From 7c1d52320ac09a6e892c652432ab9454769a20d0 Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Wed, 23 Oct 2013 17:11:28 -0500
Subject: [PATCH] does not fix the error that occurs (as it should, but that we
 want to obfuscate) when a command is injected into, however, it does pass the
 build and does not break the entire call

---
 app/models/benefits.rb                         | 5 +++--
 spec/vulnerabilities/command_injection_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/models/benefits.rb b/app/models/benefits.rb
index 985b8cc..35d0444 100644
--- a/app/models/benefits.rb
+++ b/app/models/benefits.rb
@@ -12,9 +12,10 @@ class Benefits < ActiveRecord::Base
  
  def self.make_backup(file, data_path, full_file_name)
     if File.exists?(full_file_name)
-     system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+    system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
     end
-  end
+  rescue
+ end
 
 =begin 
   def self.make_backup(file, data_path, full_file_name)
diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb
index 23e0879..7ebcdaa 100644
--- a/spec/vulnerabilities/command_injection_spec.rb
+++ b/spec/vulnerabilities/command_injection_spec.rb
@@ -15,7 +15,7 @@ feature 'command injection' do
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, ' >> /dev/null 2&>1; cd public && cd data && rm -f * ;')
+      hackety_file = File.join(dir, 'test.txt; cd public && cd data && rm -f * ;')
       File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
       within('.new_benefits') do
         attach_file 'benefits_upload', hackety_file