Synch my Railsgoat repo with parent's repo

2015-08-19 12:05:01 -04:00
parent 4f2b3148ce 32df4e0ef7
commit 5ac280566e
9 changed files with 98 additions and 60 deletions
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 #don't upgrade
-gem 'rails', '4.0.13'
+gem 'rails', '4.2.2'
 ruby '2.2.2'
@@ -1,32 +1,43 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (4.0.13)
+    actionmailer (4.2.2)
-      actionpack (= 4.0.13)
+      actionpack (= 4.2.2)
      actionview (= 4.2.2)
      activejob (= 4.2.2)
      mail (~> 2.5, >= 2.5.4)
-    actionpack (4.0.13)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
-      activesupport (= 4.0.13)
+    actionpack (4.2.2)
-      builder (~> 3.1.0)
+      actionview (= 4.2.2)
-      erubis (~> 2.7.0)
+      activesupport (= 4.2.2)
-      rack (~> 1.5.2)
+      rack (~> 1.6)
      rack-test (~> 0.6.2)
-    activemodel (4.0.13)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
-      activesupport (= 4.0.13)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-      builder (~> 3.1.0)
+    actionview (4.2.2)
-    activerecord (4.0.13)
+      activesupport (= 4.2.2)
-      activemodel (= 4.0.13)
+      builder (~> 3.1)
-      activerecord-deprecated_finders (~> 1.0.2)
+      erubis (~> 2.7.0)
-      activesupport (= 4.0.13)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
-      arel (~> 4.0.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    activerecord-deprecated_finders (1.0.4)
+    activejob (4.2.2)
-    activesupport (4.0.13)
+      activesupport (= 4.2.2)
-      i18n (~> 0.6, >= 0.6.9)
+      globalid (>= 0.3.0)
-      minitest (~> 4.2)
+    activemodel (4.2.2)
-      multi_json (~> 1.3)
+      activesupport (= 4.2.2)
-      thread_safe (~> 0.1)
+      builder (~> 3.1)
-      tzinfo (~> 0.3.37)
+    activerecord (4.2.2)
      activemodel (= 4.2.2)
      activesupport (= 4.2.2)
      arel (~> 6.0)
    activesupport (4.2.2)
      i18n (~> 0.7)
      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
    addressable (2.3.8)
-    arel (4.0.2)
+    arel (6.0.3)
    aruba (0.7.4)
      childprocess (>= 0.3.6)
      cucumber (>= 1.1.1)
@@ -48,7 +59,7 @@ GEM
      ruby_parser (~> 3.7.0)
      sass (~> 3.0)
      terminal-table (~> 1.4)
-    builder (3.1.4)
+    builder (3.2.2)
    bundler-audit (0.4.0)
      bundler (~> 1.2)
      thor (~> 0.18)
@@ -95,13 +106,14 @@ GEM
    foreman (0.78.0)
      thor (~> 0.19.1)
    formatador (0.2.5)
-    gauntlt (1.0.6)
+    gauntlt (0.1.4)
      aruba
      cucumber
-      nokogiri (~> 1.5.0)
+      nokogiri
      trollop
    gherkin (2.12.2)
      multi_json (~> 1.3)
    globalid (0.3.6)
      activesupport (>= 4.1.0)
    guard (2.13.0)
      formatador (>= 0.2.4)
      listen (>= 2.7, <= 4.0)
@@ -134,8 +146,9 @@ GEM
      actionpack (>= 3.1)
      railties (>= 3.1)
      sass (>= 3.2)
-    jquery-rails (3.1.3)
+    jquery-rails (4.0.4)
-      railties (>= 3.0, < 5.0)
+      rails-dom-testing (~> 1.0)
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
    json (1.8.3)
    kgio (2.9.3)
@@ -145,6 +158,8 @@ GEM
    listen (3.0.3)
      rb-fsevent (>= 0.9.3)
      rb-inotify (>= 0.9)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    lumberjack (1.0.9)
    mail (2.6.3)
      mime-types (>= 1.16, < 3)
@@ -158,12 +173,14 @@ GEM
      thin (~> 1.5.0)
    method_source (0.8.2)
    mime-types (2.6.1)
-    minitest (4.7.5)
+    mini_portile (0.6.2)
    minitest (5.8.0)
    multi_json (1.11.2)
    multi_test (0.1.2)
    mysql2 (0.3.19)
    nenv (0.2.0)
-    nokogiri (1.5.11)
+    nokogiri (1.6.6.2)
      mini_portile (~> 0.6.0)
    notiffany (0.0.7)
      nenv (~> 0.1)
      shellany (~> 0.0)
@@ -181,24 +198,35 @@ GEM
      slop (~> 3.4)
    pry-rails (0.3.4)
      pry (>= 0.9.10)
-    rack (1.5.5)
+    rack (1.6.4)
    rack-livereload (0.3.16)
      rack
    rack-protection (1.5.3)
      rack
    rack-test (0.6.3)
      rack (>= 1.0)
-    rails (4.0.13)
+    rails (4.2.2)
-      actionmailer (= 4.0.13)
+      actionmailer (= 4.2.2)
-      actionpack (= 4.0.13)
+      actionpack (= 4.2.2)
-      activerecord (= 4.0.13)
