Does not fix the error that occurs when a command is injected (the error should occur, but we want to obfuscate it); however, it does pass the build and does not break the entire call

cktricky
2013-10-23 17:11:28 -05:00
parent a921f2118d
commit 7c1d52320a
2 changed files with 4 additions and 3 deletions
+3 -2
@@ -12,9 +12,10 @@ class Benefits < ActiveRecord::Base
def self.make_backup(file, data_path, full_file_name)
if File.exists?(full_file_name)
system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
end
end
rescue
end
=begin
def self.make_backup(file, data_path, full_file_name)
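Review bot: The `system` call in `make_backup` still interpolates `file.original_filename`, the client-supplied upload name, into a single shell string, so the shell interprets any metacharacters in that name; the `rescue` added after it hides errors without changing that. If this method is not meant to stay injectable as a training example (the accompanying 'command injection' spec suggests it is), pass the arguments separately so no shell is involved: `system("cp", full_file_name, File.join(data_path, "bak#{Time.now.to_i}_#{File.basename(file.original_filename)}"))`. `system` also returns false or nil on failure rather than raising, so the empty `rescue` never sees a failed copy; checking the return value and logging it would keep that signal for whoever investigates later. The rendering has lost indentation and the +/- markers, so which block the `rescue` attaches to is inferred, and the enclosing `Benefits` class starts outside the hunk.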
@@ -15,7 +15,7 @@ feature 'command injection' do
visit "/users/#{@normal_user.user_id}/benefit_forms"
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, ' >> /dev/null 2&>1; cd public && cd data && rm -f * ;')
hackety_file = File.join(dir, 'test.txt; cd public && cd data && rm -f * ;')
File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
within('.new_benefits') do
attach_file 'benefits_upload', hackety_file