Merge branch 'pr-136'

2014-07-11 06:28:54 -04:00
parent daa670da61 7e4fad462b
commit 52d5c6a5a3
105 changed files with 3192 additions and 3288 deletions
@@ -1,4 +1,9 @@
-if [ -f "$rvm_path/scripts/rvm" ] && [ -f ".rvmrc" ]; then
+if [ -f "${rvm_path}/scripts/rvm" ]; then
-  source "$rvm_path/scripts/rvm"
+  source "${rvm_path}/scripts/rvm"
  if [ -f ".rvmrc" ]; then
    source ".rvmrc"
  elif [ -f ".ruby-version" ] && [ -f ".ruby-gemset" ]; then
    rvm use `cat .ruby-version`@`cat .ruby-gemset`
  fi
 fi
@@ -0,0 +1 @@
 railsgoat
@@ -0,0 +1 @@
 2.1.2
@@ -1 +0,0 @@
 rvm use 2.1.2@railsgoat --create
@@ -1,6 +1,6 @@
 The MIT License (MIT)
-Copyright (c) 2013  The Open Web Application Security Project
+Copyright (c) 2013-2014 The Open Web Application Security Project
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -4,13 +4,10 @@ RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vu
 ## Getting Started
 To begin, install the Ruby Version Manager (RVM):
 ```
-$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=1.9.3
+$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2
 $ rvm use 2.1.2@railsgoat --create # https://rvm.io/
 ```
 After installing the package, clone this repo:
@@ -19,22 +16,7 @@ After installing the package, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```
-Navigate into the directory and accept the notice by typing `yes`:
+Navigate into the directory and install the dependencies:
 ```
 ****************************************************************************************************
 * NOTICE                                                                                           *
 ****************************************************************************************************
 * RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell      *
 * script and therefore may contain any shell commands.                                             *
 *                                                                                                  *
 * Examine the contents of this file carefully to be sure the contents are safe before trusting it! *
 * Do you wish to trust '/path/to/railsgoat/.rvmrc'?                                                *
 * Choose v[view] below to view the contents                                                        *
 ****************************************************************************************************
 y[es], n[o], v[iew], c[cancel]>
 ```
 Install the project dependencies:
 ```
 $ bundle install
@@ -52,7 +34,7 @@ Initialize the database:
 $ rake db:setup
 ```
-Start the WEBrick HTTP Server:
+Start the Thin web server:
 ```
 $ rails server
@@ -101,7 +83,7 @@ Conversion to the OWASP Top Ten 2013 completed in November, 2013.
 The MIT License (MIT)
-Copyright (c) 2013 The Open Web Application Security Project
+Copyright (c) 2013-2014 The Open Web Application Security Project
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
@@ -1,5 +1,4 @@
 class AdminController < ApplicationController
  before_filter :administrative, :if => :admin_param
  skip_before_filter :has_info
@@ -67,5 +66,4 @@ class AdminController < ApplicationController
  def admin_param
    params[:admin_id] != '1'
  end
 end
@@ -1,5 +1,4 @@
 class Api::V1::MobileController < ApplicationController
  skip_before_filter :authenticated
  before_filter :mobile_request?
