Merge branch 'pr-136'

2014-07-11 06:28:54 -04:00
parent daa670da61 7e4fad462b
commit 52d5c6a5a3
105 changed files with 3192 additions and 3288 deletions
@@ -1,4 +1,9 @@
-if [ -f "$rvm_path/scripts/rvm" ] && [ -f ".rvmrc" ]; then
-  source "$rvm_path/scripts/rvm"
+if [ -f "${rvm_path}/scripts/rvm" ]; then
+  source "${rvm_path}/scripts/rvm"
+
+  if [ -f ".rvmrc" ]; then
    source ".rvmrc"
+  elif [ -f ".ruby-version" ] && [ -f ".ruby-gemset" ]; then
+    rvm use `cat .ruby-version`@`cat .ruby-gemset`
+  fi
 fi
@@ -0,0 +1 @@
+railsgoat
@@ -0,0 +1 @@
+2.1.2
@@ -1 +0,0 @@
-rvm use 2.1.2@railsgoat --create
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2013  The Open Web Application Security Project
+Copyright (c) 2013-2014 The Open Web Application Security Project

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -4,13 +4,10 @@ RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vu

 ## Getting Started

-
-
 To begin, install the Ruby Version Manager (RVM):

 ```
-$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=1.9.3
-$ rvm use 2.1.2@railsgoat --create # https://rvm.io/
+$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2
 ```

 After installing the package, clone this repo:
@@ -19,22 +16,7 @@ After installing the package, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```

-Navigate into the directory and accept the notice by typing `yes`:
-```
-****************************************************************************************************
-* NOTICE                                                                                           *
-****************************************************************************************************
-* RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell      *
-* script and therefore may contain any shell commands.                                             *
-*                                                                                                  *
-* Examine the contents of this file carefully to be sure the contents are safe before trusting it! *
-* Do you wish to trust '/path/to/railsgoat/.rvmrc'?                                                *
-* Choose v[view] below to view the contents                                                        *
-****************************************************************************************************
-y[es], n[o], v[iew], c[cancel]>
-```
-
-Install the project dependencies:
+Navigate into the directory and install the dependencies:

 ```
 $ bundle install
@@ -52,7 +34,7 @@ Initialize the database:
 $ rake db:setup
 ```

