merged @jmmasteys rails_5 branch

2017-07-12 10:24:04 -04:00
parent efad3bb2ab f1a3bc7bcf
commit 386a526742
38 changed files with 85 additions and 438 deletions
@@ -11,8 +11,7 @@ before_install:
  - "if [ $(phantomjs --version) != '2.1.1' ]; then tar -xvf ${PWD}/travis_phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2 -C ${PWD}/travis_phantomjs; fi"
  - "phantomjs --version"
-before_script: rake db:setup
+before_script: bundle exec rails db:test:prepare
 before_script: bundle exec rake db:setup
 cache: bundler
 sudo: false
-env: RAILSGOAT_MAINTAINER=true
+env: RAILSGOAT_MAINTAINER=true
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 #don't upgrade
-gem 'rails', '4.2.8'
+gem 'rails', '5.0.1'
 ruby '2.3.4'
@@ -53,7 +53,7 @@ gem 'sass-rails'
 gem 'coffee-rails'
 gem 'jquery-fileupload-rails'
 gem 'uglifier'
-gem 'turbolinks' # New for Rails 4.0
+gem 'turbolinks'
 # See https://github.com/sstephenson/execjs#readme for more supported runtimes
 # gem 'therubyracer', :platforms => :ruby
@@ -87,11 +87,12 @@ gem 'execjs'
 gem 'therubyracer'
 # Add SMTP server support using MailCatcher
-gem 'mailcatcher'
+# NOTE: https://github.com/sj26/mailcatcher#bundler
 # gem 'mailcatcher'
 #For Rails 4.0
 #group :doc do
-#  # bundle exec rake doc:rails generates the API under doc/api.
+#  # bundle exec rails doc:rails generates the API under doc/api.
 #  gem 'sdoc', require: false
 #end
@@ -1,366 +0,0 @@
 GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (4.2.8)
      actionpack (= 4.2.8)
      actionview (= 4.2.8)
      activejob (= 4.2.8)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 1.0, >= 1.0.5)
    actionpack (4.2.8)
      actionview (= 4.2.8)
      activesupport (= 4.2.8)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
    actionview (4.2.8)
      activesupport (= 4.2.8)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
    activejob (4.2.8)
      activesupport (= 4.2.8)
      globalid (>= 0.3.0)
    activemodel (4.2.8)
      activesupport (= 4.2.8)
      builder (~> 3.1)
    activerecord (4.2.8)
      activemodel (= 4.2.8)
      activesupport (= 4.2.8)
      arel (~> 6.0)
    activesupport (4.2.8)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
    addressable (2.5.1)
      public_suffix (~> 2.0, >= 2.0.2)
    arel (6.0.4)
    aruba (0.14.2)
      childprocess (~> 0.5.6)
      contracts (~> 0.9)
      cucumber (>= 1.3.19)
      ffi (~> 1.9.10)
      rspec-expectations (>= 2.99)
      thor (~> 0.19)
    bcrypt (3.1.11)
    better_errors (2.1.1)
      coderay (>= 1.0.0)
      erubis (>= 2.6.6)
      rack (>= 0.9.0)
    binding_of_caller (0.7.2)
      debug_inspector (>= 0.0.1)
    brakeman (3.6.2)
    builder (3.2.3)
    bundler-audit (0.5.0)
      bundler (~> 1.2)
      thor (~> 0.18)
    capybara (2.14.0)
      addressable
      mime-types (>= 1.16)
      nokogiri (>= 1.3.3)
      rack (>= 1.0.0)
      rack-test (>= 0.5.4)
      xpath (~> 2.0)
    childprocess (0.5.9)
      ffi (~> 1.0, >= 1.0.11)
    cliver (0.3.2)
    coderay (1.1.1)
    coffee-rails (4.2.2)
      coffee-script (>= 2.2.0)
      railties (>= 4.0.0)
    coffee-script (2.4.1)
      coffee-script-source
      execjs
    coffee-script-source (1.12.2)
