Merge pull request #233 from jasnow/master

Fixed #225 (rspec upgrade from 2.99.0 to latest 3.x)
2016-04-27 10:34:59 -04:00
parent d86bbf6334 433491c905
commit 39b8e85d21
15 changed files with 76 additions and 65 deletions
@@ -41,7 +41,7 @@ group :development, :test, :mysql do
  gem 'capybara'
  gem 'database_cleaner'
  gem 'poltergeist'
-  gem 'rspec-rails', '2.99.0' # LOCKED DOWN
+  gem 'rspec-rails'
  gem 'test-unit'
 end

@@ -66,7 +66,7 @@ GEM
    bundler-audit (0.5.0)
      bundler (~> 1.2)
      thor (~> 0.18)
-    capybara (2.6.2)
+    capybara (2.7.0)
      addressable
      mime-types (>= 1.16)
      nokogiri (>= 1.3.3)
@@ -99,7 +99,7 @@ GEM
      gherkin (~> 3.2.0)
    cucumber-wire (0.0.1)
    daemons (1.2.3)
-    database_cleaner (1.5.1)
+    database_cleaner (1.5.3)
    debug_inspector (0.0.2)
    diff-lcs (1.2.5)
    docile (1.1.5)
@@ -110,7 +110,7 @@ GEM
    eventmachine (1.0.9.1)
    execjs (2.6.0)
    ffi (1.9.10)
-    foreman (0.78.0)
+    foreman (0.80.2)
      thor (~> 0.19.1)
    formatador (0.2.5)
    gauntlt (0.1.4)
@@ -164,7 +164,7 @@ GEM
    launchy (2.4.3)
      addressable (~> 2.3)
    libv8 (3.16.14.13)
-    listen (3.0.6)
+    listen (3.1.1)
      rb-fsevent (>= 0.9.3)
      rb-inotify (>= 0.9.7)
    loofah (2.0.3)
@@ -187,9 +187,9 @@ GEM
    mime-types-data (3.2016.0221)
    mini_portile2 (2.0.0)
    minitest (5.8.4)
-    multi_json (1.11.2)
+    multi_json (1.11.3)
    multi_test (0.1.2)
-    mysql2 (0.4.3)
+    mysql2 (0.4.4)
    nenv (0.3.0)
    nokogiri (1.6.7.2)
      mini_portile2 (~> 2.0.0.rc2)
@@ -249,25 +249,27 @@ GEM
    ref (2.0.0)
    responders (2.1.2)
      railties (>= 4.2.0, < 5.1)
-    rspec (2.99.0)
-      rspec-core (~> 2.99.0)
-      rspec-expectations (~> 2.99.0)
-      rspec-mocks (~> 2.99.0)
-    rspec-collection_matchers (1.1.2)
-      rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (2.99.2)
-    rspec-expectations (2.99.2)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.99.4)
-    rspec-rails (2.99.0)
-      actionpack (>= 3.0)
-      activemodel (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-collection_matchers
-      rspec-core (~> 2.99.0)
-      rspec-expectations (~> 2.99.0)
-      rspec-mocks (~> 2.99.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.4)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-rails (3.4.2)
+      actionpack (>= 3.0, < 4.3)
+      activesupport (>= 3.0, < 4.3)
+      railties (>= 3.0, < 4.3)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.1)
    ruby2ruby (2.3.0)
      ruby_parser (~> 3.1)
      sexp_processor (~> 4.0)
@@ -374,7 +376,7 @@ DEPENDENCIES
  rake (= 10.5.0)
  rb-fsevent
  responders
-  rspec-rails (= 2.99.0)
+  rspec-rails
  sass-rails
  simplecov
  sqlite3
@@ -7,7 +7,6 @@ SimpleCov.start if ENV["COVERAGE"]

 require File.expand_path("../../config/environment", __FILE__)
 require 'rspec/rails'
-require 'rspec/autorun'
 require 'capybara/rails'
 require 'capybara/poltergeist'
 require 'database_cleaner'
@@ -15,7 +15,8 @@ feature 'broken_auth' do
    within('.actions') do
      click_on 'Login'
    end
-    pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!" }
+    pending if verifying_fixed?
+    expect(find('div#flash_notice').text).to eq("#{@normal_user.email}not doesn't exist!")
  end

  scenario 'two' do
@@ -27,6 +28,7 @@ feature 'broken_auth' do
    within('.actions') do
      click_on 'Login'
    end
-    pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == 'Incorrect Password!' }
+    pending if verifying_fixed?
+    expect(find('div#flash_notice').text).to eq('Incorrect Password!')
  end
-end
+end
@@ -23,6 +23,7 @@ feature 'command injection' do
      end
      click_on 'Start Upload'
    end
-    pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_falsey }
+    pending if verifying_fixed?
+    expect(File.exists?(legit_file)).to be_falsey
  end
 end
@@ -39,6 +39,7 @@ feature 'csrf' do
      end
    end

-    pending(:if => verifying_fixed?) { @normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy' }
+    pending if verifying_fixed?
+    expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq('Bad Guy')
  end
-end
+end
@@ -13,19 +13,19 @@ feature 'insecure direct object reference' do
    download_url = first('.widget-body a')[:href]
    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')

