From 4d2c4218630e05cbc547230cc431b778a3041680 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 27 Oct 2013 20:20:51 -0400 Subject: [PATCH 1/5] removing unwanted files --- public/docs/| dir | 1 - public/docs/| ls | 1 - public/secre | 7 ------- 3 files changed, 9 deletions(-) delete mode 100644 public/docs/| dir delete mode 100644 public/docs/| ls delete mode 100755 public/secre diff --git a/public/docs/| dir b/public/docs/| dir deleted file mode 100644 index fc8617d..0000000 --- a/public/docs/| dir +++ /dev/null @@ -1 +0,0 @@ -# Logfile created on 2013-10-24 00:32:47 -0500 by logger.rb/31641 diff --git a/public/docs/| ls b/public/docs/| ls deleted file mode 100644 index 21ebb9f..0000000 --- a/public/docs/| ls +++ /dev/null @@ -1 +0,0 @@ -# Logfile created on 2013-10-24 00:32:37 -0500 by logger.rb/31641 diff --git a/public/secre b/public/secre deleted file mode 100755 index 1d9d83c..0000000 --- a/public/secre +++ /dev/null @@ -1,7 +0,0 @@ -# Be sure to restart your server when you modify this file. - -# Your secret key for verifying the integrity of signed cookies. -# If you change this key, all old signed cookies will become invalid! -# Make sure the secret is at least 30 characters and all random, -# no regular words or you'll be exposed to dictionary attacks. -Railsgoat::Application.config.secret_token = '2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4' From 11480ac853a8a2461486549eb77eb9dff72665da Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 27 Oct 2013 21:46:12 -0400 Subject: [PATCH 2/5] tests are working again, I will work on surpressing the errors. Also merged @jasnow work --- app/models/benefits.rb | 5 ++--- spec/vulnerabilities/command_injection_spec.rb | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/app/models/benefits.rb b/app/models/benefits.rb index c423a38..88ab57e 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -11,10 +11,9 @@ class Benefits < ActiveRecord::Base end def self.make_backup(file, data_path, full_file_name) - if File.exists?(full_file_name) + if File.exists?(full_file_name) system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") - end - rescue + end end =begin diff --git a/spec/vulnerabilities/command_injection_spec.rb b/spec/vulnerabilities/command_injection_spec.rb index e90ad7e..8baed81 100644 --- a/spec/vulnerabilities/command_injection_spec.rb +++ b/spec/vulnerabilities/command_injection_spec.rb @@ -15,7 +15,7 @@ feature 'command injection' do visit "/users/#{@normal_user.user_id}/benefit_forms" Dir.mktmpdir do |dir| - hackety_file = File.join(dir, 'etc/passwd; cd public && cd data && rm -f * ;') + hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;') File.open(hackety_file, 'w') { |f| f.print 'mwahaha' } within('.new_benefits') do attach_file 'benefits_upload', hackety_file @@ -25,4 +25,4 @@ feature 'command injection' do end pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_false } end -end +end \ No newline at end of file From 86035a1cbd1a2e47dc634c978d014fa2695d14b2 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 27 Oct 2013 22:38:38 -0400 Subject: [PATCH 3/5] appears to have solved the issue with our code printing stderrs --- app/helpers/benefit_forms_helper.rb | 1 + app/models/benefits.rb | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/app/helpers/benefit_forms_helper.rb b/app/helpers/benefit_forms_helper.rb index 4378d04..105184c 100644 --- a/app/helpers/benefit_forms_helper.rb +++ b/app/helpers/benefit_forms_helper.rb @@ -1,2 +1,3 @@ module BenefitFormsHelper + end diff --git a/app/models/benefits.rb b/app/models/benefits.rb index 88ab57e..44a467d 100644 --- a/app/models/benefits.rb +++ b/app/models/benefits.rb @@ -12,7 +12,7 @@ class Benefits < ActiveRecord::Base def self.make_backup(file, data_path, full_file_name) if File.exists?(full_file_name) - system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") + silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") } end end @@ -21,5 +21,18 @@ class Benefits < ActiveRecord::Base FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}" end =end + + def self.silence_streams(*streams) + on_hold = streams.collect { |stream| stream.dup } + streams.each do |stream| + stream.reopen(RUBY_PLATFORM =~ /mswin/ ? 'NUL:' : '/dev/null') + stream.sync = true + end + yield + ensure + streams.each_with_index do |stream, i| + stream.reopen(on_hold[i]) + end + end end From 1e93dc3d4d44abf9bd4229609a1d189a4e2ab818 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 27 Oct 2013 22:38:52 -0400 Subject: [PATCH 4/5] appears to have solved the issue with our code printing stderrs --- app/helpers/benefit_forms_helper.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/helpers/benefit_forms_helper.rb b/app/helpers/benefit_forms_helper.rb index 105184c..4378d04 100644 --- a/app/helpers/benefit_forms_helper.rb +++ b/app/helpers/benefit_forms_helper.rb @@ -1,3 +1,2 @@ module BenefitFormsHelper - end From acf3b533bd973e1cbcc527a147fa545efd69a0bd Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 27 Oct 2013 22:43:10 -0400 Subject: [PATCH 5/5] fixing travis ci build icon --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 850287c..10fe978 100755 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Then proceed with browsing the site as normal :thumbsup: [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) -[![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat) +[![Build Status](https://travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) ### License Stuff ###