    concurrent-ruby (1.0.5)
    contracts (0.16.0)
    crack (0.3.1)
    cucumber (2.4.0)
      builder (>= 2.1.2)
      cucumber-core (~> 1.5.0)
      cucumber-wire (~> 0.0.1)
      diff-lcs (>= 1.1.3)
      gherkin (~> 4.0)
      multi_json (>= 1.7.5, < 2.0)
      multi_test (>= 0.1.2)
    cucumber-core (1.5.0)
      gherkin (~> 4.0)
    cucumber-wire (0.0.1)
    daemons (1.2.4)
    database_cleaner (1.6.1)
    debug_inspector (0.0.3)
    diff-lcs (1.3)
    docile (1.1.5)
    em-websocket (0.5.1)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
    erubis (2.7.0)
    eventmachine (1.0.9.1)
    execjs (2.7.0)
    ffi (1.9.18)
    foreman (0.84.0)
      thor (~> 0.19.1)
    formatador (0.2.5)
    gherkin (4.1.3)
    globalid (0.4.0)
      activesupport (>= 4.2.0)
    guard (2.14.1)
      formatador (>= 0.2.4)
      listen (>= 2.7, < 4.0)
      lumberjack (~> 1.0)
      nenv (~> 0.1)
      notiffany (~> 0.0)
      pry (>= 0.9.12)
      shellany (~> 0.0)
      thor (>= 0.18.1)
    guard-brakeman (0.8.3)
      brakeman (>= 2.1.1)
      guard (>= 2.0.0)
    guard-compat (1.2.1)
    guard-livereload (2.5.2)
      em-websocket (~> 0.5)
      guard (~> 2.8)
      guard-compat (~> 1.0)
      multi_json (~> 1.8)
    guard-rspec (4.7.3)
      guard (~> 2.1)
      guard-compat (~> 1.1)
      rspec (>= 2.99.0, < 4.0)
    guard-shell (0.7.1)
      guard (>= 2.0.0)
      guard-compat (~> 1.0)
    http_parser.rb (0.6.0)
    i18n (0.8.4)
    jquery-fileupload-rails (0.4.7)
      actionpack (>= 3.1)
      railties (>= 3.1)
      sass (>= 3.2)
    jquery-rails (4.3.1)
      rails-dom-testing (>= 1, < 3)
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
    json (2.1.0)
    kgio (2.11.0)
    launchy (2.4.3)
      addressable (~> 2.3)
    libv8 (3.16.14.19)
    listen (3.1.5)
      rb-fsevent (~> 0.9, >= 0.9.4)
      rb-inotify (~> 0.9, >= 0.9.7)
      ruby_dep (~> 1.2)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    lumberjack (1.0.12)
    mail (2.6.5)
      mime-types (>= 1.16, < 4)
    mailcatcher (0.6.5)
      eventmachine (= 1.0.9.1)
      mail (~> 2.3)
      rack (~> 1.5)
      sinatra (~> 1.2)
      skinny (~> 0.2.3)
      sqlite3 (~> 1.3)
      thin (~> 1.5.0)
    method_source (0.8.2)
    mime-types (3.1)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.1.0)
    minitest (5.10.2)
    multi_json (1.12.1)
    multi_test (0.1.2)
    mysql2 (0.4.6)
    nenv (0.3.0)
    nokogiri (1.7.2)
      mini_portile2 (~> 2.1.0)
    notiffany (0.1.1)
      nenv (~> 0.1)
      shellany (~> 0.0)
    poltergeist (1.15.0)
      capybara (~> 2.1)
      cliver (~> 0.3.1)
      websocket-driver (>= 0.2.0)
    powder (0.3.0)
      thor (>= 0.11.5)
    power_assert (1.0.2)
    pry (0.10.4)
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
    pry-rails (0.3.6)
      pry (>= 0.10.4)
    public_suffix (2.0.5)
    rack (1.6.8)
    rack-livereload (0.3.16)
      rack
    rack-protection (1.5.3)
      rack
    rack-test (0.6.3)
      rack (>= 1.0)
    rails (4.2.8)
      actionmailer (= 4.2.8)
      actionpack (= 4.2.8)
      actionview (= 4.2.8)
      activejob (= 4.2.8)
      activemodel (= 4.2.8)
      activerecord (= 4.2.8)
      activesupport (= 4.2.8)