@@ -30,5 +29,4 @@ class Api::V1::MobileController < ApplicationController
      request.user_agent =~ /ios|android/i
    end
  end
 end
@@ -1,5 +1,4 @@
 class Api::V1::UsersController < ApplicationController
  skip_before_filter :authenticated
  before_filter :valid_api_token
  before_filter :extrapolate_user
@@ -10,7 +9,6 @@ class Api::V1::UsersController < ApplicationController
    # We removed the .as_json code from the model, just seemed like extra work.
    # dunno, maybe useful at a later time?
    #respond_with @user.admin ? User.all.as_json : @user.as_json
    respond_with @user.admin ? User.all : @user
  end
@@ -18,7 +16,7 @@ class Api::V1::UsersController < ApplicationController
    respond_with @user.as_json
  end
-private
+  private
  def valid_api_token
    authenticate_or_request_with_http_token do |token, options|
@@ -53,5 +51,4 @@ private
  def extrapolate_user
    @user = User.find_by_id(@clean_token.split("-").first)
  end
 end
@@ -1,5 +1,4 @@
 class ApplicationController < ActionController::Base
  before_filter :authenticated, :has_info, :create_analytic
  helper_method :current_user, :is_admin?, :sanitize_font
@@ -53,5 +52,4 @@ class ApplicationController < ActionController::Base
    css
    # css if css.match(/\A[0-9]+([\%]|pt)\z/)
  end
 end
@@ -4,7 +4,6 @@ class BenefitFormsController < ApplicationController
    @benefits = Benefits.new
  end
  def download
   begin
     path = params[:name]
@@ -26,7 +25,6 @@ class BenefitFormsController < ApplicationController
    redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
  end
 =begin
    # More secure version
    def download
@@ -47,6 +45,4 @@ class BenefitFormsController < ApplicationController
     end
    end
 =end
 end
@@ -1,5 +1,4 @@
 class DashboardController < ApplicationController
  skip_before_filter :has_info
  def home
@@ -10,5 +9,4 @@ class DashboardController < ApplicationController
    	cookies[:font] = params[:font]
    end
  end
 end
@@ -33,5 +33,4 @@ class MessagesController < ApplicationController
      end
    end
  end
 end
@@ -1,7 +1,6 @@
 class PasswordResetsController < ApplicationController
  skip_before_filter :authenticated
  def reset_password
    user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
@@ -39,5 +39,4 @@ class PayController < ApplicationController
      format.json {render :json => {:account_num => decrypted || "No Data" }}
    end
  end
 end
@@ -3,5 +3,4 @@ class PerformanceController < ApplicationController
  def index
    @perf = current_user.performance
  end
 end
@@ -3,5 +3,4 @@ class RetirementController < ApplicationController
  def index
    @info = current_user.retirement
  end
 end
@@ -1,4 +1,5 @@
 class ScheduleController < ApplicationController
  def create
    message = false
@@ -55,5 +56,4 @@ class ScheduleController < ApplicationController
   end
     return vals
  end
 end
@@ -1,5 +1,4 @@
 class SessionsController < ApplicationController
  skip_before_filter :has_info
  skip_before_filter :authenticated, :only => [:new, :create]
@@ -37,5 +36,4 @@ class SessionsController < ApplicationController
    reset_session
    redirect_to root_path
  end
 end
@@ -1,5 +1,4 @@
 class TutorialsController < ApplicationController
  skip_before_filter :has_info
  skip_before_filter :authenticated
@@ -95,5 +94,4 @@ class TutorialsController < ApplicationController
  def metaprogramming
  end
 end
@@ -1,9 +1,7 @@
 class UsersController < ApplicationController
  skip_before_filter :has_info
  skip_before_filter :authenticated, :only => [:new, :create]
  def new
    @user = User.new
  end
@@ -52,5 +50,4 @@ class UsersController < ApplicationController
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
 end
@@ -1,5 +1,4 @@
 class WorkInfoController < ApplicationController
  def index
    @user = User.find_by_user_id(params[:user_id])
    if !(@user) || @user.admin
@@ -18,5 +17,4 @@ class WorkInfoController < ApplicationController
    end
  end
 =end
 end
@@ -34,5 +34,4 @@ class Benefits < ActiveRecord::Base
      stream.reopen(on_hold[i])
    end
  end
 end
@@ -2,5 +2,4 @@ class KeyManagement < ActiveRecord::Base
  attr_accessible :iv, :user_id
  belongs_to :work_info
  belongs_to :user
 end
@@ -14,5 +14,4 @@ class PaidTimeOff < ActiveRecord::Base
  def sick_days_taken_percentage
    result = self.sick_days_taken.to_f /  self.sick_days_earned.to_f * 100.0
  end
 end
@@ -1,5 +1,4 @@
 class Pay < ActiveRecord::Base
  # mass-assignable attributes
  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit
@@ -21,5 +20,4 @@ class Pay < ActiveRecord::Base
  def encrypt_bank_account_num
    self.bank_account_num = Encryption.encrypt_sensitive_value(self.bank_account_num)
  end
 end
@@ -1,7 +1,6 @@
 require 'encryption'
 class User < ActiveRecord::Base
  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
@@ -49,7 +48,7 @@ class User < ActiveRecord::Base
  end
 =end
-private
+  private
  def self.authenticate(email, password)
    auth = nil
@@ -96,5 +95,4 @@ private
      self[column] = Encryption.encrypt_sensitive_value(self.user_id)
    end while User.exists?(column => self[column])
  end
 end
@@ -4,7 +4,6 @@ class WorkInfo < ActiveRecord::Base
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
  # We should probably use this
  def last_four
    "***-**-" << self.decrypt_ssn[-4,4]
@@ -40,5 +39,4 @@ class WorkInfo < ActiveRecord::Base
  def cipher_type
    'aes-256-cbc'
  end
 end
@@ -3,51 +3,41 @@
    <div class="row-fluid">
      <div class="span12">
        <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
-		            <h4 class="alert-heading">
+          <h4 class="alert-heading">Success!</h4>
-		              Success!
