From 36f236013d36e83599fc478ac5e8fa6ed5764bd4 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Wed, 2 Jul 2014 21:49:55 -0500 Subject: [PATCH 1/9] Migrate deprecated rvmrc to ruby-gemset/version --- .ruby-gemset | 1 + .ruby-version | 1 + .rvmrc | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 .ruby-gemset create mode 100644 .ruby-version delete mode 100755 .rvmrc diff --git a/.ruby-gemset b/.ruby-gemset new file mode 100644 index 0000000..b7f2343 --- /dev/null +++ b/.ruby-gemset @@ -0,0 +1 @@ +railsgoat \ No newline at end of file diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 0000000..8f9174b --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +2.1.2 \ No newline at end of file diff --git a/.rvmrc b/.rvmrc deleted file mode 100755 index 97ca0d8..0000000 --- a/.rvmrc +++ /dev/null @@ -1 +0,0 @@ -rvm use 2.1.2@railsgoat --create From e89ab2ca1b68322b9a8dacb8a4a4cead0c3e1a98 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Wed, 2 Jul 2014 22:16:29 -0500 Subject: [PATCH 2/9] Update README file information --- README.md | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index d9ac783..2fbaf62 100755 --- a/README.md +++ b/README.md @@ -4,13 +4,10 @@ RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vu ## Getting Started - - To begin, install the Ruby Version Manager (RVM): ``` -$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=1.9.3 -$ rvm use 2.1.2@railsgoat --create # https://rvm.io/ +$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 ``` After installing the package, clone this repo: 
@@ -19,22 +16,7 @@ After installing the package, clone this repo: $ git clone git@github.com:OWASP/railsgoat.git ``` -Navigate into the directory and accept the notice by typing `yes`: -``` -**************************************************************************************************** -* NOTICE * -**************************************************************************************************** -* RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell * -* script and therefore may contain any shell commands. * -* * -* Examine the contents of this file carefully to be sure the contents are safe before trusting it! * -* Do you wish to trust '/path/to/railsgoat/.rvmrc'? * -* Choose v[view] below to view the contents * -**************************************************************************************************** -y[es], n[o], v[iew], c[cancel]> -``` - -Install the project dependencies: +Navigate into the directory and install the dependencies: ``` $ bundle install @@ -52,7 +34,7 @@ Initialize the database: $ rake db:setup ``` -Start the WEBrick HTTP Server: +Start the Thin web server: ``` $ rails server From 22a6faf502b2e481a4bc0c285fb968050da9db53 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Wed, 2 Jul 2014 22:17:05 -0500 Subject: [PATCH 3/9] Update MIT license copyright year --- LICENSE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.md b/LICENSE.md index 122db6d..b47c765 100755 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2013 The Open Web Application Security Project +Copyright (c) 2013-2014 The Open Web Application Security Project Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 8b318a793bc5133263b593a4da1e5ea0eeb3f696 Mon Sep 17 00:00:00 2001 
From: James Espinosa Date: Wed, 2 Jul 2014 22:39:50 -0500 Subject: [PATCH 4/9] Update powrc to support ruby-version/gemset --- .powrc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.powrc b/.powrc index 52c4a57..c99e5b2 100644 --- a/.powrc +++ b/.powrc @@ -1,4 +1,7 @@ -if [ -f "$rvm_path/scripts/rvm" ] && [ -f ".rvmrc" ]; then - source "$rvm_path/scripts/rvm" - source ".rvmrc" -fi +if [ -f "${rvm_path}/scripts/rvm" ]; then + source "${rvm_path}/scripts/rvm" + + if [ -f ".ruby-version" ] && [ -f ".ruby-gemset" ]; then + rvm use `cat .ruby-version`@`cat .ruby-gemset` + fi +fi \ No newline at end of file From 70c9c9942bec9815d1e0a94127e8f112bc8c340f Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Wed, 2 Jul 2014 22:54:00 -0500 Subject: [PATCH 5/9] Update LICENSE year in README file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2fbaf62..1c469ad 100755 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ Conversion to the OWASP Top Ten 2013 completed in November, 2013. The MIT License (MIT) -Copyright (c) 2013 The Open Web Application Security Project +Copyright (c) 2013-2014 The Open Web Application Security Project Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: From ad784fd0997677afff93c0b512f630e5a2b99759 Mon Sep 17 00:00:00 2001 
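Review bot: The new `rvm use` line in `.powrc` expands both `cat` substitutions unquoted, so any whitespace in `.ruby-version` or `.ruby-gemset` is word-split into extra arguments, and the backtick form is harder to read than `$(...)`; `rvm use "$(cat .ruby-version)@$(cat .ruby-gemset)"` keeps the selector as one argument. The exit status of `rvm use` is never checked, so a missing ruby or gemset presumably leaves pow on whatever ruby it found on its own; if that is acceptable, a one-line comment saying so would spare the next reader the guess. The `\ No newline at end of file` marker shows the rewritten file lacks a final newline, which will show up again as noise in the next diff. This hunk covers the whole file.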
From: James Espinosa Date: Thu, 3 Jul 2014 07:38:12 -0500 Subject: [PATCH 6/9] Remove placeholders from non-empty directories --- app/mailers/.gitkeep | 0 app/models/.gitkeep | 0 lib/tasks/.gitkeep | 0 test/fixtures/.gitkeep | 0 test/functional/.gitkeep | 0 test/unit/.gitkeep | 0 6 files changed, 0 insertions(+), 0 deletions(-) delete mode 100755 app/mailers/.gitkeep delete mode 100755 app/models/.gitkeep delete mode 100755 lib/tasks/.gitkeep delete mode 100755 test/fixtures/.gitkeep delete mode 100755 test/functional/.gitkeep delete mode 100755 test/unit/.gitkeep diff --git a/app/mailers/.gitkeep b/app/mailers/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/app/models/.gitkeep b/app/models/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/lib/tasks/.gitkeep b/lib/tasks/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/test/fixtures/.gitkeep b/test/fixtures/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/test/functional/.gitkeep b/test/functional/.gitkeep deleted file mode 100755 index e69de29..0000000 diff --git a/test/unit/.gitkeep b/test/unit/.gitkeep deleted file mode 100755 index e69de29..0000000 From 6ea16fbe18573899cecacd99a85ec1e2822673f8 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Thu, 3 Jul 2014 07:55:41 -0500 Subject: [PATCH 7/9] Update powrc to maintain backward compatibility --- .powrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.powrc b/.powrc index c99e5b2..b8d32ef 100644 --- a/.powrc +++ b/.powrc @@ -1,7 +1,9 @@ if [ -f "${rvm_path}/scripts/rvm" ]; then source "${rvm_path}/scripts/rvm" - if [ -f ".ruby-version" ] && [ -f ".ruby-gemset" ]; then + if [ -f ".rvmrc" ]; then + source ".rvmrc" + elif [ -f ".ruby-version" ] && [ -f ".ruby-gemset" ]; then rvm use `cat .ruby-version`@`cat .ruby-gemset` fi fi \ No newline at end of file From 68e6a01743594baa05139ea9e653eaf6191d7284 Mon Sep 17 00:00:00 2001 
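Review bot: The new `source ".rvmrc"` branch runs whatever a `.rvmrc` in the project directory contains, and plain `source` bypasses the trust prompt RVM applies to such files (the prompt the README hunk in patch 2 quotes, warning that the file "may contain any shell commands"), so a modified or unreviewed `.rvmrc` would execute with no check at all. Since patch 1 deleted the repository's own `.rvmrc`, the branch only fires for a locally created file; if it is kept for users who still have one, say so in the script, e.g. `# Legacy .rvmrc fallback: sourced directly, without RVM's trust prompt` above the `if`. Checking the `.ruby-version`/`.ruby-gemset` pair first and falling back to `.rvmrc` only when they are absent would also match the direction patch 1 took. This hunk covers the whole file.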
From: James Espinosa
Date: Sat, 5 Jul 2014 19:15:32 -0500
Subject: [PATCH 8/9] Clean up trailing and leading whitespace

---
 app/controllers/admin_controller.rb | 12 ++---
 app/controllers/api/v1/users_controller.rb | 24 +++++-----
 app/controllers/application_controller.rb | 2 +-
 app/controllers/benefit_forms_controller.rb | 24 +++++-----
 app/controllers/dashboard_controller.rb | 4 +-
 app/controllers/paid_time_off_controller.rb | 2 +-
 app/controllers/pay_controller.rb | 18 ++++----
 app/controllers/performance_controller.rb | 4 +-
 app/controllers/retirement_controller.rb | 4 +-
 app/controllers/schedule_controller.rb | 18 ++++----
 app/controllers/sessions_controller.rb | 16 +++----
 app/controllers/tutorials_controller.rb | 46 +++++++++----------
 app/controllers/work_info_controller.rb | 10 ++--
 app/models/benefits.rb | 14 +++---
 app/models/key_management.rb | 2 +-
 app/models/paid_time_off.rb | 4 +-
 app/models/pay.rb | 16 +++----
 app/models/performance.rb | 4 +-
 app/models/schedule.rb | 2 +-
 app/models/user.rb | 20 ++++----
 app/models/work_info.rb | 16 +++----
 app/views/admin/dashboard.html.erb | 10 ++--
 app/views/benefit_forms/index.html.erb | 22 ++++-----
 app/views/dashboard/home.html.erb | 10 ++--
 app/views/layouts/admin/_analytics.html.erb | 6 +--
 .../layouts/admin/_get_all_users.html.erb | 4 +-
 app/views/layouts/admin/_get_user.html.erb | 32 ++++++-------
 app/views/layouts/application.html.erb | 14 +++---
 app/views/layouts/shared/_header.html.erb | 4 +-
 app/views/layouts/shared/_messages.html.erb | 2 +-
 app/views/layouts/shared/_sidebar.html.erb | 12 ++---
 app/views/layouts/tutorial/_header.html.erb | 2 +-
 app/views/layouts/tutorial/_sidebar.html.erb | 16 +++----
 .../_access_control_first.html.erb | 10 ++--
 .../_insecure_compare.html.erb | 16 +++----
 .../_password_complexity.html.erb | 12 ++---
 .../broken_auth_sess/_user_pass_enum.html.erb | 12 ++---
 .../tutorial/credentials/_creds.html.erb | 24 +++++-----
 .../tutorial/csrf/_csrf_first.html.erb | 16 +++----
 .../_model_attributes_exposure.html.erb | 10 ++--
 .../exposure/_password_hashing.html.erb | 16 +++----
 .../layouts/tutorial/exposure/_ssn.html.erb | 20 ++++----
 .../injection/_injection_command.html.erb | 22 ++++-----
 .../injection/_injection_first.html.erb | 14 +++---
 .../tutorial/injection/_sqli_scope.html.erb | 26 +++++------
 .../_insecure_components_first.html.erb | 2 +-
 .../_insecure_components_second.html.erb | 6 +--
 .../insecure_dor/_insecure_dor_first.html.erb | 10 ++--
 .../logic_flaws/_broken_regexp.html.erb | 40 ++++++++--------
 .../_insecure_crypto_reuse.html.erb | 16 +++----
 .../_admin_mass_assign.html.erb | 28 +++++------
 .../_benefit_forms_constantize.html.erb | 24 +++++-----
 .../misconfig/_misconfig_first.html.erb | 4 +-
 .../misconfig/_misconfig_second.html.erb | 2 +-
 .../redirects/_redirects_first.html.erb | 22 ++++-----
 .../tutorial/ssl_tls/_ssl_tls_first.html.erb | 4 +-
 .../url_access/_url_access_first.html.erb | 20 ++++----
 .../layouts/tutorial/xss/_dom_xss.html.erb | 24 +++++-----
 .../layouts/tutorial/xss/_xss_first.html.erb | 10 ++--
 app/views/layouts/tutorials.html.erb | 8 ++--
 app/views/messages/index.html.erb | 16 +++----
 app/views/messages/show.html.erb | 2 +-
 app/views/paid_time_off/index.html.erb | 14 +++---
 app/views/pay/index.html.erb | 46 +++++++++----------
 app/views/performance/index.html.erb | 2 +-
 app/views/retirement/index.html.erb | 4 +-
 app/views/sessions/new.html.erb | 8 ++--
 app/views/tutorials/exposure.html.erb | 10 ++--
 app/views/tutorials/gauntlt.html.erb | 6 +--
 app/views/tutorials/guard.html.erb | 2 +-
 app/views/tutorials/index.html.erb | 20 ++++----
 app/views/tutorials/misconfig.html.erb | 2 +-
 app/views/users/account_settings.html.erb | 26 +++++------
 app/views/users/new.html.erb | 16 +++----
 app/views/work_info/index.html.erb | 10 ++--
 75 files changed, 499 insertions(+), 499 deletions(-)

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 4cde79f..1c5c160 100755
--- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,8 +1,8 @@ class AdminController < ApplicationController - + before_filter :administrative, :if => :admin_param skip_before_filter :has_info - + def dashboard end @@ -27,14 +27,14 @@ class AdminController < ApplicationController @users = User.all render :partial => "layouts/admin/get_all_users" end - + def get_user @user = User.find_by_id(params[:admin_id].to_s) arr = ["true", "false"] @admin_select = @user.admin ? arr : arr.reverse render :partial => "layouts/admin/get_user" end - + def update_user user = User.find_by_id(params[:admin_id]) if user @@ -48,7 +48,7 @@ class AdminController < ApplicationController format.json { render :json => { :msg => message ? "success" : "failure"} } end end - + def delete_user user = User.find_by_user_id(params[:admin_id]) if user && !(current_user.user_id == user.user_id) @@ -67,5 +67,5 @@ class AdminController < ApplicationController def admin_param params[:admin_id] != '1' end - + end diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb index 6866774..5ee6797 100644 --- a/app/controllers/api/v1/users_controller.rb +++ b/app/controllers/api/v1/users_controller.rb @@ -1,23 +1,23 @@ class Api::V1::UsersController < ApplicationController - + skip_before_filter :authenticated before_filter :valid_api_token before_filter :extrapolate_user - + respond_to :json - + def index # We removed the .as_json code from the model, just seemed like extra work. # dunno, maybe useful at a later time? #respond_with @user.admin ? User.all.as_json : @user.as_json - + respond_with @user.admin ? User.all : @user end - + def show respond_with @user.as_json end - + private def valid_api_token @@ -26,7 +26,7 @@ private identify_user(token) end end - + def identify_user(token="") # We've had issues with URL encoding, etc. causing issues so just to be safe # we will go ahead and unescape the user's token 
@@ -37,21 +37,21 @@ private (id && hash) ? true : false check_hash(id, hash) ? true : false end - + def check_hash(id, hash) digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}") - hash == digest + hash == digest end - + # We had some issues with the token and url encoding... # this is an attempt to normalize the data. def unescape_token(token="") @clean_token = CGI::unescape(token) end - + # Added a method to make it easy to figure out who the user is. def extrapolate_user @user = User.find_by_id(@clean_token.split("-").first) end - + end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3e56186..5ba7518 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,7 +10,7 @@ class ApplicationController < ActionController::Base def current_user @current_user ||= ( - User.find_by_auth_token(cookies[:auth_token].to_s) || + User.find_by_auth_token(cookies[:auth_token].to_s) || User.find_by_user_id(session[:user_id].to_s) ) end diff --git a/app/controllers/benefit_forms_controller.rb b/app/controllers/benefit_forms_controller.rb index 64b851e..da34c50 100644 --- a/app/controllers/benefit_forms_controller.rb +++ b/app/controllers/benefit_forms_controller.rb @@ -1,12 +1,12 @@ class BenefitFormsController < ApplicationController - + def index @benefits = Benefits.new end def download - begin + begin path = params[:name] file = params[:type].constantize.new(path) send_file file, :disposition => 'attachment' @@ -14,7 +14,7 @@ class BenefitFormsController < ApplicationController redirect_to user_benefit_forms_path(:user_id => current_user.user_id) end end - + def upload file = params[:benefits][:upload] if file 
@@ -22,23 +22,23 @@ class BenefitFormsController < ApplicationController Benefits.save(file, params[:benefits][:backup]) else flash[:error] = "Something went wrong" - end + end redirect_to user_benefit_forms_path(:user_id => current_user.user_id) end - -=begin + +=begin # More secure version def download file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"} - begin + begin if file_assoc.has_key?(params[:name].to_s) path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s]) if params[:type] == "File" - file = params[:type].constantize.new(path) + file = params[:type].constantize.new(path) send_file file, :disposition => 'attachment' - end - else + end + else file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf") send_file file, :disposition => 'attachment' end @@ -46,7 +46,7 @@ class BenefitFormsController < ApplicationController redirect_to user_benefit_forms_path(:user_id => current_user.user_id) end end -=end +=end + - end diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb index 41d4236..9ce2834 100755 --- a/app/controllers/dashboard_controller.rb +++ b/app/controllers/dashboard_controller.rb @@ -1,7 +1,7 @@ class DashboardController < ApplicationController - + skip_before_filter :has_info - + def home @user = current_user diff --git a/app/controllers/paid_time_off_controller.rb b/app/controllers/paid_time_off_controller.rb index ea64301..fb63087 100644 --- a/app/controllers/paid_time_off_controller.rb +++ b/app/controllers/paid_time_off_controller.rb @@ -1,5 +1,5 @@ class PaidTimeOffController < ApplicationController - + def index @pto = current_user.paid_time_off @schedule = Schedule.new diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb index 6a71dc3..2089179 100644 --- a/app/controllers/pay_controller.rb +++ b/app/controllers/pay_controller.rb 
@@ -1,28 +1,28 @@ class PayController < ApplicationController - + def index end - + def update_dd_info msg = false pay = Pay.new( - :bank_account_num => params[:bank_account_num], - :bank_routing_num => params[:bank_routing_num], + :bank_account_num => params[:bank_account_num], + :bank_routing_num => params[:bank_routing_num], :percent_of_deposit => params[:dd_percent] ) pay.user_id = current_user.user_id - msg = true if pay.save! + msg = true if pay.save! respond_to do |format| format.json {render :json => {:msg => msg } } end end - + def show respond_to do |format| format.json { render :json => {:user => current_user.pay.as_json} } end end - + def destroy pay = Pay.find_by_id(params[:id]) if pay.present? and pay.destroy @@ -32,12 +32,12 @@ class PayController < ApplicationController end redirect_to user_pay_index_path end - + def decrypted_bank_acct_num decrypted = Encryption.decrypt_sensitive_value(params[:value_to_decrypt]) respond_to do |format| format.json {render :json => {:account_num => decrypted || "No Data" }} end end - + end diff --git a/app/controllers/performance_controller.rb b/app/controllers/performance_controller.rb index bdbff15..767fc65 100644 --- a/app/controllers/performance_controller.rb +++ b/app/controllers/performance_controller.rb @@ -1,7 +1,7 @@ class PerformanceController < ApplicationController - + def index @perf = current_user.performance end - + end diff --git a/app/controllers/retirement_controller.rb b/app/controllers/retirement_controller.rb index 1a376ee..b3663fc 100644 --- a/app/controllers/retirement_controller.rb +++ b/app/controllers/retirement_controller.rb @@ -1,7 +1,7 @@ class RetirementController < ApplicationController - + def index @info = current_user.retirement end - + end diff --git a/app/controllers/schedule_controller.rb b/app/controllers/schedule_controller.rb index 82d4736..f9d8a57 100644 --- a/app/controllers/schedule_controller.rb +++ b/app/controllers/schedule_controller.rb 
@@ -1,7 +1,7 @@ class ScheduleController < ApplicationController def create message = false - + if params[:schedule][:event_type] == "pto" sched = Schedule.new(params[:schedule]) sched.date_begin, sched.date_end = format_schedule_date(params[:date_range1]) @@ -11,12 +11,12 @@ class ScheduleController < ApplicationController message = true end end - + respond_to do |format| format.json {render :json => {:msg => message ? "success" : "failure" }} end end - + def get_pto_schedule begin schedules = current_user.paid_time_off.schedule @@ -29,17 +29,17 @@ class ScheduleController < ApplicationController hash[:end] = s[:date_end] jfs << hash end - rescue + rescue end respond_to do |format| format.json do render :json => jfs.to_json - end + end end end - + private - + # Returns a two part array consisting of dates # First value is the begin date and the second is the end date def format_schedule_date(date_array) @@ -50,10 +50,10 @@ class ScheduleController < ApplicationController date = Date.strptime(s.strip, '%m/%d/%Y') vals <<(date) end - rescue ArgumentError + rescue ArgumentError return [] end return vals end - + end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index a13bbc7..4b90e41 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb 
@@ -1,22 +1,22 @@ class SessionsController < ApplicationController - + skip_before_filter :has_info skip_before_filter :authenticated, :only => [:new, :create] - + def new @url = params[:url] redirect_to home_dashboard_index_path if current_user end - + def create - path = params[:url].present? ? params[:url] : home_dashboard_index_path + path = params[:url].present? ? params[:url] : home_dashboard_index_path begin # Normalize the email address, why not user = User.authenticate(params[:email].to_s.downcase, params[:password]) # @url = params[:url] rescue Exception => e end - + if user if params[:remember_me] cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? @@ -26,12 +26,12 @@ class SessionsController < ApplicationController redirect_to path else # Removed this code, just doesn't seem specific enough! - # flash[:error] = "Either your username and password is incorrect" + # flash[:error] = "Either your username and password is incorrect" flash[:error] = e.message render "new" - end + end end - + def destroy cookies.delete(:auth_token) reset_session diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb index 7f878f3..3a294d5 100755 --- a/app/controllers/tutorials_controller.rb +++ b/app/controllers/tutorials_controller.rb @@ -1,26 +1,26 @@ class TutorialsController < ApplicationController - + skip_before_filter :has_info skip_before_filter :authenticated - + def index end - + def credentials render :partial => "layouts/tutorial/credentials/creds" end - + def show render "injection" end - + def injection end - + def xss @code = %{
  • - } @meta_code_good = %{<%= csrf_meta_tags %> } @@ -55,10 +55,10 @@ class TutorialsController < ApplicationController \} \}); \}); - + \} } end - + def misconfig end @@ -67,33 +67,33 @@ class TutorialsController < ApplicationController def access_control end - + def crypto end - + def url_access end - + def ssl_tls end - + def redirects end - + def guard end - + def logic_flaws end - + def mass_assignment end - + def guantlt - + end - + def metaprogramming end - + end diff --git a/app/controllers/work_info_controller.rb b/app/controllers/work_info_controller.rb index 1ba3981..2238259 100644 --- a/app/controllers/work_info_controller.rb +++ b/app/controllers/work_info_controller.rb @@ -1,8 +1,8 @@ class WorkInfoController < ApplicationController - + def index @user = User.find_by_user_id(params[:user_id]) - if !(@user) || @user.admin + if !(@user) || @user.admin flash[:error] = "Sorry, no user with that user id exists" redirect_to home_dashboard_index_path end @@ -12,11 +12,11 @@ class WorkInfoController < ApplicationController # More secure version def index @user = current_user - if !(@user) || @user.admin + if !(@user) || @user.admin flash[:error] = "Apologies, looks like something went wrong" redirect_to home_dashboard_index_path end end -=end - +=end + end diff --git a/app/models/benefits.rb b/app/models/benefits.rb index 5764c9d..9b0feb5 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -1,6 +1,6 @@ class Benefits < ActiveRecord::Base attr_accessor :backup - + def self.save(file, backup=false) data_path = Rails.root.join("public", "data") full_file_name = "#{data_path}/#{file.original_filename}" 
@@ -9,18 +9,18 @@ class Benefits < ActiveRecord::Base f.close make_backup(file, data_path, full_file_name) if backup == "true" end - + def self.make_backup(file, data_path, full_file_name) - if File.exists?(full_file_name) + if File.exists?(full_file_name) silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") } - end + end end -=begin +=begin def self.make_backup(file, data_path, full_file_name) FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}" end -=end +=end def self.silence_streams(*streams) on_hold = streams.collect { |stream| stream.dup } @@ -34,5 +34,5 @@ class Benefits < ActiveRecord::Base stream.reopen(on_hold[i]) end end - + end diff --git a/app/models/key_management.rb b/app/models/key_management.rb index 174b80c..f15c339 100644 --- a/app/models/key_management.rb +++ b/app/models/key_management.rb @@ -2,5 +2,5 @@ class KeyManagement < ActiveRecord::Base attr_accessible :iv, :user_id belongs_to :work_info belongs_to :user - + end diff --git a/app/models/paid_time_off.rb b/app/models/paid_time_off.rb index 3628d22..8c980b6 100644 --- a/app/models/paid_time_off.rb +++ b/app/models/paid_time_off.rb @@ -6,11 +6,11 @@ class PaidTimeOff < ActiveRecord::Base def sick_days_remaining self.sick_days_earned - self.sick_days_taken end - + def pto_days_remaining self.pto_earned - self.pto_taken end - + def sick_days_taken_percentage result = self.sick_days_taken.to_f / self.sick_days_earned.to_f * 100.0 end diff --git a/app/models/pay.rb b/app/models/pay.rb index 78f0278..56616b1 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb 
@@ -1,25 +1,25 @@ class Pay < ActiveRecord::Base - + # mass-assignable attributes attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit - + # Associations - belongs_to :user - + belongs_to :user + # Validations validates :bank_account_num, presence: true validates :bank_routing_num, presence: true validates :percent_of_deposit, presence: true - + # callbacks before_save :encrypt_bank_account_num - + def as_json super(only: [:bank_account_num, :bank_routing_num, :percent_of_deposit, :id]) end - + def encrypt_bank_account_num self.bank_account_num = Encryption.encrypt_sensitive_value(self.bank_account_num) end - + end diff --git a/app/models/performance.rb b/app/models/performance.rb index f6785b1..73f25c1 100644 --- a/app/models/performance.rb +++ b/app/models/performance.rb @@ -1,7 +1,7 @@ class Performance < ActiveRecord::Base attr_accessible :comments, :date_submitted, :reviewer, :score - belongs_to :user - + belongs_to :user + def reviewer_name u = User.find_by_id(self.reviewer) u.full_name if u.respond_to?('fullname') diff --git a/app/models/schedule.rb b/app/models/schedule.rb index ed7dcc5..fc66df7 100644 --- a/app/models/schedule.rb +++ b/app/models/schedule.rb @@ -1,6 +1,6 @@ class Schedule < ActiveRecord::Base attr_accessible :date_begin, :date_end, :event_desc, :event_name, :event_type belongs_to :paid_time_off - + validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type end diff --git a/app/models/user.rb b/app/models/user.rb index 261703e..7af6ed9 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -13,7 +13,7 @@ class User < ActiveRecord::Base :confirmation => true, :if => :password, :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} -=end +=end validates_presence_of :email validates_uniqueness_of :email validates_format_of :email, :with => /.+@.+\..+/i 
@@ -37,11 +37,11 @@ class User < ActiveRecord::Base #work_info.build_key_management(:iv => SecureRandom.hex(32)) performance.build(POPULATE_PERFORMANCE.shuffle.first) end - + def full_name "#{self.first_name} #{self.last_name}" end - + =begin # Instead of the entire user object being returned, we can use this to filter. def as_json @@ -59,10 +59,10 @@ private auth = user else raise "Incorrect Password!" - end + end return auth - end - + end + =begin # More secure version, still lacking a decent hashing routine, this is for timing attack prevention def self.authenticate(email, password) @@ -71,9 +71,9 @@ private return user else raise "Incorrect username or password" - end + end end -=end +=end def assign_user_id unless @skip_user_id_assign.present? || self.user_id.present? @@ -82,7 +82,7 @@ private self.user_id = uid.to_s if uid end end - + def hash_password unless @skip_hash_password == true if password.present? @@ -90,7 +90,7 @@ private end end end - + def generate_token(column) begin self[column] = Encryption.encrypt_sensitive_value(self.user_id) diff --git a/app/models/work_info.rb b/app/models/work_info.rb index c8e30d8..e594766 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -3,13 +3,13 @@ class WorkInfo < ActiveRecord::Base belongs_to :user has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy #before_save :encrypt_ssn - - + + # We should probably use this def last_four "***-**-" << self.decrypt_ssn[-4,4] end - + def encrypt_ssn aes = OpenSSL::Cipher::Cipher.new(cipher_type) aes.encrypt @@ -18,7 +18,7 @@ class WorkInfo < ActiveRecord::Base self.encrypted_ssn = aes.update(self.SSN) + aes.final self.SSN = nil end - + def decrypt_ssn aes = OpenSSL::Cipher::Cipher.new(cipher_type) aes.decrypt 
@@ -26,19 +26,19 @@ class WorkInfo < ActiveRecord::Base aes.iv = iv if iv != nil aes.update(self.encrypted_ssn) + aes.final end - + def key raise "Key Missing" if !(KEY) KEY end - + def iv raise "No IV for this User" if !(self.key_management.iv) self.key_management.iv end - + def cipher_type 'aes-256-cbc' end - + end diff --git a/app/views/admin/dashboard.html.erb b/app/views/admin/dashboard.html.erb index da2c845..7998520 100755 --- a/app/views/admin/dashboard.html.erb +++ b/app/views/admin/dashboard.html.erb @@ -11,7 +11,7 @@

    - +
    - +
    - - - + + + <%= javascript_include_tag "jquery.dataTables.js"%> diff --git a/app/views/benefit_forms/index.html.erb b/app/views/benefit_forms/index.html.erb index 3c48e5c..a212c20 100644 --- a/app/views/benefit_forms/index.html.erb +++ b/app/views/benefit_forms/index.html.erb @@ -2,7 +2,7 @@
    - +
    @@ -21,14 +21,14 @@ PDF
    - +
    <% end %>
    - +
    @@ -47,11 +47,11 @@ PDF
    - +
    <% end %>
    - + @@ -108,27 +108,27 @@ - + \ No newline at end of file diff --git a/app/views/dashboard/home.html.erb b/app/views/dashboard/home.html.erb index 4cdbdbf..8276848 100755 --- a/app/views/dashboard/home.html.erb +++ b/app/views/dashboard/home.html.erb @@ -1,19 +1,19 @@
    - +
    - <% if @user.paid_time_off %> + <% if @user.paid_time_off %> <%= render :partial => "layouts/dashboard/dashboard_stats"%> - <% end %> + <% end %>
    -
    +
    diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb index bcc55e5..2c08669 100755 --- a/app/views/layouts/application.html.erb +++ b/app/views/layouts/application.html.erb @@ -16,26 +16,26 @@ end -<% if current_user %> - <%= render "layouts/shared/header" %> +<% if current_user %> + <%= render "layouts/shared/header" %> <%= render "layouts/shared/sidebar" %> <% else %> - <%= render "layouts/tutorial/header" %> - <%= render "layouts/tutorial/sidebar" %> + <%= render "layouts/tutorial/header" %> + <%= render "layouts/tutorial/sidebar" %> <% end %>
    <%= render "layouts/shared/messages" %> <%= yield %>
    -
    + <%= render "layouts/shared/footer" %> - + - + diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb index 3a62d80..5426bab 100755 --- a/app/views/layouts/shared/_header.html.erb +++ b/app/views/layouts/shared/_header.html.erb @@ -8,7 +8,7 @@