team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into openshift

Browse Source
This commit is contained in:
Ken Toler
2020-06-08 19:13:53 -04:00
parent e53e47d252 df1bae06b9
commit 5a375752b3
12 changed files with 100 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/sessions_controller.rb
+1 -1
View File
@@ -12,7 +12,7 @@ class SessionsController < ApplicationController
path = params[:url].present? ? params[:url] : home_dashboard_index_path
begin
# Normalize the email address, why not
user = User.authenticate(params[:email].to_s.downcase, params[:password])
user = User.authenticate(params[:email].to_s.strip.downcase, params[:password])
rescue RuntimeError => e
# don't do ANYTHING
end
app/views/dashboard/home.html.erb
+26 -36
View File
@@ -1,43 +1,37 @@
<div class="dashboard-wrapper">
<div class="main-container">
<div class="row-fluid">
<div class="span12"> <!--begin span12 -->
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe0a0;"></span> Current Statistics
</div>
<!-- Begin Title Buttons-->
<div class="tools pull-right">
<div class="btn-group">
<a id="change_to_bar_graph" class="btn btn-small">
<span data-icon="&#xe14b;"></span>
</a>
<a id="change_to_pie_charts" class="btn btn-small">
<span data-icon="&#xe096;"></span>
</a>
</div>
</div>
<!-- End Title Buttons-->
</div>
<div id="charts_body" class="widget-body">
<%#= render partial: "dashboard_stats" %>
</div>
<div class="clearfix">
</div>
</div>
</div>
<center><b>Need help using this portal? Check out the <a href="doc?doc=README_FOR_APP">Readme</a></b></center>
</div> <!-- end span12 -->
<div class="span12"> <!--begin span12 -->
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe0a0;"></span> Current Statistics
</div>
<!-- Begin Title Buttons-->
<div class="tools pull-right">
<div class="btn-group">
<a id="change_to_bar_graph" class="btn btn-small">
<span data-icon="&#xe14b;"></span>
</a>
<a id="change_to_pie_charts" class="btn btn-small">
<span data-icon="&#xe096;"></span>
</a>
</div>
</div>
<!-- End Title Buttons-->
</div>
<div id="charts_body" class="widget-body">
<%#= render partial: "dashboard_stats" %>
</div>
<div class="clearfix">
</div>
</div>
</div> <!-- end span12 -->
</div>
</div>
</div>
<script type="text/javascript">
function makeActive(){
$('li[id="home"]').addClass('active');
};
@@ -60,7 +54,3 @@ $(document).ready(
$("#charts_body").load(<%= sanitize change_graph_dashboard_index_path(:graph => "pie_charts").inspect %>)
);
</script>
app/views/pay/index.html.erb
+14 -18
View File
@@ -1,27 +1,23 @@
<div class="dashboard-wrapper">
<div class="main-container">
<div class="row-fluid">
<div class="span12">
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
<h4 class="alert-heading">
Success!
</h4>
<p>
Information successfully updated.
</p>
</div>
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
<h4 class="alert-heading">
Success!
</h4>
<p>
Information successfully updated.
</p>
</div>
</div>
<div class="row-fluid">
<div class="span12">
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
<h4 class="alert-heading">
Error!
</h4>
<p>
Failed to update.
</p>
</div>
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
<h4 class="alert-heading">
Error!
</h4>
<p>
Failed to update.
</p>
</div>
</div>
<!-- Begin Row-Fluid for Inputs -->
app/views/users/account_settings.html.erb
+14 -20
View File
@@ -1,28 +1,22 @@
<div class="dashboard-wrapper">
<div class="main-container">
<div class="row-fluid">
<div class="span12">
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
<h4 class="alert-heading">
Success!
</h4>
<p>
Information successfully updated.
</p>
</div>
<div id="success" style="display: none;" class="alert alert-block alert-success fade in">
<h4 class="alert-heading">
Success!
</h4>
<p>
Information successfully updated.
</p>
</div>
</div>
<div class="row-fluid">
<div class="span12">
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
<h4 class="alert-heading">
Error!
</h4>
<p>
Failed to update.
</p>
</div>
</div>
<div id="failure" style="display: none;" class="alert alert-block alert-error fade in">
<h4 class="alert-heading">
Error!
</h4>
<p>
Failed to update.
