Added notice and removed spoilers from spec names.

2013-10-03 11:00:43 -05:00
parent 538d01e5cf
commit 525dfa1717
11 changed files with 41 additions and 15 deletions
@@ -6,7 +6,7 @@ feature 'broken_auth' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'TMI during login - username' do
+  scenario 'one' do
    visit '/'
    within('.signup') do
      fill_in 'email', :with => @normal_user.email + 'not'
@@ -16,7 +16,7 @@ feature 'broken_auth' do
    pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!" }
  end

-  scenario 'TMI during login - password' do
+  scenario 'two' do
    visit '/'
    within('.signup') do
      fill_in 'email', :with => @normal_user.email
@@ -7,7 +7,7 @@ feature 'command injection' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'injection attack on file upload', :js => true do
+  scenario 'attack', :js => true do
    login @normal_user

    legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
@@ -7,7 +7,7 @@ feature 'csrf' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'csrf attack to pto', :js => true do
+  scenario 'attack', :js => true do
    visit '/'
    # TODO: is there a way to get this without visiting root first?
    base_url = current_url
@@ -9,7 +9,7 @@ feature 'sensitive information disclosure' do

  # this won't work with javascript_driver, as it'll apply the javascript
  # function to mask this value and the source will be overwritten.
-  scenario 'full ssn returned to view' do
+  scenario 'attack' do
    login @normal_user

    visit "/users/#{@normal_user.user_id}/work_info"
@@ -6,7 +6,7 @@ feature 'insecure direct object reference' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'download production configuration' do
+  scenario 'attack one' do
    login(@normal_user)

    visit "/users/#{@normal_user.user_id}/benefit_forms"
@@ -20,7 +20,7 @@ feature 'insecure direct object reference' do
    }
  end

-  scenario 'view any user work_info' do
+  scenario 'attack two' do
    login(@normal_user)

    @normal_user.user_id.should_not == 2
@@ -1,12 +1,12 @@
 require 'spec_helper'

-feature 'sql injection' do
+feature 'mass assignment' do
  before do
    UserFixture.reset_all_users
    @normal_user = UserFixture.normal_user
  end

-  scenario 'mass assignment attack update account_settings' do
+  scenario 'attack one' do
    @normal_user.admin.should be_false

    login(@normal_user)
@@ -20,7 +20,7 @@ feature 'sql injection' do
    pending(:if => verifying_fixed?) { @normal_user.reload.admin.should be_true }
  end

-  scenario 'mass assignment attack create new account' do
+  scenario 'attack two' do
    params = {:user => {:admin => 't',
                        :email => 'hackety@h4x0rs.c0m',
                        :first_name => 'hackety',
@@ -7,7 +7,7 @@ feature 'sql injection' do
    @admin_user = User.where("admin='t'").first
  end

-  scenario 'injection attack on account_settings' do
+  scenario 'attack' do
    @admin_user.admin.should be_true

    login(@normal_user)
@@ -6,7 +6,7 @@ feature 'unvalidated redirect' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'login redirects to anywhere', :js => true do
+  scenario 'attack', :js => true do
    visit '/?url=http://example.com/do/evil/things'
    within('.signup') do
      fill_in 'email', :with => @normal_user.email
@@ -6,7 +6,7 @@ feature 'url access' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'admin route not protected', :js => true do
+  scenario 'attack', :js => true do
    login @normal_user

    visit '/admin/1/dashboard'
@@ -6,7 +6,7 @@ feature 'xss' do
    @normal_user = UserFixture.normal_user
  end

-  scenario 'xss attack on account_settings', :js => true do
+  scenario 'attack', :js => true do
    login @normal_user

    visit "/users/#{@normal_user.user_id}/account_settings"