      bundler (>= 1.3.0, < 2.0)
      railties (= 4.2.8)
      sprockets-rails
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
    rails-dom-testing (1.0.8)
      activesupport (>= 4.2.0.beta, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
    railties (4.2.8)
      actionpack (= 4.2.8)
      activesupport (= 4.2.8)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    raindrops (0.18.0)
    rake (12.0.0)
    rb-fsevent (0.9.8)
    rb-inotify (0.9.8)
      ffi (>= 0.5.0)
    ref (2.0.0)
    responders (2.4.0)
      actionpack (>= 4.2.0, < 5.3)
      railties (>= 4.2.0, < 5.3)
    rspec (3.6.0)
      rspec-core (~> 3.6.0)
      rspec-expectations (~> 3.6.0)
      rspec-mocks (~> 3.6.0)
    rspec-core (3.6.0)
      rspec-support (~> 3.6.0)
    rspec-expectations (3.6.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.6.0)
    rspec-mocks (3.6.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.6.0)
    rspec-rails (3.6.0)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
      rspec-core (~> 3.6.0)
      rspec-expectations (~> 3.6.0)
      rspec-mocks (~> 3.6.0)
      rspec-support (~> 3.6.0)
    rspec-support (3.6.0)
    ruby_dep (1.5.0)
    sass (3.4.24)
    sass-rails (5.0.6)
      railties (>= 4.0.0, < 6)
      sass (~> 3.1)
      sprockets (>= 2.8, < 4.0)
      sprockets-rails (>= 2.0, < 4.0)
      tilt (>= 1.1, < 3)
    shellany (0.0.1)
    simplecov (0.14.1)
      docile (~> 1.1.0)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.1)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
      tilt (>= 1.3, < 3)
    skinny (0.2.4)
      eventmachine (~> 1.0.0)
      thin (>= 1.5, < 1.7)
    slop (3.6.0)
    sprockets (3.7.1)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.2.0)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    sqlite3 (1.3.13)
    test-unit (3.2.4)
      power_assert
    therubyracer (0.12.3)
      libv8 (~> 3.16.14.15)
      ref
    thin (1.5.1)
      daemons (>= 1.0.9)
      eventmachine (>= 0.12.6)
      rack (>= 1.0.0)
    thor (0.19.4)
    thread_safe (0.3.6)
    tilt (2.0.7)
    travis-lint (2.0.0)
      json
    turbolinks (5.0.1)
      turbolinks-source (~> 5)
    turbolinks-source (5.0.3)
    tzinfo (1.2.3)
      thread_safe (~> 0.1)
    uglifier (3.2.0)
      execjs (>= 0.3.0, < 3)
    unicorn (5.3.0)
      kgio (~> 2.6)
      raindrops (~> 0.7)
    websocket-driver (0.6.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.2)
    xpath (2.1.0)
      nokogiri (~> 1.3)
 PLATFORMS
  ruby
 DEPENDENCIES
  aruba
  bcrypt
  better_errors
  binding_of_caller
  brakeman
  bundler-audit
  capybara
  coffee-rails
  crack (= 0.3.1)
  database_cleaner
  execjs
  foreman
  guard-brakeman
  guard-livereload
  guard-rspec
  guard-shell
  jquery-fileupload-rails
  jquery-rails
  launchy
  mailcatcher
  mysql2
  poltergeist
  powder
  pry
  pry-rails
  rack-livereload
  rails (= 4.2.8)
  rake
  rb-fsevent
  responders
  rspec-rails
  sass-rails
  simplecov
  sqlite3
  test-unit
  therubyracer
  travis-lint
  turbolinks
  uglifier
  unicorn
 RUBY VERSION
   ruby 2.3.4p301
 BUNDLED WITH
   1.15.0
@@ -1,6 +1,6 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
-RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