-Start the WEBrick HTTP Server:
+Start the Thin web server:

 ```
 $ rails server
@@ -101,7 +83,7 @@ Conversion to the OWASP Top Ten 2013 completed in November, 2013.

 The MIT License (MIT)

-Copyright (c) 2013 The Open Web Application Security Project
+Copyright (c) 2013-2014 The Open Web Application Security Project

 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

@@ -1,5 +1,4 @@
 class AdminController < ApplicationController
-  
  before_filter :administrative, :if => :admin_param
  skip_before_filter :has_info

@@ -67,5 +66,4 @@ class AdminController < ApplicationController
  def admin_param
    params[:admin_id] != '1'
  end
-  
 end
@@ -1,5 +1,4 @@
 class Api::V1::MobileController < ApplicationController
-
  skip_before_filter :authenticated
  before_filter :mobile_request?

@@ -30,5 +29,4 @@ class Api::V1::MobileController < ApplicationController
      request.user_agent =~ /ios|android/i
    end
  end
-
 end
@@ -1,5 +1,4 @@
 class Api::V1::UsersController < ApplicationController
-  
  skip_before_filter :authenticated
  before_filter :valid_api_token
  before_filter :extrapolate_user
@@ -10,7 +9,6 @@ class Api::V1::UsersController < ApplicationController
    # We removed the .as_json code from the model, just seemed like extra work.
    # dunno, maybe useful at a later time?
    #respond_with @user.admin ? User.all.as_json : @user.as_json
-       
    respond_with @user.admin ? User.all : @user
  end

@@ -18,7 +16,7 @@ class Api::V1::UsersController < ApplicationController
    respond_with @user.as_json
  end

-private
+  private

  def valid_api_token
    authenticate_or_request_with_http_token do |token, options|
@@ -53,5 +51,4 @@ private
  def extrapolate_user
    @user = User.find_by_id(@clean_token.split("-").first)
  end
-     
 end
@@ -1,5 +1,4 @@
 class ApplicationController < ActionController::Base
-
  before_filter :authenticated, :has_info, :create_analytic
  helper_method :current_user, :is_admin?, :sanitize_font

@@ -53,5 +52,4 @@ class ApplicationController < ActionController::Base
    css
    # css if css.match(/\A[0-9]+([\%]|pt)\z/)
  end
-
 end
@@ -4,7 +4,6 @@ class BenefitFormsController < ApplicationController
    @benefits = Benefits.new
  end

-
  def download
   begin
     path = params[:name]
@@ -26,7 +25,6 @@ class BenefitFormsController < ApplicationController
    redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
  end

-  
 =begin
    # More secure version
    def download
@@ -47,6 +45,4 @@ class BenefitFormsController < ApplicationController
     end
    end
 =end
-
-  
 end
@@ -1,5 +1,4 @@
 class DashboardController < ApplicationController
-  
  skip_before_filter :has_info

  def home
@@ -10,5 +9,4 @@ class DashboardController < ApplicationController
    	cookies[:font] = params[:font]
    end
  end
-
 end
@@ -33,5 +33,4 @@ class MessagesController < ApplicationController
      end
    end
  end
-
 end
@@ -1,7 +1,6 @@
 class PasswordResetsController < ApplicationController
  skip_before_filter :authenticated

-
  def reset_password
    user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?

@@ -39,5 +39,4 @@ class PayController < ApplicationController
      format.json {render :json => {:account_num => decrypted || "No Data" }}
    end
  end
-  
 end
@@ -3,5 +3,4 @@ class PerformanceController < ApplicationController
  def index
    @perf = current_user.performance
  end
-  
 end
@@ -3,5 +3,4 @@ class RetirementController < ApplicationController
  def index
    @info = current_user.retirement
  end
-  
 end
@@ -1,4 +1,5 @@
 class ScheduleController < ApplicationController
+
  def create
    message = false

@@ -55,5 +56,4 @@ class ScheduleController < ApplicationController
   end
     return vals
  end
-    
 end
@@ -1,5 +1,4 @@
 class SessionsController < ApplicationController
-  
  skip_before_filter :has_info
  skip_before_filter :authenticated, :only => [:new, :create]

@@ -37,5 +36,4 @@ class SessionsController < ApplicationController
    reset_session
    redirect_to root_path
  end
-
 end
@@ -1,5 +1,4 @@
 class TutorialsController < ApplicationController
-  
  skip_before_filter :has_info
  skip_before_filter :authenticated

@@ -95,5 +94,4 @@ class TutorialsController < ApplicationController

  def metaprogramming
  end
-  
 end
@@ -1,9 +1,7 @@
 class UsersController < ApplicationController
-
  skip_before_filter :has_info
  skip_before_filter :authenticated, :only => [:new, :create]

-
  def new
    @user = User.new
  end
@@ -52,5 +50,4 @@ class UsersController < ApplicationController
      redirect_to user_account_settings_path(:user_id => current_user.user_id)
    end
  end
-
 end
@@ -1,5 +1,4 @@
 class WorkInfoController < ApplicationController
-  
  def index
    @user = User.find_by_user_id(params[:user_id])
    if !(@user) || @user.admin
@@ -18,5 +17,4 @@ class WorkInfoController < ApplicationController
    end
  end
 =end
-  
 end
@@ -34,5 +34,4 @@ class Benefits < ActiveRecord::Base
      stream.reopen(on_hold[i])
    end
  end
- 
 end
@@ -2,5 +2,4 @@ class KeyManagement < ActiveRecord::Base
  attr_accessible :iv, :user_id
  belongs_to :work_info
  belongs_to :user
-  
 end
@@ -14,5 +14,4 @@ class PaidTimeOff < ActiveRecord::Base
  def sick_days_taken_percentage
    result = self.sick_days_taken.to_f /  self.sick_days_earned.to_f * 100.0
  end
-
 end
@@ -1,5 +1,4 @@
 class Pay < ActiveRecord::Base
-  
  # mass-assignable attributes
  attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit

