Merge remote-tracking branch 'upstream/master' into openshift
This commit is contained in:
Ken Toler
@@ -12,7 +12,7 @@ class SessionsController < ApplicationController
|
|||||||
path = params[:url].present? ? params[:url] : home_dashboard_index_path
|
path = params[:url].present? ? params[:url] : home_dashboard_index_path
|
||||||
begin
|
begin
|
||||||
# Normalize the email address, why not
|
# Normalize the email address, why not
|
||||||
user = User.authenticate(params[:email].to_s.downcase, params[:password])
|
user = User.authenticate(params[:email].to_s.strip.downcase, params[:password])
|
||||||
rescue RuntimeError => e
|
rescue RuntimeError => e
|
||||||
# don't do ANYTHING
|
# don't do ANYTHING
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -26,18 +26,12 @@
|
|||||||
<div class="clearfix">
|
<div class="clearfix">
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
|
||||||
<center><b>Need help using this portal? Check out the <a href="doc?doc=README_FOR_APP">Readme</a></b></center>
|
|
||||||
</div> <!-- end span12 -->
|
</div> <!-- end span12 -->
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
|
|
||||||
function makeActive(){
|
function makeActive(){
|
||||||
$('li[id="home"]').addClass('active');
|
$('li[id="home"]').addClass('active');
|
||||||
};
|
};
|
||||||
@@ -60,7 +54,3 @@ $(document).ready(
|
|||||||
$("#charts_body").load(<%= sanitize change_graph_dashboard_index_path(:graph => "pie_charts").inspect %>)
|
$("#charts_body").load(<%= sanitize change_graph_dashboard_index_path(:graph => "pie_charts").inspect %>)
|
||||||
);
|
);
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<div class="dashboard-wrapper">
|
<div class="dashboard-wrapper">
|
||||||
<div class="main-container">
|
<div class="main-container">
|
||||||
<div class="row-fluid">
|
<div class="row-fluid">
|
||||||
<div class="span12">
|
|
||||||
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
|
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
|
||||||
<h4 class="alert-heading">
|
<h4 class="alert-heading">
|
||||||
Success!
|
Success!
|
||||||
@@ -11,9 +10,7 @@
|
|||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
|
||||||
<div class="row-fluid">
|
<div class="row-fluid">
|
||||||
<div class="span12">
|
|
||||||
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
|
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
|
||||||
<h4 class="alert-heading">
|
<h4 class="alert-heading">
|
||||||
Error!
|
Error!
|
||||||
@@ -23,7 +20,6 @@
|
|||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
|
||||||
<!-- Begin Row-Fluid for Inputs -->
|
<!-- Begin Row-Fluid for Inputs -->
|
||||||
<div class="row-fluid">
|
<div class="row-fluid">
|
||||||
<div class="span9">
|
<div class="span9">
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
<div class="dashboard-wrapper">
|
<div class="dashboard-wrapper">
|
||||||
<div class="main-container">
|
<div class="main-container">
|
||||||
<div class="row-fluid">
|
<div class="row-fluid">
|
||||||
<div class="span12">
|
|
||||||
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
|
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
|
||||||
<h4 class="alert-heading">
|
<h4 class="alert-heading">
|
||||||
Success!
|
Success!
|
||||||
@@ -11,9 +10,6 @@
|
|||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
|
||||||
<div class="row-fluid">
|
|
||||||
<div class="span12">
|
|
||||||
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
|
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
|
||||||
<h4 class="alert-heading">
|
<h4 class="alert-heading">
|
||||||
Error!
|
Error!
|
||||||
@@ -22,8 +18,6 @@
|
|||||||
Failed to update.
|
Failed to update.