 ## Support
@@ -20,11 +20,12 @@ After installing the package, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```
-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
 ```bash
 $ cd railsgoat
 $ git checkout rails_3_2
 $ git checkout rails_4_2
 ```
 Navigate into the directory (already there if you followed the previous step) and install the dependencies:
@@ -42,7 +43,7 @@ $ gem install bundler
 Initialize the database:
 ```bash
-$ rake db:setup
+$ rails db:setup
 ```
 Start the Thin web server:
@@ -78,7 +79,7 @@ To run Railsgoat with Docker you must first have [Docker](https://docs.docker.co
 ```
 #~/code/railsgoat
 $ docker-compose build
-$ docker-compose run web rake db:setup
+$ docker-compose run web rails db:setup
 $ docker-compose up
 ...
  Creating railsgoat_web_1
@@ -93,7 +94,7 @@ Note: if your container exits with an error, it may be because a server is alrea
 ```
 A server is already running. Check /myapp/tmp/pids/server.pid.
 => Booting Thin
-=> Rails 4.2.6 application starting in development on
+=> Rails 5.0.1 application starting in development on
 http://0.0.0.0:3000
 => Run `rails server -h` for more startup options
 => Ctrl-C to shutdown server
@@ -103,16 +104,16 @@ In this case, remove that server.pid file and try again. Note also that this fil
 ## Capybara Tests
-RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following rake task:
+RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following task:
 ```
-$ rake training
+$ rails training
 ```
 To run just one spec:
 ```
-$ rake training SPEC=spec/vulnerabilities/sql_injection_spec.rb
+$ rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb
 ```
 NOTE: As vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`.
@@ -124,10 +125,10 @@ By default in development mode Railsgoat runs with a SQLite database. There is a
 ```
 #Create the MySQL database
-RAILS_ENV=mysql rake db:create
+RAILS_ENV=mysql rails db:create
 #Run the migrations against the database
-RAILS_ENV=mysql rake db:migrate
+RAILS_ENV=mysql rails db:migrate
 #Boot Rails using MySQl
 RAILS_ENV=mysql rails s
@@ -137,9 +138,10 @@ RAILS_ENV=mysql rails s
 In order for RailsGoat to effectively process email, you will first need to run MailCatcher, an SMTP server that will intercept email messages and display them in a web interface.
-To start an instance of MailCatcher, simply run:
+Mailcatcher is not installed by default. To install MailCatcher and start an instance of it, simply run:
 ```
 $ gem install mailcatcher
 $ mailcatcher
 ```
@@ -1,7 +1,6 @@
 #!/usr/bin/env rake
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
-require File.expand_path('../config/application', __FILE__)
+require_relative 'config/application'
-Railsgoat::Application.load_tasks
+Rails.application.load_tasks
@@ -1,6 +1,6 @@
 class AdminController < ApplicationController
  before_action :administrative, :if => :admin_param, :except => [:get_user]
-  skip_before_filter :has_info
+  skip_before_action :has_info
  def dashboard
  end
@@ -1,6 +1,6 @@
 class Api::V1::MobileController < ApplicationController
-  skip_before_filter :authenticated
+  skip_before_action :authenticated
-  before_filter :mobile_request?