-    pending(:if => verifying_fixed?) {
-      page.status_code.should == 200
-      page.response_headers['Content-Disposition'].should include('database.yml')
-      page.response_headers['Content-Length'].should == '709'
-    }
+    pending if verifying_fixed?
+    expect(page.status_code).to eq(200)
+    expect(page.response_headers['Content-Disposition']).to include('database.yml')
+    expect(page.response_headers['Content-Length']).to eq('709')
  end

  scenario 'attack two' do
    login(@normal_user)

-    @normal_user.user_id.should_not == 2
+    expect(@normal_user.user_id).not_to eq(2)
    visit '/users/2/work_info'

-    pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' }
+    pending if verifying_fixed?
+    expect(first('td').text).to eq('Jack Mannino')
  end
 end
@@ -7,7 +7,7 @@ feature 'mass assignment' do
  end

  scenario 'attack one' do
-    @normal_user.admin.should be_falsey
+    expect(@normal_user.admin).to be_falsey

    login(@normal_user)

@@ -17,7 +17,8 @@ feature 'mass assignment' do
                        :password_confirmation => @normal_user.clear_password}}
    page.driver.put "/users/#{@normal_user.user_id}.json", params

-    pending(:if => verifying_fixed?) { @normal_user.reload.admin.should be_truthy }
+    pending if verifying_fixed?
+    expect(@normal_user.reload.admin).to be_truthy
  end

  scenario 'attack two' do
@@ -29,9 +30,8 @@ feature 'mass assignment' do
                        :password_confirmation => 'foobarewe'}}
    page.driver.post '/users', params

-    pending(:if => verifying_fixed?) {
-      User.last.email.should == 'hackety@h4x0rs.c0m'
-      User.last.admin.should be_truthy
-    }
+    pending if verifying_fixed?
+    expect(User.last.email).to eq('hackety@h4x0rs.c0m')
+    expect(User.last.admin).to be_truthy
  end
 end
@@ -16,6 +16,7 @@ feature 'password complexity' do
      fill_in 'user_password_confirmation', :with => 'password'
    end
    click_on 'Submit'
-    pending(:if => verifying_fixed?) {current_path.should == '/dashboard/home'}
+    pending if verifying_fixed?
+    expect(current_path).to eq('/dashboard/home')
  end
-end
+end
@@ -11,7 +11,8 @@ feature 'improper password hashing' do
    @normal_user.password = new_pass
    @normal_user.password_confirmation = new_pass
    @normal_user.save
-    pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password}
+    pending if verifying_fixed?
+    expect(Digest::MD5.hexdigest(new_pass)).to eq(@normal_user.password)
  end

 =begin
@@ -21,8 +22,9 @@ feature 'improper password hashing' do
    @normal_user.password = new_pass
    @normal_user.password_confirmation = new_pass
    @normal_user.save
-    pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password}
+    pending if verifying_fixed?
+    expec(Digest::MD5.hexdigest(@normal_user.salt + new_pass))to. eq(@normal_user.password)
  end
 =end

-end
+end
@@ -13,6 +13,7 @@ feature 'sensitive data exposure' do
    login @normal_user

    visit "/users/#{@normal_user.user_id}/work_info"
-    pending(:if => verifying_fixed?) { page.source.should include '999-99-9999' }
+    pending if verifying_fixed?
+    expect(page.source).to include '999-99-9999'
  end
-end
+end
@@ -8,7 +8,7 @@ feature 'sql injection' do
  end

  scenario 'attack' do
-    @admin_user.admin.should be_truthy
+    expect(@admin_user.admin).to be_truthy

    login(@normal_user)

@@ -23,10 +23,9 @@ feature 'sql injection' do
    end
    click_on 'Submit'

-    pending(:if => verifying_fixed?) {
-      @admin_user = User.where("admin='t'").first
-      @admin_user.email.should == 'joe.admin@schmoe.com'
-      @admin_user.admin.should == true
-    }
+    pending if verifying_fixed?
+    @admin_user = User.where("admin='t'").first
+    expect(@admin_user.email).to eq('joe.admin@schmoe.com')
+    expect(@admin_user.admin).to eq(true)
  end
 end
@@ -15,6 +15,7 @@ feature 'unvalidated redirect' do
    within('.actions') do
      click_on 'Login'
    end
-    pending(:if => verifying_fixed?) { current_url.should == 'http://example.com/do/evil/things' }
+    pending if verifying_fixed?
+    expect(current_url).to eq('http://example.com/do/evil/things')
  end
-end
+end
@@ -10,6 +10,7 @@ feature 'url access' do
    login @normal_user

    visit '/admin/1/dashboard'
-    pending(:if => verifying_fixed?) { current_path.should == '/admin/1/dashboard' }
+    pending if verifying_fixed?
+    expect(current_path).to eq('/admin/1/dashboard')
  end
-end
+end
@@ -23,7 +23,8 @@ feature 'xss' do

    visit "/users/#{@normal_user.user_id}/account_settings"

-    pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
+    pending if verifying_fixed?
+    expect(find('#submit_button').value).to eq('RailsGoat h4x0r3d')

    # might be nice to demonstrate posting cookie contents or somesuch, but
    # this at least shows the vulnerability still exists.