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
|
||||||
</div>
|
|
||||||
<div class="row-fluid">
|
<div class="row-fluid">
|
||||||
<div class="span6">
|
<div class="span6">
|
||||||
<div class="widget">
|
<div class="widget">
|
||||||
|
|||||||
@@ -14,7 +14,7 @@
|
|||||||
<tr>
|
<tr>
|
||||||
<th style="width:16%">Full Name</th>
|
<th style="width:16%">Full Name</th>
|
||||||
<th style="width:16%">Income</th>
|
<th style="width:16%">Income</th>
|
||||||
<th style="width:16%">Bonus/th>
|
<th style="width:16%">Bonus</th>
|
||||||
<th style="width:16%">Years w/ MetaCorp</th>
|
<th style="width:16%">Years w/ MetaCorp</th>
|
||||||
<th style="width:16%">SSN</th>
|
<th style="width:16%">SSN</th>
|
||||||
<th style="width:16%">DoB</th>
|
<th style="width:16%">DoB</th>
|
||||||
|
|||||||
+1
-1
@@ -15,7 +15,7 @@ module Encryption
|
|||||||
aes = OpenSSL::Cipher.new(cipher_type)
|
aes = OpenSSL::Cipher.new(cipher_type)
|
||||||
aes.decrypt
|
aes.decrypt
|
||||||
aes.key = key[0..31]
|
aes.key = key[0..31]
|
||||||
aes.iv = iv[0.15] if iv != nil
|
aes.iv = iv[0..15] if iv != nil
|
||||||
decoded = Base64.strict_decode64("#{val}")
|
decoded = Base64.strict_decode64("#{val}")
|
||||||
aes.update("#{decoded}") + aes.final
|
aes.update("#{decoded}") + aes.final
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -0,0 +1,24 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
require "spec_helper"
|
||||||
|
require_relative "../../lib/encryption"
|
||||||
|
|
||||||
|
describe Encryption do
|
||||||
|
let(:value) {
|
||||||
|
allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
|
||||||
|
allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
|
||||||
|
|
||||||
|
"OMG PII"
|
||||||
|
}
|
||||||
|
|
||||||
|
it "encrypts values" do
|
||||||
|
encrypted = Encryption.encrypt_sensitive_value(value)
|
||||||
|
expect(Base64.decode64(encrypted)).not_to eq(value)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "decrypts values" do
|
||||||
|
encrypted = Encryption.encrypt_sensitive_value(value)
|
||||||
|
decrypted = Encryption.decrypt_sensitive_value(encrypted)
|
||||||
|
|
||||||
|
expect(decrypted).to eq(value)
|
||||||
|
end
|
||||||
|
end
|
||||||
@@ -10,7 +10,7 @@ feature "csrf" do
|
|||||||
pending unless verifying_fixed?
|
pending unless verifying_fixed?
|
||||||
end
|
end
|
||||||
|
|
||||||
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
|
||||||
visit "/"
|
visit "/"
|
||||||
# TODO: is there a way to get this without visiting root first?
|
# TODO: is there a way to get this without visiting root first?
|
||||||
base_url = current_url
|
base_url = current_url
|
||||||
|
|||||||
@@ -18,15 +18,17 @@ feature "insecure direct object reference" do
|
|||||||
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
|
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
|
||||||
|
|
||||||
expect(page.status_code).not_to eq(200)
|
expect(page.status_code).not_to eq(200)
|
||||||
expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
|
expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
|
||||||
end
|
end
|
||||||
|
|
||||||
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
|
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
|
||||||
|
login(normal_user)
|
||||||
|
|
||||||
expect(normal_user.id).not_to eq(another_user.id)
|
expect(normal_user.id).not_to eq(another_user.id)
|
||||||
|
|
||||||
visit "/users/#{another_user.id}/work_info"
|
visit "/users/#{another_user.id}/work_info"
|
||||||
|
|
||||||
expect(first("td").text).not_to include(another_user.name)
|
expect(first("td").text).not_to include(another_user.full_name)
|
||||||
expect(first("td").text).to include(normal_user.name)
|
expect(first("td").text).to include(normal_user.full_name)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ feature "mass assignment" do
|
|||||||
expect(normal_user.reload.admin).to be_falsy
|
expect(normal_user.reload.admin).to be_falsy
|
||||||
end
|
end
|
||||||
|
|
||||||
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
|
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
|
||||||
params = { user: { admin: "t",
|
params = { user: { admin: "t",
|
||||||
email: "hackety@h4x0rs.c0m",
|
email: "hackety@h4x0rs.c0m",
|
||||||
first_name: "hackety",
|
first_name: "hackety",
|
||||||
@@ -33,6 +33,6 @@ feature "mass assignment" do
|
|||||||
|
|
||||||
page.driver.post "/users", params
|
page.driver.post "/users", params
|
||||||
|
|
||||||
expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
|
expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
|
|||||||
click_on "Login"
|
click_on "Login"
|
||||||
end
|
end
|
||||||
|
|
||||||
expect(current_url).to eq("/dashboard/home")
|
expect(current_url).to start_with("http://127.0.0.1")
|
||||||
|
expect(current_path).to eq("/dashboard/home")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -15,6 +15,6 @@ feature "url access" do
|
|||||||
|
|
||||||
visit "/admin/1/dashboard"
|
visit "/admin/1/dashboard"
|
||||||
|
|
||||||
expect(current_path).to eq("/")
|
expect(current_path).to eq("/dashboard/home")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
Reference in New Issue
Block a user