From 7afaabdb9bcd43d7e1f3f115052d362fde673091 Mon Sep 17 00:00:00 2001 From: Ken Johnson Date: Sun, 4 Jan 2026 17:38:40 -0500 Subject: [PATCH] Remove confusing pending status from password_hashing_spec The password_hashing_spec was using 'pending unless verifying_fixed?' which caused confusing output in maintainer mode: - Before: "1 example, 0 failures, 1 pending" with "(compared using ==)" message - After: "1 example, 0 failures" - clean output The spec now uses conditional expectations: - Training mode: expects password is NOT MD5 hashed (test fails, vulnerability exists) - Maintainer mode: expects password IS MD5 hashed (test passes, verifies vulnerability) This addresses the "(compared using ==)" error message that @jasnow reported in issue #486. Related to #486 --- spec/vulnerabilities/password_hashing_spec.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb index 7fd2c10..55d5032 100644 --- a/spec/vulnerabilities/password_hashing_spec.rb +++ b/spec/vulnerabilities/password_hashing_spec.rb @@ -6,7 +6,6 @@ feature "improper password hashing" do before do UserFixture.reset_all_users - pending unless verifying_fixed? end scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do @@ -15,7 +14,13 @@ feature "improper password hashing" do normal_user.password_confirmation = new_pass normal_user.save! - expect(normal_user.password).not_to eq(Digest::MD5.hexdigest(new_pass)) + if verifying_fixed? + # Training mode: expect BCrypt (not MD5) - test should fail because vulnerability exists + expect(normal_user.password).not_to eq(Digest::MD5.hexdigest(new_pass)) + else + # Maintainer mode: expect MD5 to verify vulnerability still exists - test should pass + expect(normal_user.password).to eq(Digest::MD5.hexdigest(new_pass)) + end end end