@@ -21,5 +20,4 @@ class Pay < ActiveRecord::Base
  def encrypt_bank_account_num
    self.bank_account_num = Encryption.encrypt_sensitive_value(self.bank_account_num)
  end
-  
 end
@@ -1,7 +1,6 @@
 require 'encryption'

 class User < ActiveRecord::Base
-
  attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation
  validates :password, :presence => true,
                       :confirmation => true,
@@ -49,7 +48,7 @@ class User < ActiveRecord::Base
  end
 =end

-private
+  private

  def self.authenticate(email, password)
    auth = nil
@@ -96,5 +95,4 @@ private
      self[column] = Encryption.encrypt_sensitive_value(self.user_id)
    end while User.exists?(column => self[column])
  end
-
 end
@@ -4,7 +4,6 @@ class WorkInfo < ActiveRecord::Base
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn

-  
  # We should probably use this
  def last_four
    "***-**-" << self.decrypt_ssn[-4,4]
@@ -40,5 +39,4 @@ class WorkInfo < ActiveRecord::Base
  def cipher_type
    'aes-256-cbc'
  end
-  
 end
@@ -3,51 +3,41 @@
    <div class="row-fluid">
      <div class="span12">
        <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
-		            <h4 class="alert-heading">
-		              Success!
-		            </h4>
-		            <p>
-		              User information successfully updated.
-		            </p>
+          <h4 class="alert-heading">Success!</h4>
+          <p>User information successfully updated.</p>
        </div>
      </div>
    </div>
+
    <div class="row-fluid">
      <div class="span12">
        <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
-                    <h4 class="alert-heading">
-                      Error!
-                    </h4>
-                    <p>
-                      Something went wrong.
-                    </p>
+          <h4 class="alert-heading">Error!</h4>
+          <p>Something went wrong.</p>
        </div>
      </div>
    </div>
+
    <div class="row-fluid">
      <div class="span12">
        <div class="widget">
          <div class="widget-header">
            <div class="title">
-							<span class="fs1" aria-hidden="true" data-icon="&#xe071;"></span>
-							Manage Users
+              <span class="fs1" aria-hidden="true" data-icon="&#xe071;"></span>Manage Users
            </div>
          </div>
-					<div id="userDataTable" class="widget-body">

+          <div id="userDataTable" class="widget-body">
          </div> <!-- End widget-body-->
        </div> <!-- End widget header-->
      </div>
    </div>
  </div>
-	
-	
 </div>

 <%= javascript_include_tag "jquery.dataTables.js"%>

 <script type="text/javascript">
-
 function dataTablePagination(){
  $('#data-table').dataTable({
    "sPaginationType": "full_numbers"
@@ -110,25 +110,17 @@
  </div>
 </div>

-
-
 <script type="text/javascript">
-   
  $(function() {
    $("#benefits_upload").change(function (){
      var fileName = $(this).val();
      $(".filename").html(fileName);
    });
-		
  });

  function makeActive(){
    $('li[id="benefit_forms"]').addClass('active');
  };

- 	$(document).ready(
- 	   makeActive
- 	);
-
-	
+  $(document).ready(makeActive);
 </script>
@@ -1,7 +1,5 @@
 <div class="dashboard-wrapper">
-    
  <div class="main-container">
-
    <div class="row-fluid">
        <div class="span12"> <!--begin span12 -->
        <% if @user.paid_time_off %>
@@ -14,7 +12,6 @@

 <script type="text/javascript">

-
 function makeActive(){
  $('li[id="home"]').addClass('active');
 };
@@ -132,7 +129,6 @@ function pieChartHome() {
    }, 41000);
  });

-
  $(function () {
    //create instance
    $('.chart5').easyPieChart({
@@ -161,12 +157,11 @@ function pieChartHome() {
    }, 47000);
  });

-  }
+}

 $(document).ready(
  makeActive,
  pieChartHome()
 );
-
 </script>

@@ -41,6 +41,5 @@ function dataTablePagination(){
    });
 };

-
 $(document).ready(dataTablePagination());
 </script>
@@ -56,6 +56,5 @@ function dataTablePagination(){
    });
 };

-
 $(document).ready(dataTablePagination());
 </script>
@@ -1,7 +1,4 @@
-
-
 <!-- Begin Modal -->
-
    <div class="modal-header">
      <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
        ×
@@ -1,5 +1,4 @@
 <header>
-
    <span style="color:#eee;margin-left:10px;">
     Font Size:
     <a href="<%= home_dashboard_index_path %>?font=8pt" style="font-size:10pt;color:#eee;">A</a>
@@ -10,7 +10,6 @@
 </script>
 <![endif]-->

-
 </head>
 <body>

@@ -51,7 +51,6 @@

 <script type="text/javascript">

-
 google.load("visualization", "1", {
  packages: ["corechart"]
 });
@@ -45,8 +45,6 @@

      </span>

-		  
-
          <div class="clearfix"></div>
          <% end %>
        </div>
@@ -24,8 +24,6 @@
  </div>
 </div>

-
-
 <script type="text/javascript">

 function openSub(){
@@ -16,8 +16,6 @@
  </div>
 </div>

-
-
 <script type="text/javascript">

 function openSub(){
@@ -74,7 +74,6 @@
            </div>
        </div>

-			
    </div>
    </div>
  </div>
@@ -101,7 +101,3 @@ $("#submit_button").click(function(event) {
 });

 </script>
-
-            
-            
-
@@ -1,7 +1,6 @@
 <div class="row-fluid">
  <div class="span12">

-
        <div class="row-fluid">
          <div class="span4 offset4">
            <div class="signup">
@@ -37,7 +36,6 @@
          </div>
        </div>

-
  </div>
 </div>

@@ -52,12 +52,10 @@ function maskSSN(){

 }

-
 function makeActive(){
  $('li[id="employee_info"]').addClass('active');
 };

-
 $(document).ready(function () {
   maskSSN(),
   makeActive()