+      actionview (= 4.2.2)
-      activesupport (= 4.0.13)
+      activejob (= 4.2.2)
      activemodel (= 4.2.2)
      activerecord (= 4.2.2)
      activesupport (= 4.2.2)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.0.13)
+      railties (= 4.2.2)
-      sprockets-rails (~> 2.0)
+      sprockets-rails
-    railties (4.0.13)
+    rails-deprecated_sanitizer (1.0.3)
-      actionpack (= 4.0.13)
+      activesupport (>= 4.2.0.alpha)
-      activesupport (= 4.0.13)
+    rails-dom-testing (1.0.7)
      activesupport (>= 4.2.0.beta, < 5.0)
      nokogiri (~> 1.6.0)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.2)
      loofah (~> 2.0)
    railties (4.2.2)
      actionpack (= 4.2.2)
      activesupport (= 4.2.2)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    raindrops (0.15.0)
@@ -275,7 +303,8 @@ GEM
    trollop (2.1.2)
    turbolinks (2.5.3)
      coffee-rails
-    tzinfo (0.3.44)
+    tzinfo (1.2.2)
      thread_safe (~> 0.1)
    uglifier (2.7.1)
      execjs (>= 0.3.0)
      json (>= 1.8.0)
@@ -320,7 +349,7 @@ DEPENDENCIES
  pry
  pry-rails
  rack-livereload
-  rails (= 4.0.13)
+  rails (= 4.2.2)
  rb-fsevent
  rspec-rails (= 2.14.2)
  sass-rails
@@ -1,42 +1,49 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
-RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
 ## Getting Started
 To begin, install the Ruby Version Manager (RVM):
-```
+```bash
 $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2
 ```
 After installing the package, clone this repo:
-```
+```bash
 $ git clone git@github.com:OWASP/railsgoat.git
 ```
-Navigate into the directory and install the dependencies:
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches 
 ```bash
 $ cd railsgoat
 $ git checkout rails_3_2
 ```
 Navigate into the directory (already there if you followed the previous step) and install the dependencies:
 ```bash
 $ bundle install
 ```
 If you receive an error, make sure you have `bundler` installed:
-```
+```bash
 $ gem install bundler
 ```
 Initialize the database:
-```
+```bash
 $ rake db:setup
 ```
 Start the Thin web server:
-```
+```bash
 $ rails server
 ```
@@ -16,6 +16,7 @@
 //= require wysiwyg/wysihtml5-0.3.0.js
 //= require jquery.min.js
 //= require jquery.scrollUp.js
 //= require bootstrap.js
 //= require wysiwyg/bootstrap-wysihtml5.js
 //= require bootstrap-colorpicker.js
 //= require date-picker/date.js
@@ -32,7 +33,6 @@
 //= require jsapi
 //= html5.js
 function rubyCodeFormat() {
@@ -25,7 +25,7 @@ class SessionsController < ApplicationController
      redirect_to path
    else
      # Removed this code, just doesn't seem specific enough!
-      #  flash[:error] = "Either your username and password is incorrect"
+      # flash[:error] = "Either your username and password is incorrect"
      flash[:error] = e.message
      render "new"
    end
@@ -55,7 +55,7 @@ class UsersController < ApplicationController
  private
  def user_params
-    params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation)
+    params.require(:user).permit!
  end
  # unpermitted attributes are ignored in production
@@ -1,4 +1,5 @@
 <% flash.each do |name, msg| %>
  <% name = name.to_sym %>
  <% if name == :error %>
    <div class="alert alert-error">
      <a class="close" data-dismiss="alert" href="#">×</a>
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session'
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false
@@ -20,10 +20,11 @@ feature 'xss' do
    click_on 'Submit'
    sleep(1)
-    visit '/'
+    
-
+    visit "/users/#{@normal_user.user_id}/account_settings"
-    pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' }
+    
-
+    pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
    # might be nice to demonstrate posting cookie contents or somesuch, but
    # this at least shows the vulnerability still exists.
  end
`@@ -1,3 +1,3 @@`
	`# Be sure to restart your server when you modify this file.`	`# Be sure to restart your server when you modify this file.`

	`Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session'`	`Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false`