+          <p>User information successfully updated.</p>
 		            </h4>
 		            <p>
 		              User information successfully updated.
 		            </p>
        </div>
      </div>
    </div>
    <div class="row-fluid">
      <div class="span12">
        <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
-                    <h4 class="alert-heading">
+          <h4 class="alert-heading">Error!</h4>
-                      Error!
+          <p>Something went wrong.</p>
                    </h4>
                    <p>
                      Something went wrong.
                    </p>
        </div>
      </div>
    </div>
    <div class="row-fluid">
      <div class="span12">
        <div class="widget">
          <div class="widget-header">
            <div class="title">
-							<span class="fs1" aria-hidden="true" data-icon="&#xe071;"></span>
+              <span class="fs1" aria-hidden="true" data-icon="&#xe071;"></span>Manage Users
 							Manage Users
            </div>
          </div>
 					<div id="userDataTable" class="widget-body">
          <div id="userDataTable" class="widget-body">
          </div> <!-- End widget-body-->
        </div> <!-- End widget header-->
      </div>
    </div>
  </div>
 </div>
 <%= javascript_include_tag "jquery.dataTables.js"%>
 <script type="text/javascript">
 function dataTablePagination(){
  $('#data-table').dataTable({
    "sPaginationType": "full_numbers"
@@ -110,25 +110,17 @@
  </div>
 </div>
 <script type="text/javascript">
  $(function() {
    $("#benefits_upload").change(function (){
      var fileName = $(this).val();
      $(".filename").html(fileName);
    });
  });
  function makeActive(){
    $('li[id="benefit_forms"]').addClass('active');
  };
- 	$(document).ready(
+  $(document).ready(makeActive);
 	   makeActive
 	);
 </script>
@@ -1,7 +1,5 @@
 <div class="dashboard-wrapper">
  <div class="main-container">
    <div class="row-fluid">
        <div class="span12"> <!--begin span12 -->
        <% if @user.paid_time_off %>
@@ -14,7 +12,6 @@
 <script type="text/javascript">
 function makeActive(){
  $('li[id="home"]').addClass('active');
 };
@@ -132,7 +129,6 @@ function pieChartHome() {
    }, 41000);
  });
  $(function () {
    //create instance
    $('.chart5').easyPieChart({
@@ -161,12 +157,11 @@ function pieChartHome() {
    }, 47000);
  });
-  }
+}
 $(document).ready(
  makeActive,
  pieChartHome()
 );
 </script>
@@ -41,6 +41,5 @@ function dataTablePagination(){
    });
 };
 $(document).ready(dataTablePagination());
 </script>
@@ -56,6 +56,5 @@ function dataTablePagination(){
    });
 };
 $(document).ready(dataTablePagination());
 </script>
@@ -1,7 +1,4 @@
 <!-- Begin Modal -->
    <div class="modal-header">
      <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
        ×
@@ -1,5 +1,4 @@
 <header>
    <span style="color:#eee;margin-left:10px;">
     Font Size:
     <a href="<%= home_dashboard_index_path %>?font=8pt" style="font-size:10pt;color:#eee;">A</a>
@@ -10,7 +10,6 @@
 </script>
 <![endif]-->
 </head>
 <body>
@@ -51,7 +51,6 @@
 <script type="text/javascript">
 google.load("visualization", "1", {
  packages: ["corechart"]
 });
@@ -45,8 +45,6 @@
      </span>
          <div class="clearfix"></div>
          <% end %>
        </div>
@@ -24,8 +24,6 @@
  </div>
 </div>
 <script type="text/javascript">
 function openSub(){
@@ -16,8 +16,6 @@
  </div>
 </div>
 <script type="text/javascript">
 function openSub(){
@@ -74,7 +74,6 @@
            </div>
        </div>
    </div>
    </div>
  </div>
@@ -101,7 +101,3 @@ $("#submit_button").click(function(event) {
 });
 </script>
@@ -1,7 +1,6 @@
 <div class="row-fluid">
  <div class="span12">
        <div class="row-fluid">
          <div class="span4 offset4">
            <div class="signup">
@@ -37,7 +36,6 @@
          </div>
        </div>
  </div>
 </div>
@@ -52,12 +52,10 @@ function maskSSN(){
 }
 function makeActive(){
  $('li[id="employee_info"]').addClass('active');
 };
 $(document).ready(function () {
   maskSSN(),
   makeActive()
`@@ -101,7 +101,3 @@ $("#submit_button").click(function(event) {`
	`});`	`});`

	`</script>`	`</script>`