Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013

.rspec

@@ -0,0 +1 @@
+--color

Gemfile

@@ -19,6 +19,12 @@ group :development do
   gem 'rack-livereload'
 end
 
+gem 'gauntlt'
+
+group :development, :test do
+  gem 'rspec-rails'
+end
+
 
 # Gems used only for assets and not required
 # in production environments by default.
@@ -46,7 +52,9 @@ gem 'jquery-rails'
 
 # Pow related gem
 gem 'powder'
-gem 'minitest'
+
+gem 'aruba'
+gem 'minitest', '~> 4.0', :require=> "minitest/autorun"
 
 # Deploy with Capistrano
 # gem 'capistrano'

Gemfile.lock

@@ -29,6 +29,10 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
+    aruba (0.5.3)
+      childprocess (>= 0.3.6)
+      cucumber (>= 1.1.1)
+      rspec-expectations (>= 2.7.0)
     bcrypt-ruby (3.0.1)
     brakeman (1.9.5)
       erubis (~> 2.6)
@@ -44,6 +48,8 @@ GEM
     builder (3.0.4)
     bundler-audit (0.1.2)
       bundler (~> 1.2)
+    childprocess (0.3.9)
+      ffi (~> 1.0, >= 1.0.11)
     coderay (1.0.9)
     coffee-rails (3.2.2)
       coffee-script (>= 2.2.0)
@@ -52,6 +58,12 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.6.2)
+    cucumber (1.3.2)
+      builder (>= 2.1.2)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 2.12.0)
+      multi_json (~> 1.3)
+    diff-lcs (1.2.4)
     em-websocket (0.5.0)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0.5.3)
@@ -60,9 +72,16 @@ GEM
     execjs (1.4.0)
       multi_json (~> 1.0)
     fastercsv (1.5.5)
+    ffi (1.9.0)
     foreman (0.62.0)
       thor (>= 0.13.6)
     formatador (0.2.4)
+    gauntlt (1.0.5)
+      cucumber
+      nokogiri (~> 1.5.0)
+      trollop
+    gherkin (2.12.0)
+      multi_json (~> 1.3)
     guard (1.7.0)
       formatador (>= 0.2.4)
       listen (>= 0.6.0)
@@ -101,8 +120,9 @@ GEM
       treetop (~> 1.4.8)
     method_source (0.8.1)
     mime-types (1.22)
-    minitest (5.0.2)
+    minitest (4.7.5)
     multi_json (1.7.2)
+    nokogiri (1.5.10)
     polyglot (0.3.3)
     powder (0.2.0)
       thor (>= 0.11.5)
@@ -139,6 +159,17 @@ GEM
     rb-fsevent (0.9.3)
     rdoc (3.12.2)
       json (~> 1.4)
+    rspec-core (2.14.4)
+    rspec-expectations (2.14.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.2)
+    rspec-rails (2.14.0)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
     ruby2ruby (2.0.3)
       ruby_parser (~> 3.1)
       sexp_processor (~> 4.0)
@@ -167,6 +198,7 @@ GEM
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
+    trollop (2.0)
     tzinfo (0.3.37)
     uglifier (2.0.1)
       execjs (>= 0.3.0)
@@ -180,21 +212,24 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  aruba
   bcrypt-ruby
   brakeman
   bundler-audit
   coffee-rails (~> 3.2.1)
   foreman
+  gauntlt
   guard-brakeman
   guard-livereload
   guard-shell
   jquery-fileupload-rails
   jquery-rails
-  minitest
+  minitest (~> 4.0)
   powder
   rack-livereload
   rails (= 3.2.13)
   rb-fsevent
+  rspec-rails
   sass-rails (~> 3.2.3)
   sqlite3
   uglifier (>= 1.0.3)

README.md

@@ -1,3 +1,16 @@
+### Developer Note ###
+<p/>
+Conversion to the OWASP Top 10, 2013 is under way. 
+
+You can view progress within the top-10-2013 branch.
+
+    git fetch origin
+    git checkout top-10-2013
+Then proceed with browsing the site as normal :thumbsup:
+<hr/>
+
+### License Stuff ###
+
 The MIT License (MIT)
 
 Copyright (c) 2013  The Open Web Application Security Project
@@ -18,4 +31,6 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE.
+
+<hr/>

gauntlt_scripts/simple.attack

@@ -0,0 +1,11 @@
+# simplest.attack
+Feature: simplest attack possible
+  Scenario:
+    When I launch a "generic" attack with:
+      """
+      ls -a
+      """
+    Then the output should contain:
+      """
+      .
+      """

spec/spec_helper.rb

@@ -0,0 +1,39 @@
+# This file is copied to spec/ when you run 'rails generate rspec:install'
+ENV["RAILS_ENV"] ||= 'test'
+require File.expand_path("../../config/environment", __FILE__)
+require 'minitest/autorun'
+require 'rspec/rails'
+require 'rspec/autorun'
+
+# Requires supporting ruby files with custom matchers and macros, etc,
+# in spec/support/ and its subdirectories.
+Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+
+RSpec.configure do |config|
+  # ## Mock Framework
+  #
+  # If you prefer to use mocha, flexmock or RR, uncomment the appropriate line:
+  #
+  # config.mock_with :mocha
+  # config.mock_with :flexmock
+  # config.mock_with :rr
+
+  # Remove this line if you're not using ActiveRecord or ActiveRecord fixtures
+  config.fixture_path = "#{::Rails.root}/spec/fixtures"
+
+  # If you're not using ActiveRecord, or you'd prefer not to run each of your
+  # examples within a transaction, remove the following line or assign false
+  # instead of true.
+  config.use_transactional_fixtures = true
+
+  # If true, the base class of anonymous controllers will be inferred
+  # automatically. This will be the default behavior in future versions of
+  # rspec-rails.
+  config.infer_base_class_for_anonymous_controllers = false
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = "random"
+end