refactor vulnerabilities so that users can turn them from failing to passing

2017-09-19 22:16:05 -05:00
parent fb2254342e
commit 5643edcc5d
12 changed files with 130 additions and 127 deletions
@@ -2,33 +2,31 @@
 require "spec_helper"

 feature "insecure direct object reference" do
+  let(:normal_user) { UserFixture.normal_user }
+  let(:another_user) { User.find_by(user_id: 2) }
+
  before do
    UserFixture.reset_all_users
-    @normal_user = UserFixture.normal_user
+    pending unless verifying_fixed?
  end

-  scenario "attack one" do
-    login(@normal_user)
+  scenario 'attack one' do
+    login(normal_user)

-    visit "/users/#{@normal_user.id}/benefit_forms"
-    download_url = first(".widget-body a")[:href]
-    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
+    visit "/users/#{normal_user.user_id}/benefit_forms"
+    download_url = first('.widget-body a')[:href]
+    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')

-    pending if verifying_fixed?
-
-    expect(page.status_code).to eq(200)
-    expect(page.response_headers["Content-Disposition"]).to include("database.yml")
-    expect(page.response_headers["Content-Length"]).to eq("710")
+    expect(page.status_code).not_to eq(200)
+    expect(page.response_headers['Content-Disposition']).not_to include('database.yml')
  end

  scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
-    login(@normal_user)
-    expect(@normal_user.id).not_to eq(2)
-    another_user = User.find(2)
+    expect(normal_user.user_id).not_to eq(another_user.user_id)

-    visit "/users/#{another_user.id}/work_info"
+    visit "/users/#{another_user.user_id}/work_info"

-    pending if verifying_fixed?
-    expect(first("td").text).to eq(another_user.full_name)
+    expect(first('td').text).not_to include(another_user.name)
+    expect(first('td').text).to include(normal_user.name)
  end
 end