</p>
</div>
<div class="row-fluid">
<div class="span6">
app/views/work_info/index.html.erb
+9 -9
View File
@@ -12,26 +12,26 @@
<table class="table table-bordered table-striped">
<thead>
<tr>
<th style="width:16%">Full Name</th>
<th style="width:16%">Full Name</th>
<th style="width:16%">Income</th>
<th style="width:16%">Bonus/th>
<th style="width:16%">Bonus</th>
<th style="width:16%">Years w/ MetaCorp</th>
<th style="width:16%">SSN</th>
<th style="width:16%">DoB</th>
<th style="width:16%">DoB</th>
</tr>
</thead>
<tbody>
<tr>
<tr>
<td><%= "#{@user.first_name} #{@user.last_name}" %></td>
<td><%= @user.work_info.income %></td>
<td><%= @user.work_info.bonuses %></td>
<td><%= @user.work_info.years_worked %></td>
<td class="ssn"><%= @user.work_info.SSN %></td>
<!-- Begin Secure Version>-->
<!--<td class="ssn"><%#= @user.work_info.last_four %></td>-->
<!-- End Secure Version -->
<td><%= @user.work_info.DoB %></td>
<td class="ssn"><%= @user.work_info.SSN %></td>
<!-- Begin Secure Version>-->
<!--<td class="ssn"><%#= @user.work_info.last_four %></td>-->
<!-- End Secure Version -->
<td><%= @user.work_info.DoB %></td>
</tr>
</tbody>
lib/encryption.rb
+1 -1
View File
@@ -15,7 +15,7 @@ module Encryption
aes = OpenSSL::Cipher.new(cipher_type)
aes.decrypt
aes.key = key[0..31]
aes.iv = iv[0.15] if iv != nil
aes.iv = iv[0..15] if iv != nil
decoded = Base64.strict_decode64("#{val}")
aes.update("#{decoded}") + aes.final
end
spec/lib/encryption_spec.rb
+24
View File
@@ -0,0 +1,24 @@
# frozen_string_literal: true
require "spec_helper"
require_relative "../../lib/encryption"
describe Encryption do
let(:value) {
allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
"OMG PII"
}
it "encrypts values" do
encrypted = Encryption.encrypt_sensitive_value(value)
expect(Base64.decode64(encrypted)).not_to eq(value)
end
it "decrypts values" do
encrypted = Encryption.encrypt_sensitive_value(value)
decrypted = Encryption.decrypt_sensitive_value(encrypted)
expect(decrypted).to eq(value)
end
end
spec/vulnerabilities/csrf_spec.rb
+1 -1
View File
@@ -10,7 +10,7 @@ feature "csrf" do
pending unless verifying_fixed?
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
visit "/"
# TODO: is there a way to get this without visiting root first?
base_url = current_url
spec/vulnerabilities/insecure_dor_spec.rb
+5 -3
View File
@@ -18,15 +18,17 @@ feature "insecure direct object reference" do
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
expect(page.status_code).not_to eq(200)
expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
end
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
login(normal_user)
expect(normal_user.id).not_to eq(another_user.id)
visit "/users/#{another_user.id}/work_info"
expect(first("td").text).not_to include(another_user.name)
expect(first("td").text).to include(normal_user.name)
expect(first("td").text).not_to include(another_user.full_name)
expect(first("td").text).to include(normal_user.full_name)
end
end
spec/vulnerabilities/mass_assignment_spec.rb
+2 -2
View File
@@ -23,7 +23,7 @@ feature "mass assignment" do
expect(normal_user.reload.admin).to be_falsy
end
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
params = { user: { admin: "t",
email: "hackety@h4x0rs.c0m",
first_name: "hackety",
@@ -33,6 +33,6 @@ feature "mass assignment" do
page.driver.post "/users", params
expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
end
end
spec/vulnerabilities/unvalidated_redirects_spec.rb
+2 -1
View File
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
click_on "Login"
end
expect(current_url).to eq("/dashboard/home")
expect(current_url).to start_with("http://127.0.0.1")
expect(current_path).to eq("/dashboard/home")
end
end
spec/vulnerabilities/url_access_spec.rb
+1 -1
View File
@@ -15,6 +15,6 @@ feature "url access" do
visit "/admin/1/dashboard"
expect(current_path).to eq("/")
expect(current_path).to eq("/dashboard/home")
end
end