Merge remote-tracking branch 'upstream/master' into openshift

app/controllers/sessions_controller.rb

@@ -12,7 +12,7 @@ class SessionsController < ApplicationController
     path = params[:url].present? ? params[:url] : home_dashboard_index_path
     begin
       # Normalize the email address, why not
-      user = User.authenticate(params[:email].to_s.downcase, params[:password])
+      user = User.authenticate(params[:email].to_s.strip.downcase, params[:password])
     rescue RuntimeError => e
       # don't do ANYTHING
     end

app/views/dashboard/home.html.erb

@@ -1,43 +1,37 @@
 <div class="dashboard-wrapper">
   <div class="main-container">
     <div class="row-fluid">
-        <div class="span12"> <!--begin span12 -->
+      <div class="span12"> <!--begin span12 -->
-			<div class="widget">
+        <div class="widget">
-			    <div class="widget-header">
+          <div class="widget-header">
-			      <div class="title">
+            <div class="title">
-			        <span class="fs1" aria-hidden="true" data-icon="&#xe0a0;"></span> Current Statistics
+              <span class="fs1" aria-hidden="true" data-icon="&#xe0a0;"></span> Current Statistics
-			      </div>
+            </div>
-				  <!-- Begin Title Buttons-->
+            <!-- Begin Title Buttons-->
-				  <div class="tools pull-right">
+            <div class="tools pull-right">
-				  	<div class="btn-group">
+              <div class="btn-group">
-				  		<a id="change_to_bar_graph" class="btn btn-small">
+                <a id="change_to_bar_graph" class="btn btn-small">
-			                  <span data-icon="&#xe14b;"></span>
+                  <span data-icon="&#xe14b;"></span>
-			            </a>
+                </a>
-						<a id="change_to_pie_charts" class="btn btn-small">
+                <a id="change_to_pie_charts" class="btn btn-small">
-				              <span data-icon="&#xe096;"></span>
+                  <span data-icon="&#xe096;"></span>
-				        </a>
+                </a>
-				  	</div>	
+              </div>
-				  </div>
+            </div>
-				  <!-- End Title Buttons-->
+            <!-- End Title Buttons-->
-			    </div>
+          </div>
-			    <div id="charts_body" class="widget-body">
+          <div id="charts_body" class="widget-body">
-				      <%#= render partial: "dashboard_stats" %>
+            <%#= render partial: "dashboard_stats" %>
-			    </div>
+          </div>
-				<div class="clearfix">
+          <div class="clearfix">
-		        </div>
+          </div>
-			  </div>
+        </div>
-			</div>	
+      </div> <!-- end span12 -->
-			<center><b>Need help using this portal? Check out the <a href="doc?doc=README_FOR_APP">Readme</a></b></center>
-        </div> <!-- end span12 -->
     </div>
   </div>
 </div>
 
-
-
-
 <script type="text/javascript">
-
 function makeActive(){
   $('li[id="home"]').addClass('active');
 };
@@ -60,7 +54,3 @@ $(document).ready(
   $("#charts_body").load(<%= sanitize change_graph_dashboard_index_path(:graph => "pie_charts").inspect %>)
 );
 </script>
-
-
-
-

app/views/pay/index.html.erb

@@ -1,27 +1,23 @@
 <div class="dashboard-wrapper">
   <div class="main-container">
     <div class="row-fluid">
-      <div class="span12">
+      <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
-        <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
+        <h4 class="alert-heading">
-                <h4 class="alert-heading">
+          Success!
-                  Success!
+        </h4>
-                </h4>
+        <p>
-                <p>
+        Information successfully updated.
-                  Information successfully updated.
+        </p>
-                </p>
-              </div>
       </div>
     </div>
     <div class="row-fluid">
-      <div class="span12">
+      <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
-        <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
+        <h4 class="alert-heading">
-                    <h4 class="alert-heading">
+          Error!
-                      Error!
+        </h4>
-                    </h4>
+        <p>
-                    <p>
+        Failed to update.
-                      Failed to update.
+        </p>
-                    </p>
-                  </div>
       </div>
     </div>
     <!-- Begin Row-Fluid for Inputs -->

app/views/users/account_settings.html.erb

@@ -1,28 +1,22 @@
 <div class="dashboard-wrapper">
   <div class="main-container">
     <div class="row-fluid">
-      <div class="span12">
+      <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
-        <div id="success" style="display: none;" class="alert alert-block alert-success fade in">
+        <h4 class="alert-heading">
-                <h4 class="alert-heading">
+          Success!
-                  Success!
+        </h4>
-                </h4>
+        <p>
-                <p>
+        Information successfully updated.
-                  Information successfully updated.
+        </p>
-                </p>
-              </div>
       </div>
     </div>
-    <div class="row-fluid">
+    <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
-      <div class="span12">
+      <h4 class="alert-heading">
-        <div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
+        Error!
-                    <h4 class="alert-heading">
+      </h4>
-                      Error!
+      <p>
-                    </h4>
+      Failed to update.
-                    <p>
+      </p>
-                      Failed to update.
-                    </p>
-                  </div>
-      </div>
     </div>
     <div class="row-fluid">
         <div class="span6">