+  before_action :mobile_request?
  respond_to :json
@@ -1,7 +1,7 @@
 class Api::V1::UsersController < ApplicationController
-  skip_before_filter :authenticated
+  skip_before_action :authenticated
-  before_filter :valid_api_token
+  before_action :valid_api_token
-  before_filter :extrapolate_user
+  before_action :extrapolate_user
  respond_to :json
@@ -18,7 +18,9 @@ class Api::V1::UsersController < ApplicationController
  def valid_api_token
    authenticate_or_request_with_http_token do |token, options|
      # TODO :add some functionality to check if the HTTP Header is valid
-      identify_user(token)
+      if !identify_user(token)
        redirect_to root_url
      end
    end
  end
@@ -29,8 +31,8 @@ class Api::V1::UsersController < ApplicationController
    @clean_token =~ /(.*?)-(.*)/
    id = $1
    hash = $2
-    (id && hash) ? true : false
+
-    check_hash(id, hash) ? true : false
+    check_hash(id, hash)
  end
  def check_hash(id, hash)
@@ -1,5 +1,5 @@
 class DashboardController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info
  def home
    @user = current_user
@@ -1,5 +1,5 @@
 class PasswordResetsController < ApplicationController
-  skip_before_filter :authenticated
+  skip_before_action :authenticated
  def reset_password
    user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :authenticated, :only => [:new, :create]
  def new
    @url = params[:url]
@@ -1,6 +1,6 @@
 class TutorialsController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info
-  skip_before_filter :authenticated
+  skip_before_action :authenticated
  def credentials
    render :partial => "layouts/tutorial/credentials/creds"
@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :authenticated, :only => [:new, :create]
  def new
    @user = User.new
@@ -25,8 +25,9 @@ class UsersController < ApplicationController
  def update
    message = false
-  
+
-    user = User.where("user_id = '#{params[:user][:user_id]}'").first
+    user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
@@ -1,4 +1,4 @@
-class Analytics < ActiveRecord::Base
+class Analytics < ApplicationRecord
  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
  def self.count_by_col(col)
@@ -0,0 +1,3 @@
 class ApplicationRecord < ActiveRecord::Base
  self.abstract_class = true
 end
@@ -1,4 +1,4 @@
-class Benefits < ActiveRecord::Base
+class Benefits < ApplicationRecord
  def self.save(file, backup=false)
    data_path = Rails.root.join("public", "data")
@@ -1,4 +1,4 @@
-class KeyManagement < ActiveRecord::Base
+class KeyManagement < ApplicationRecord
  belongs_to :work_info
  belongs_to :user
 end
@@ -1,4 +1,4 @@
-class Message < ActiveRecord::Base
+class Message < ApplicationRecord
  belongs_to :user
  validates_presence_of :creator_id, :receiver_id, :message
@@ -1,4 +1,4 @@
-class PaidTimeOff < ActiveRecord::Base
+class PaidTimeOff < ApplicationRecord
  belongs_to :user
  has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
@@ -1,4 +1,4 @@
-class Pay < ActiveRecord::Base
+class Pay < ApplicationRecord
  # Associations
  belongs_to :user
@@ -1,4 +1,4 @@
-class Performance < ActiveRecord::Base
+class Performance < ApplicationRecord
  belongs_to :user
  def reviewer_name
@@ -1,3 +1,3 @@
-class Retirement < ActiveRecord::Base
+class Retirement < ApplicationRecord
  belongs_to :user
 end
@@ -1,4 +1,4 @@
-class Schedule < ActiveRecord::Base
+class Schedule < ApplicationRecord
  belongs_to :paid_time_off
  validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
@@ -1,6 +1,6 @@
 require 'encryption'
-class User < ActiveRecord::Base
+class User < ApplicationRecord
  validates :password, :presence => true,
                       :confirmation => true,
                       :length => {:within => 6..40},
@@ -1,4 +1,4 @@
-class WorkInfo < ActiveRecord::Base
+class WorkInfo < ApplicationRecord
  belongs_to :user
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
@@ -23,7 +23,7 @@ module Railsgoat
    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
-    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # Run "rails -D time" for a list of tasks for finding time zone names. Default is UTC.
