Merge pull request #49 from chrismo/capybara

Added notice and removed spoilers from spec names.

spec/features/broken_auth_spec.rb

@@ -6,7 +6,7 @@ feature 'broken_auth' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'TMI during login - username' do
+  scenario 'one' do
     visit '/'
     within('.signup') do
       fill_in 'email', :with => @normal_user.email + 'not'
@@ -16,7 +16,7 @@ feature 'broken_auth' do
     pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!" }
   end
 
-  scenario 'TMI during login - password' do
+  scenario 'two' do
     visit '/'
     within('.signup') do
       fill_in 'email', :with => @normal_user.email

spec/features/command_injection_spec.rb

@@ -7,7 +7,7 @@ feature 'command injection' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'injection attack on file upload', :js => true do
+  scenario 'attack', :js => true do
     login @normal_user
 
     legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')

spec/features/csrf_spec.rb

@@ -7,7 +7,7 @@ feature 'csrf' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'csrf attack to pto', :js => true do
+  scenario 'attack', :js => true do
     visit '/'
     # TODO: is there a way to get this without visiting root first?
     base_url = current_url

spec/features/info_disclosure_spec.rb

@@ -9,7 +9,7 @@ feature 'sensitive information disclosure' do
 
   # this won't work with javascript_driver, as it'll apply the javascript
   # function to mask this value and the source will be overwritten.
-  scenario 'full ssn returned to view' do
+  scenario 'attack' do
     login @normal_user
 
     visit "/users/#{@normal_user.user_id}/work_info"

spec/features/insecure_dor_spec.rb

@@ -6,7 +6,7 @@ feature 'insecure direct object reference' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'download production configuration' do
+  scenario 'attack one' do
     login(@normal_user)
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
@@ -20,7 +20,7 @@ feature 'insecure direct object reference' do
     }
   end
 
-  scenario 'view any user work_info' do
+  scenario 'attack two' do
     login(@normal_user)
 
     @normal_user.user_id.should_not == 2

spec/features/mass_assignment_spec.rb

@@ -1,12 +1,12 @@
 require 'spec_helper'
 
-feature 'sql injection' do
+feature 'mass assignment' do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'mass assignment attack update account_settings' do
+  scenario 'attack one' do
     @normal_user.admin.should be_false
 
     login(@normal_user)
@@ -20,7 +20,7 @@ feature 'sql injection' do
     pending(:if => verifying_fixed?) { @normal_user.reload.admin.should be_true }
   end
 
-  scenario 'mass assignment attack create new account' do
+  scenario 'attack two' do
     params = {:user => {:admin => 't',
                         :email => 'hackety@h4x0rs.c0m',
                         :first_name => 'hackety',

spec/features/sql_injection_spec.rb

@@ -7,7 +7,7 @@ feature 'sql injection' do
     @admin_user = User.where("admin='t'").first
   end
 
-  scenario 'injection attack on account_settings' do
+  scenario 'attack' do
     @admin_user.admin.should be_true
 
     login(@normal_user)

spec/features/unvalidated_redirects_spec.rb

@@ -6,7 +6,7 @@ feature 'unvalidated redirect' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'login redirects to anywhere', :js => true do
+  scenario 'attack', :js => true do
     visit '/?url=http://example.com/do/evil/things'
     within('.signup') do
       fill_in 'email', :with => @normal_user.email

spec/features/url_access_spec.rb

@@ -6,7 +6,7 @@ feature 'url access' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'admin route not protected', :js => true do
+  scenario 'attack', :js => true do
     login @normal_user
 
     visit '/admin/1/dashboard'

spec/features/xss_spec.rb

@@ -6,7 +6,7 @@ feature 'xss' do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'xss attack on account_settings', :js => true do
+  scenario 'attack', :js => true do
     login @normal_user
 
     visit "/users/#{@normal_user.user_id}/account_settings"

spec/support/capybara_shared.rb

@@ -5,8 +5,34 @@
 # However, RailsGoat maintainers need the Capybara features to pass to indicate
 # changes to the site have not inadvertently removed or fixed any vulnerabilities
 # since the whole point is to provide a site for a developer to fix.
+@@displayed_spec_notice = false
+
 def verifying_fixed?
-  !ENV['RAILSGOAT_MAINTAINER']
+  maintainer_env_name = 'RAILSGOAT_MAINTAINER'
+  result = !ENV[maintainer_env_name]
+  if !@@displayed_spec_notice && result
+    puts <<-NOTICE
+
+******************************************************************************
+  You are running the RailsGoat Capybara Specs in Training mode. These specs
+  are supposed to fail, indicating vulnerabilities exist. They contain
+  spoilers, so do not read the code in spec/features if your goal is to
+  learn more about patching the vulnerabilities. You should fix the
+  vulnerabilities in the application in order to get these specs to pass**.
+  You can use them to measure your progress.
+
+  These same specs will pass if you set the #{maintainer_env_name} ENV
+  variable.
+
+  **NOTE: The RSpec pending feature is used to toggle the outcome of these
+  specs between Training mode and RailsGoat Maintainer mode, so when the
+  vulnerabilities are removed, these specs actually won't 'pass' but go into
+  a 'pending' state.
+******************************************************************************
+    NOTICE
+    @@displayed_spec_notice = true
+  end
+  result
 end
 
 def login(user)