app/views/work_info/index.html.erb

@@ -12,26 +12,26 @@
               <table class="table table-bordered table-striped">
                 <thead>
                   <tr>
-            <th style="width:16%">Full Name</th>
+                    <th style="width:16%">Full Name</th>
                     <th style="width:16%">Income</th>
-                    <th style="width:16%">Bonus/th>
+                    <th style="width:16%">Bonus</th>
                     <th style="width:16%">Years w/ MetaCorp</th>
                     <th style="width:16%">SSN</th>
-            <th style="width:16%">DoB</th>
+                    <th style="width:16%">DoB</th>
                   </tr>
                 </thead>
                 <tbody>
 
-            <tr>
+                  <tr>
                     <td><%= "#{@user.first_name} #{@user.last_name}" %></td>
                     <td><%= @user.work_info.income %></td>
                     <td><%= @user.work_info.bonuses %></td>
                     <td><%= @user.work_info.years_worked %></td>
-            <td class="ssn"><%= @user.work_info.SSN %></td>
+                    <td class="ssn"><%= @user.work_info.SSN %></td>
-            <!-- Begin Secure Version>-->
+                    <!-- Begin Secure Version>-->
-            <!--<td class="ssn"><%#= @user.work_info.last_four %></td>-->
+                    <!--<td class="ssn"><%#= @user.work_info.last_four %></td>-->
-            <!-- End Secure Version -->
+                    <!-- End Secure Version -->
-            <td><%= @user.work_info.DoB %></td>
+                    <td><%= @user.work_info.DoB %></td>
                   </tr>
 
                 </tbody>

lib/encryption.rb

@@ -15,7 +15,7 @@ module Encryption
      aes = OpenSSL::Cipher.new(cipher_type)
      aes.decrypt
      aes.key = key[0..31]
-     aes.iv = iv[0.15] if iv != nil
+     aes.iv = iv[0..15] if iv != nil
      decoded = Base64.strict_decode64("#{val}")
      aes.update("#{decoded}") + aes.final
   end

spec/lib/encryption_spec.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require "spec_helper"
+require_relative "../../lib/encryption"
+
+describe Encryption do
+  let(:value) {
+    allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
+    allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
+
+    "OMG PII"
+  }
+
+  it "encrypts values" do
+    encrypted = Encryption.encrypt_sensitive_value(value)
+    expect(Base64.decode64(encrypted)).not_to eq(value)
+  end
+
+  it "decrypts values" do
+    encrypted = Encryption.encrypt_sensitive_value(value)
+    decrypted = Encryption.decrypt_sensitive_value(encrypted)
+
+    expect(decrypted).to eq(value)
+  end
+end

spec/vulnerabilities/csrf_spec.rb

@@ -10,7 +10,7 @@ feature "csrf" do
     pending unless verifying_fixed?
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
     visit "/"
     # TODO: is there a way to get this without visiting root first?
     base_url = current_url

spec/vulnerabilities/insecure_dor_spec.rb

@@ -18,15 +18,17 @@ feature "insecure direct object reference" do
     visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 
     expect(page.status_code).not_to eq(200)
-    expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
+    expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
   end
 
   scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
+    login(normal_user)
+
     expect(normal_user.id).not_to eq(another_user.id)
 
     visit "/users/#{another_user.id}/work_info"
 
-    expect(first("td").text).not_to include(another_user.name)
+    expect(first("td").text).not_to include(another_user.full_name)
-    expect(first("td").text).to include(normal_user.name)
+    expect(first("td").text).to include(normal_user.full_name)
   end
 end

spec/vulnerabilities/mass_assignment_spec.rb

@@ -23,7 +23,7 @@ feature "mass assignment" do
     expect(normal_user.reload.admin).to be_falsy
   end
 
-  scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
+  scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
     params = { user: {  admin: "t",
                         email: "hackety@h4x0rs.c0m",
                         first_name: "hackety",
@@ -33,6 +33,6 @@ feature "mass assignment" do
 
     page.driver.post "/users", params
 
-    expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
+    expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
   end
 end

spec/vulnerabilities/unvalidated_redirects_spec.rb

@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
       click_on "Login"
     end
 
-    expect(current_url).to eq("/dashboard/home")
+    expect(current_url).to start_with("http://127.0.0.1")
+    expect(current_path).to eq("/dashboard/home")
   end
 end

spec/vulnerabilities/url_access_spec.rb

@@ -15,6 +15,6 @@ feature "url access" do
 
     visit "/admin/1/dashboard"
 
-    expect(current_path).to eq("/")
+    expect(current_path).to eq("/dashboard/home")
   end
 end