    # config.time_zone = 'Central Time (US & Canada)'
    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
@@ -19,7 +19,7 @@ mysql:
  password:
 # Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
+# re-generated from your development database when you run "rails".
 # Do not set this db to the same as development or production.
 test:
  adapter: sqlite3
@@ -33,12 +33,18 @@ Railsgoat::Application.configure do
  config.action_mailer.smtp_settings = { :address => "127.0.0.1", :port => 1025 }
  config.action_mailer.default_url_options = { :host => "127.0.0.1:3000" }
-  config.middleware.insert_before(
+ # config.middleware.insert_before(
-       Rack::Lock, Rack::LiveReload,
+ #      Rack::Lock, Rack::LiveReload,
-       :min_delay => 500,
+ #      :min_delay => 500,
-       :max_delay => 1000,
+ #      :max_delay => 1000,
-       :port => 35727,
+ #      :port => 35727,
-       :host => 'railsgoat.dev',
+ #      :host => 'railsgoat.dev',
-       :ignore => [ %r{dont/modify\.html$} ]
+ #      :ignore => [ %r{dont/modify\.html$} ]
-  )
+ # )
  # For Rails 4.0+
  # Do not eager load code on boot. This avoids loading your whole application
  # just for the purpose of running a single test. If you are using a tool that
  # preloads Rails for running tests, you may have to set it to true.
  config.eager_load = false
 end
@@ -15,7 +15,7 @@ Railsgoat::Application.configure do
  # config.action_dispatch.rack_cache = true
  # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_files = false
+  config.public_file_server.enabled = false
  # Compress JavaScripts and CSS
  config.assets.compress = true
@@ -8,8 +8,8 @@ Railsgoat::Application.configure do
  config.cache_classes = true
  # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files = true
+  config.public_file_server.enabled = true
-  config.static_cache_control = "public, max-age=3600"
+  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
@@ -1,4 +1,3 @@
 # encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -1,5 +1,5 @@
 # This file should contain all the record creation needed to seed the database with its default values.
-# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+# The data can then be loaded with the rails db:seed (or created alongside the db with db:setup).
 #
 users = [
@@ -1,2 +1,2 @@
 Use this README file to introduce your application and point to useful places in the API for learning more.
-Run "rake doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
+Run "rails doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -e
-rake db:setup
+rails db:setup
 rails server
@@ -7,7 +7,7 @@ feature 'csrf' do
    @normal_user = UserFixture.normal_user
  end
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", :js => true do
    visit '/'
    # TODO: is there a way to get this without visiting root first?
    base_url = current_url
@@ -14,9 +14,10 @@ feature 'insecure direct object reference' do
    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
    pending if verifying_fixed?
    expect(page.status_code).to eq(200)
    expect(page.response_headers['Content-Disposition']).to include('database.yml')
-    expect(page.response_headers['Content-Length']).to eq('709')
+    expect(page.response_headers['Content-Length']).to eq('710')
  end
  scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
@@ -21,7 +21,7 @@ feature 'mass assignment' do
    expect(@normal_user.reload.admin).to be_truthy
  end
-  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role' do
+  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
    params = {:user => {:admin => 't',
                        :email => 'hackety@h4x0rs.c0m',
                        :first_name => 'hackety',
@@ -7,7 +7,7 @@ feature 'sql injection' do
    @admin_user = User.where("admin='t'").first
  end
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
    expect(@admin_user.admin).to be_truthy
    login(@normal_user)
`@@ -1,2 +1,2 @@`
	`Use this README file to introduce your application and point to useful places in the API for learning more.`	`Use this README file to introduce your application and point to useful places in the API for learning more.`
	`Run "rake doc:app" to generate API documentation for your models, controllers, helpers, and libraries.`	`Run "rails doc:app" to generate API documentation for your models, controllers, helpers, and libraries.`