From 5d698c80030b26357ec0b1fbca88fc5cd3da6b63 Mon Sep 17 00:00:00 2001
From: Ken Johnson <cktricky@gmail.com>
Date: Mon, 5 Jan 2026 20:14:08 -0500
Subject: [PATCH] Fix RSpec 3 compatibility: Replace pending with skip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."

Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.

Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
  in 11 vulnerability spec files:
  - broken_auth_spec.rb
  - command_injection_spec.rb
  - csrf_spec.rb
  - insecure_dor_spec.rb
  - mass_assignment_spec.rb
  - password_complexity_spec.rb
  - sensitive_data_exposure.rb
  - sql_injection_spec.rb
  - unvalidated_redirects_spec.rb
  - url_access_spec.rb
  - xss_spec.rb

Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode

Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 spec/vulnerabilities/broken_auth_spec.rb           | 2 +-
 spec/vulnerabilities/command_injection_spec.rb     | 2 +-
 spec/vulnerabilities/csrf_spec.rb                  | 2 +-
 spec/vulnerabilities/insecure_dor_spec.rb          | 2 +-
 spec/vulnerabilities/mass_assignment_spec.rb       | 2 +-
 spec/vulnerabilities/password_complexity_spec.rb   | 2 +-
 spec/vulnerabilities/sensitive_data_exposure.rb    | 2 +-
 spec/vulnerabilities/sql_injection_spec.rb         | 2 +-
 spec/vulnerabilities/unvalidated_redirects_spec.rb | 2 +-
 spec/vulnerabilities/url_access_spec.rb            | 2 +-
 spec/vulnerabilities/xss_spec.rb                   | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/spec/vulnerabilities/broken_auth_spec.rb b/spec/vulnerabilities/broken_auth_spec.rb
index 4a89b0f..fc6f603 100644
--- a/spec/vulnerabilities/broken_auth_spec.rb
+++ b/spec/vulnerabilities/broken_auth_spec.rb
@@ -7,7 +7,7 @@ feature "broken_auth" do
   before do
     UserFixture.reset_all_users
 
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb
index 02d3ff6..5cfb185 100644
--- a/spec/vulnerabilities/command_injection_spec.rb
+++ b/spec/vulnerabilities/command_injection_spec.rb
@@ -7,7 +7,7 @@ feature "command injection" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", js: true do
diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb
index d876dab..e25b0fa 100644
--- a/spec/vulnerabilities/csrf_spec.rb
+++ b/spec/vulnerabilities/csrf_spec.rb
@@ -7,7 +7,7 @@ feature "csrf" do
 
   before(:each) do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 50e5854..dceb143 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -7,7 +7,7 @@ feature "insecure direct object reference" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack one" do
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index 5b40ca0..3936707 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -6,7 +6,7 @@ feature "mass assignment" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack one" do
diff --git a/spec/vulnerabilities/password_complexity_spec.rb b/spec/vulnerabilities/password_complexity_spec.rb
index b1b4c6e..1490bc8 100644
--- a/spec/vulnerabilities/password_complexity_spec.rb
+++ b/spec/vulnerabilities/password_complexity_spec.rb
@@ -6,7 +6,7 @@ feature "password complexity" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity" do
diff --git a/spec/vulnerabilities/sensitive_data_exposure.rb b/spec/vulnerabilities/sensitive_data_exposure.rb
index 9d9380b..c5b8eb7 100644
--- a/spec/vulnerabilities/sensitive_data_exposure.rb
+++ b/spec/vulnerabilities/sensitive_data_exposure.rb
@@ -9,7 +9,7 @@ feature "sensitive data exposure" do
     UserFixture.reset_all_users
     normal_user.work_info.update(:SSN, user_ssn)
 
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   # this won't work with javascript_driver, as it'll apply the javascript
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index 3196975..6c20f7d 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -7,7 +7,7 @@ feature "sql injection" do
 
   before do
     UserFixture.reset_all_users
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index 724c256..b40d924 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -7,7 +7,7 @@ feature "unvalidated redirect" do
   before do
     UserFixture.reset_all_users
 
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
diff --git a/spec/vulnerabilities/url_access_spec.rb b/spec/vulnerabilities/url_access_spec.rb
index 4fa70ce..161cb51 100644
--- a/spec/vulnerabilities/url_access_spec.rb
+++ b/spec/vulnerabilities/url_access_spec.rb
@@ -7,7 +7,7 @@ feature "url access" do
   before do
     UserFixture.reset_all_users
 
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", js: true do
diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb
index 0d13852..0862520 100644
--- a/spec/vulnerabilities/xss_spec.rb
+++ b/spec/vulnerabilities/xss_spec.rb
@@ -7,7 +7,7 @@ feature "xss" do
   before(:each) do
     UserFixture.reset_all_users
 
-    pending unless verifying_fixed?
+    skip unless verifying_fixed?
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do