-dom-testing (~> 1.0, >= 1.0.5) + rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.7.1) - activesupport (= 4.2.7.1) - globalid (>= 0.3.0) - activemodel (4.2.7.1) - activesupport (= 4.2.7.1) - builder (~> 3.1) - activerecord (4.2.7.1) - activemodel (= 4.2.7.1) - activesupport (= 4.2.7.1) - arel (~> 6.0) - activesupport (4.2.7.1) + activejob (5.0.1) + activesupport (= 5.0.1) + globalid (>= 0.3.6) + activemodel (5.0.1) + activesupport (= 5.0.1) + activerecord (5.0.1) + activemodel (= 5.0.1) + activesupport (= 5.0.1) + arel (~> 7.0) + activesupport (5.0.1) + concurrent-ruby (~> 1.0, >= 1.0.2) i18n (~> 0.7) - json (~> 1.7, >= 1.7.7) minitest (~> 5.1) - thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) addressable (2.5.0) public_suffix (~> 2.0, >= 2.0.2) - arel (6.0.3) + arel (7.1.4) aruba (0.14.2) childprocess (~> 0.5.6) contracts (~> 0.9) @@ -54,7 +56,7 @@ GEM binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) brakeman (3.4.1) - builder (3.2.2) + builder (3.2.3) bundler-audit (0.5.0) bundler (~> 1.2) thor (~> 0.18) 
@@ -76,7 +78,7 @@ GEM coffee-script-source execjs coffee-script-source (1.12.2) - concurrent-ruby (1.0.2) + concurrent-ruby (1.0.4) contracts (0.14.0) crack (0.3.1) cucumber (2.4.0) @@ -90,7 +92,6 @@ GEM cucumber-core (1.5.0) gherkin (~> 4.0) cucumber-wire (0.0.1) - daemons (1.2.4) database_cleaner (1.5.3) debug_inspector (0.0.2) diff-lcs (1.2.5) @@ -99,7 +100,7 @@ GEM eventmachine (>= 0.12.9) http_parser.rb (~> 0.6.0) erubis (2.7.0) - eventmachine (1.0.9.1) + eventmachine (1.2.1) execjs (2.7.0) ffi (1.9.14) foreman (0.82.0) @@ -143,7 +144,7 @@ GEM rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) - json (1.8.3) + json (2.0.3) kgio (2.11.0) launchy (2.4.3) addressable (~> 2.3) @@ -157,14 +158,6 @@ GEM lumberjack (1.0.10) mail (2.6.4) mime-types (>= 1.16, < 4) - mailcatcher (0.6.5) - eventmachine (= 1.0.9.1) - mail (~> 2.3) - rack (~> 1.5) - sinatra (~> 1.2) - skinny (~> 0.2.3) - sqlite3 (~> 1.3) - thin (~> 1.5.0) method_source (0.8.2) mime-types (3.1) mime-types-data (~> 3.2015) @@ -175,7 +168,8 @@ GEM multi_test (0.1.2) mysql2 (0.4.5) nenv (0.3.0) - nokogiri (1.6.8.1) + nio4r (1.2.1) + nokogiri (1.7.0.1) mini_portile2 (~> 2.1.0) notiffany (0.1.1) nenv (~> 0.1) 
@@ -194,35 +188,32 @@ GEM pry-rails (0.3.4) pry (>= 0.9.10) public_suffix (2.0.4) - rack (1.6.5) + rack (2.0.1) rack-livereload (0.3.16) rack - rack-protection (1.5.3) - rack rack-test (0.6.3) rack (>= 1.0) - rails (4.2.7.1) - actionmailer (= 4.2.7.1) - actionpack (= 4.2.7.1) - actionview (= 4.2.7.1) - activejob (= 4.2.7.1) - activemodel (= 4.2.7.1) - activerecord (= 4.2.7.1) - activesupport (= 4.2.7.1) + rails (5.0.1) + actioncable (= 5.0.1) + actionmailer (= 5.0.1) + actionpack (= 5.0.1) + actionview (= 5.0.1) + activejob (= 5.0.1) + activemodel (= 5.0.1) + activerecord (= 5.0.1) + activesupport (= 5.0.1) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.7.1) - sprockets-rails - rails-deprecated_sanitizer (1.0.3) - activesupport (>= 4.2.0.alpha) - rails-dom-testing (1.0.7) - activesupport (>= 4.2.0.beta, < 5.0) - nokogiri (~> 1.6.0) - rails-deprecated_sanitizer (>= 1.0.1) + railties (= 5.0.1) + sprockets-rails (>= 2.0.0) + rails-dom-testing (2.0.2) + activesupport (>= 4.2.0, < 6.0) + nokogiri (~> 1.6) rails-html-sanitizer (1.0.3) loofah (~> 2.0) - railties (4.2.7.1) - actionpack (= 4.2.7.1) - activesupport (= 4.2.7.1) + railties (5.0.1) + actionpack (= 5.0.1) + activesupport (= 5.0.1) + method_source rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.17.0) @@ -268,31 +259,20 @@ GEM json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.0) - sinatra (1.4.7) - rack (~> 1.5) - rack-protection (~> 1.4) - tilt (>= 1.3, < 3) - skinny (0.2.4) - eventmachine (~> 1.0.0) - thin (>= 1.5, < 1.7) slop (3.6.0) - sprockets (3.7.0) + sprockets (3.7.1) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.2.0) actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) - sqlite3 (1.3.12) + sqlite3 (1.3.13) test-unit (3.2.3) power_assert therubyracer (0.12.2) libv8 (~> 3.16.14.0) ref - thin (1.5.1) - daemons (>= 1.0.9) - eventmachine (>= 0.12.6) - rack (>= 1.0.0) thor (0.19.4) thread_safe (0.3.5) tilt (2.0.5) 
@@ -337,14 +317,13 @@ DEPENDENCIES
   jquery-fileupload-rails
   jquery-rails
   launchy
-  mailcatcher
   mysql2
   poltergeist
   powder
   pry
   pry-rails
   rack-livereload
-  rails (= 4.2.7.1)
+  rails (= 5.0.1)
   rake
   rb-fsevent
   responders
@@ -363,4 +342,4 @@ RUBY VERSION
    ruby 2.3.3p222
 
 BUNDLED WITH
-   1.13.6
+   1.13.7

From c310273606a483a9cdfd10d12da20c6b895a93fc Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 13:59:14 -0600
Subject: [PATCH 3/9] upgrade(rails 5): change before_filter to before_action

---
 app/controllers/admin_controller.rb | 2 +-
 app/controllers/api/v1/mobile_controller.rb | 4 ++--
 app/controllers/api/v1/users_controller.rb | 8 +++++---
 app/controllers/dashboard_controller.rb | 2 +-
 app/controllers/password_resets_controller.rb | 2 +-
 app/controllers/sessions_controller.rb | 4 ++--
 app/controllers/tutorials_controller.rb | 4 ++--
 app/controllers/users_controller.rb | 4 ++--
 8 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index a609bb6..7302965 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -1,6 +1,6 @@
 class AdminController < ApplicationController
   before_action :administrative, :if => :admin_param, :except => [:get_user]
-  skip_before_filter :has_info
+  skip_before_action :has_info
 
   def dashboard
   end
diff --git a/app/controllers/api/v1/mobile_controller.rb b/app/controllers/api/v1/mobile_controller.rb
index f4c01e3..e4aae15 100644
--- a/app/controllers/api/v1/mobile_controller.rb
+++ b/app/controllers/api/v1/mobile_controller.rb
@@ -1,6 +1,6 @@
 class Api::V1::MobileController < ApplicationController
-  skip_before_filter :authenticated
-  before_filter :mobile_request?
+  skip_before_action :authenticated
+  before_action :mobile_request?
 
   respond_to :json
 
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index d2dfa41..fc696cd 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -1,7 +1,7 @@
 class Api::V1::UsersController < ApplicationController
-  skip_before_filter :authenticated
-  before_filter :valid_api_token
-  before_filter :extrapolate_user
+  skip_before_action :authenticated
+  before_action :valid_api_token
+  before_action :extrapolate_user
 
   respond_to :json
 
@@ -22,6 +22,8 @@ class Api::V1::UsersController < ApplicationController
     end
   end
 
+  # TODO I don't believe returning from this method is a valid method
+  # of halting execution anymore.
   def identify_user(token="")
     # We've had issues with URL encoding, etc. causing issues so just to be safe
     # we will go ahead and unescape the user's token
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 685305e..cff7eb5 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -1,5 +1,5 @@
 class DashboardController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info
 
   def home
     @user = current_user
diff --git a/app/controllers/password_resets_controller.rb b/app/controllers/password_resets_controller.rb
index 98ebdab..959d828 100644
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@@ -1,5 +1,5 @@
 class PasswordResetsController < ApplicationController
-  skip_before_filter :authenticated
+  skip_before_action :authenticated
 
   def reset_password
     user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 8586df4..166724f 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :has_info
+  skip_before_action :authenticated, :only => [:new, :create]
 
   def new
     @url = params[:url]
diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb
index 76022e3..e4ff5cf 100755
--- a/app/controllers/tutorials_controller.rb
+++ b/app/controllers/tutorials_controller.rb
@@ -1,6 +1,6 @@
 class TutorialsController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated
+  skip_before_action :has_info
+  skip_before_action :authenticated
 
   def credentials
     render :partial => "layouts/tutorial/credentials/creds"
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 649bbb4..b4fc055 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :has_info
+  skip_before_action :authenticated, :only => [:new, :create]
 
   def new
     @user = User.new

From 54b8c291eacf7fbbbf492a7d8e84b71eefc2406b Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 13:59:40 -0600
Subject: [PATCH 4/9] upgrade(rails 5): no longer use rake to invoke rake tasks, use rails

though I left the case alone where the command would previously been just `bundle exec rake`, as doing the same doesn't work for rails.
---
 .travis.yml | 6 +++---
 README.md | 17 +++++++++--------
 Rakefile | 5 ++---
 config/application.rb | 2 +-
 config/database.yml | 2 +-
 config/environments/production.rb | 2 +-
 config/environments/test.rb | 4 ++--
 db/schema.rb | 1 -
 db/seeds.rb | 2 +-
 doc/README_FOR_APP | 2 +-
 script/start | 2 +-
 11 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index b89f6e6..867eeef 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,8 +11,8 @@ before_install:
   - "if [ $(phantomjs --version) != '2.1.1' ]; then tar -xvf ${PWD}/travis_phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2 -C ${PWD}/travis_phantomjs; fi"
   - "phantomjs --version"
 
-before_script: rake db:setup
-before_script: bundle exec rake db:setup
+before_script: rails db:setup
+before_script: bundle exec rails db:setup
 cache: bundler
 sudo: false
-env: RAILSGOAT_MAINTAINER=true
\ No newline at end of file
+env: RAILSGOAT_MAINTAINER=true
diff --git a/README.md b/README.md
index 10bb00a..c26bd7a 100755
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ $ gem install bundler
 Initialize the database:
 
 ```bash
-$ rake db:setup
+$ rails db:setup
 ```
 
 Start the Thin web server:
@@ -78,7 +78,7 @@ To run Railsgoat with Docker you must first have [Docker](https://docs.docker.co
 ```
 #~/code/railsgoat
 $ docker-compose build
-$ docker-compose run web rake db:setup
+$ docker-compose run web rails db:setup
 $ docker-compose up
 ...
 Creating railsgoat_web_1
@@ -103,16 +103,16 @@ In this case, remove that server.pid file and try again. Note also that this fil
 
 ## Capybara Tests
 
-RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following rake task:
+RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following task:
 
 ```
-$ rake training
+$ rails training
 ```
 
 To run just one spec:
 
 ```
-$ rake training SPEC=spec/vulnerabilities/sql_injection_spec.rb
+$ rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb
 ```
 
 NOTE: As vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`.
@@ -124,10 +124,10 @@ By default in development mode Railsgoat runs with a SQLite database. There is a
 
 ```
 #Create the MySQL database
-RAILS_ENV=mysql rake db:create
+RAILS_ENV=mysql rails db:create
 
 #Run the migrations against the database
-RAILS_ENV=mysql rake db:migrate
+RAILS_ENV=mysql rails db:migrate
 
 #Boot Rails using MySQl
 RAILS_ENV=mysql rails s
@@ -137,9 +137,10 @@ RAILS_ENV=mysql rails s
 
 In order for RailsGoat to effectively process email, you will first need to run MailCatcher, an SMTP server that will intercept email messages and display them in a web interface.
 
-To start an instance of MailCatcher, simply run:
+Mailcatcher is not installed by default. To install MailCatcher and start an instance of it, simply run:
 
 ```
+$ gem install mailcatcher
 $ mailcatcher
 ```
 
diff --git a/Rakefile b/Rakefile
index b7b8c46..e85f913 100755
--- a/Rakefile
+++ b/Rakefile
@@ -1,7 +1,6 @@
-#!/usr/bin/env rake
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 
-require File.expand_path('../config/application', __FILE__)
+require_relative 'config/application'
 
-Railsgoat::Application.load_tasks
+Rails.application.load_tasks
diff --git a/config/application.rb b/config/application.rb
index ce5141a..06727f0 100755
--- a/config/application.rb
+++ b/config/application.rb
@@ -23,7 +23,7 @@ module Railsgoat
     # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
 
     # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
-    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # Run "rails -D time" for a list of tasks for finding time zone names. Default is UTC.
     # config.time_zone = 'Central Time (US & Canada)'
 
     # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
diff --git a/config/database.yml b/config/database.yml
index bb84441..f630e92 100755
--- a/config/database.yml
+++ b/config/database.yml
@@ -19,7 +19,7 @@ mysql:
   password:
 
 # Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
+# re-generated from your development database when you run "rails".
 # Do not set this db to the same as development or production.
 test:
   adapter: sqlite3
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 94c2767..3f3d6b0 100755
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -15,7 +15,7 @@ Railsgoat::Application.configure do
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_files = false
+  config.public_file_server.enabled = false
 
   # Compress JavaScripts and CSS
   config.assets.compress = true
diff --git a/config/environments/test.rb b/config/environments/test.rb
index bd6b76c..22845da 100755
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -8,8 +8,8 @@ Railsgoat::Application.configure do
   config.cache_classes = true
 
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files = true
-  config.static_cache_control = "public, max-age=3600"
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local = true
diff --git a/db/schema.rb b/db/schema.rb
index d7745b9..da237a3 100755
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
diff --git a/db/seeds.rb b/db/seeds.rb
index 9750f25..333d5ad 100755
--- a/db/seeds.rb
+++ b/db/seeds.rb
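Review bot: The rewritten comment `when you run "rails"` no longer describes a real command: the original `"rake"` meant rake's default task, while a bare `rails` invocation only prints usage, so the mechanical rename turns a correct hint into a misleading one. Naming the task is clearer, e.g. `# re-generated from your development database when you run the test task ("rails test").` The same substitution was applied to comments in config/application.rb (`rails -D time`, the hunk just above) and doc/README_FOR_APP (`rails doc:app`, later in this patch); it is worth confirming that the Rails 5 `rails` binary accepts those forms at all (I believe the `doc:app` task was dropped from core in 5.0) and keeping the `rake` spelling where it does not.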
@@ -1,5 +1,5 @@
 # This file should contain all the record creation needed to seed the database with its default values.
-# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+# The data can then be loaded with the rails db:seed (or created alongside the db with db:setup).
 #
 
 users = [
diff --git a/doc/README_FOR_APP b/doc/README_FOR_APP
index fe41f5c..2c9ee3e 100755
--- a/doc/README_FOR_APP
+++ b/doc/README_FOR_APP
@@ -1,2 +1,2 @@
 Use this README file to introduce your application and point to useful places in the API for learning more.
-Run "rake doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
+Run "rails doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
diff --git a/script/start b/script/start
index 1e5761c..adb6b63 100644
--- a/script/start
+++ b/script/start
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -e
 
-rake db:setup
+rails db:setup
 rails server

From 8c38edd90b4da3a68667bac5b26c25492063f4f8 Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 15:53:24 -0600
Subject: [PATCH 5/9] upgrade(rails-5): we updated the db/config, broke the test that extracts it

---
 README.md | 7 ++++---
 spec/vulnerabilities/insecure_dor_spec.rb | 3 ++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index c26bd7a..f8b7754 100755
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
 
-RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
 
 ## Support
 
@@ -20,11 +20,12 @@ After installing the package, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```
 
-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
 
 ```bash
 $ cd railsgoat
 $ git checkout rails_3_2
+$ git checkout rails_4_2
 ```
 
 Navigate into the directory (already there if you followed the previous step) and install the dependencies:
@@ -93,7 +94,7 @@ Note: if your container exits with an error, it may be because a server is alrea
 ```
 A server is already running. Check /myapp/tmp/pids/server.pid.
 => Booting Thin
-=> Rails 4.2.6 application starting in development on
+=> Rails 5.0.1 application starting in development on
 http://0.0.0.0:3000
 => Run `rails server -h` for more startup options
 => Ctrl-C to shutdown server
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 88df889..c192773 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -14,9 +14,10 @@ feature 'insecure direct object reference' do
 
     visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
 
     pending if verifying_fixed?
+    expect(page.status_code).to eq(200)
     expect(page.response_headers['Content-Disposition']).to include('database.yml')
-    expect(page.response_headers['Content-Length']).to eq('709')
+    expect(page.response_headers['Content-Length']).to eq('710')
   end
 
   scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do

From ba684f95ec92ff566bf0921723fe28d5c0525069 Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Thu, 19 Jan 2017 16:10:47 -0600
Subject: [PATCH 6/9] restore mysql environment to working

---
 config/environments/mysql.rb | 22 ++++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/config/environments/mysql.rb b/config/environments/mysql.rb
index 47d2452..3e46de3 100755
--- a/config/environments/mysql.rb
+++ b/config/environments/mysql.rb
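Review bot: Pinning `Content-Length` to the exact byte size of config/database.yml (`'710'`) makes this scenario fail on every edit to that file, which is exactly why this commit had to bump `'709'`; the check adds nothing the `Content-Disposition` assertion does not already establish. Asserting on the body instead keeps the scenario meaningful without tying it to a byte count, e.g. `expect(page.body).to include('adapter:')`, given that the served file is the project's own database.yml. The new `status_code` assertion is fine and worth keeping. The scenario block continues past the hunk.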
@@ -33,12 +33,18 @@ Railsgoat::Application.configure do
   config.action_mailer.smtp_settings = { :address => "127.0.0.1", :port => 1025 }
   config.action_mailer.default_url_options = { :host => "127.0.0.1:3000" }
 
-  config.middleware.insert_before(
-    Rack::Lock, Rack::LiveReload,
-    :min_delay => 500,
-    :max_delay => 1000,
-    :port => 35727,
-    :host => 'railsgoat.dev',
-    :ignore => [ %r{dont/modify\.html$} ]
-  )
+  # config.middleware.insert_before(
+  #   Rack::Lock, Rack::LiveReload,
+  #   :min_delay => 500,
+  #   :max_delay => 1000,
+  #   :port => 35727,
+  #   :host => 'railsgoat.dev',
+  #   :ignore => [ %r{dont/modify\.html$} ]
+  # )
+
+  # For Rails 4.0+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 end

From dee4a46d3d9442e02b026d9fef795a86bc50edc0 Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Fri, 20 Jan 2017 14:27:59 -0600
Subject: [PATCH 7/9] upgrade(rails_5): travis should also migrate

---
 .travis.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 867eeef..318816d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,8 +11,7 @@ before_install:
   - "if [ $(phantomjs --version) != '2.1.1' ]; then tar -xvf ${PWD}/travis_phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2 -C ${PWD}/travis_phantomjs; fi"
   - "phantomjs --version"
 
-before_script: rails db:setup
-before_script: bundle exec rails db:setup
+before_script: bundle exec rails db:{setup,migrate}
 cache: bundler
 sudo: false
 env: RAILSGOAT_MAINTAINER=true

From d51f48f2d96751474c7819cdb05a6576637a4eb4 Mon Sep 17 00:00:00 2001
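Review bot: The `insert_before(Rack::Lock, Rack::LiveReload, …)` call is kept as an eight-line commented-out block with no explanation of why it was disabled, and the new `# For Rails 4.0+` heading over `config.eager_load = false` reads oddly in a Rails 5 upgrade. Since git keeps the history, delete the dead block and leave one line stating the reason, e.g. `# LiveReload middleware dropped: inserting before Rack::Lock fails to boot under Rails 5 (Rack::Lock is no longer in the default stack — confirm before re-enabling)`. The eager_load comment could likewise say what it is actually for, presumably that Rails 4+ warns when `config.eager_load` is left unset in an environment file. The `configure` block starts before the hunk.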
From: Joseph Mastey
Date: Sun, 29 Jan 2017 18:08:44 -0600
Subject: [PATCH 8/9] Fixes several issues with version migration.

---
 .travis.yml | 2 +-
 app/controllers/api/v1/users_controller.rb | 10 +++++-----
 app/controllers/users_controller.rb | 5 +++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 318816d..77410e0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,7 +11,7 @@ before_install:
   - "if [ $(phantomjs --version) != '2.1.1' ]; then tar -xvf ${PWD}/travis_phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2 -C ${PWD}/travis_phantomjs; fi"
   - "phantomjs --version"
 
-before_script: bundle exec rails db:{setup,migrate}
+before_script: bundle exec rails db:test:prepare
 cache: bundler
 sudo: false
 env: RAILSGOAT_MAINTAINER=true
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index fc696cd..20fb4eb 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -18,12 +18,12 @@ class Api::V1::UsersController < ApplicationController
   def valid_api_token
     authenticate_or_request_with_http_token do |token, options|
       # TODO :add some functionality to check if the HTTP Header is valid
-      identify_user(token)
+      if !identify_user(token)
+        redirect_to root_url
+      end
     end
   end
 
-  # TODO I don't believe returning from this method is a valid method
-  # of halting execution anymore.
   def identify_user(token="")
     # We've had issues with URL encoding, etc. causing issues so just to be safe
     # we will go ahead and unescape the user's token
@@ -31,8 +31,8 @@ class Api::V1::UsersController < ApplicationController
     @clean_token =~ /(.*?)-(.*)/
     id = $1
     hash = $2
-    (id && hash) ? true : false
-    check_hash(id, hash) ? true : false
+
+    check_hash(id, hash)
   end
 
   def check_hash(id, hash)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b4fc055..d577d50 100755
--- a/app/controllers/users_controller.rb
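Review bot: The new `if !identify_user(token) … end` block inverts what `authenticate_or_request_with_http_token` sees: when `identify_user` succeeds the `if` is not taken and the block evaluates to `nil`, so the helper treats the request as unauthenticated and sends its 401 challenge, whereas a failed token leaves the block with the (truthy) return value of `redirect_to` and gets a 302 to the HTML root instead. The block's value has to be the authentication result, so the previous one-liner `identify_user(token)` is the correct form; the helper's own 401 response already halts the before_action chain, which is what the removed TODO was worried about. If a redirect on failure is really wanted, do it outside the helper so no second response is rendered after the redirect, e.g. `redirect_to root_url unless authenticate_with_http_token { |token, _opts| identify_user(token) }`. valid_api_token is fully inside the hunk; identify_user continues past it.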
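Review bot: `check_hash(id, hash)` is now reached with `id` and `hash` both `nil` whenever `@clean_token` contains no `-`, since the `=~` two lines above then fails and `$1`/`$2` stay unset; the deleted `(id && hash) ? true : false` line was dead code, but the intent it hints at — reject a malformed token before `check_hash` — was never actually implemented. A guard such as `return false unless id && hash` before the call keeps `check_hash` (defined below, outside the hunk) from having to cope with nil input. The local named `hash` also shadows `Object#hash`; `token_hash` would read more clearly. identify_user starts before this hunk.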
+++ b/app/controllers/users_controller.rb
@@ -25,8 +25,9 @@ class UsersController < ApplicationController
 
   def update
     message = false
-
-    user = User.where("user_id = '#{params[:user][:user_id]}'").first
+
+    user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
+
     if user
       user.skip_user_id_assign = true
       user.skip_hash_password = true

From 563ada1e047a4ee9d5e738d012558c9f848cd19b Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Sun, 29 Jan 2017 19:04:48 -0600
Subject: [PATCH 9/9] refer to Rails 5 wiki (to be created)

---
 spec/vulnerabilities/csrf_spec.rb | 2 +-
 spec/vulnerabilities/mass_assignment_spec.rb | 2 +-
 spec/vulnerabilities/sql_injection_spec.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb
index 7b2dfd7..2b3914a 100644
--- a/spec/vulnerabilities/csrf_spec.rb
+++ b/spec/vulnerabilities/csrf_spec.rb
@@ -7,7 +7,7 @@ feature 'csrf' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", :js => true do
     visit '/' # TODO: is there a way to get this without visiting root first?
     base_url = current_url
 
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index 1f6bd23..f7ab73d 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -21,7 +21,7 @@ feature 'mass assignment' do
     expect(@normal_user.reload.admin).to be_truthy
   end
 
-  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role' do
+  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
     params = {:user => {:admin => 't',
                         :email => 'hackety@h4x0rs.c0m',
                         :first_name => 'hackety',
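Review bot: The rewritten lookup `User.where(...)[0]` loads every row the `WHERE` matches and picks the first in Ruby, whereas `.first` issued a `LIMIT 1`; if the motive was to avoid the primary-key `ORDER BY` that `first` adds, `.take` gives `LIMIT 1` without the ordering, i.e. `user = User.where("user_id = '#{params[:user][:user_id]}'").take`. The string-interpolated `params[:user][:user_id]` survives the rewrite untouched; RailsGoat ships a SQL-injection exercise (spec/vulnerabilities/sql_injection_spec.rb appears in the last patch of this series), so a one-line comment here saying whether this interpolation is that deliberate training vulnerability — or, if it is not, the parameterised `User.where(user_id: params[:user][:user_id]).take` — would stop a later maintainer from guessing. The update method continues past the hunk.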
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index 51685f0..a963a56 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -7,7 +7,7 @@ feature 'sql injection' do
     @admin_user = User.where("admin='t'").first
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
     expect(@admin_user.admin).to be_truthy
     login(@normal_user)