team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/OWASP/railsgoat

Browse Source
This commit is contained in:
Al Snow
2013-10-28 09:35:51 -04:00
parent 9d6c567af1 acf3b533bd
commit 842e09d3d4
3 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -49,7 +49,7 @@ Then proceed with browsing the site as normal :thumbsup:
[![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
[![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat) [![Build Status](https://travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat)
### License Stuff ### ### License Stuff ###
app/models/benefits.rb
+16 -4
View File
@@ -11,10 +11,9 @@ class Benefits < ActiveRecord::Base
end end
def self.make_backup(file, data_path, full_file_name) def self.make_backup(file, data_path, full_file_name)
if File.exists?(full_file_name) if File.exists?(full_file_name)
system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") }
end end
rescue
end end
=begin =begin
@@ -22,5 +21,18 @@ class Benefits < ActiveRecord::Base
FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}" FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
end end
=end =end
def self.silence_streams(*streams)
on_hold = streams.collect { |stream| stream.dup }
streams.each do |stream|
stream.reopen(RUBY_PLATFORM =~ /mswin/ ? 'NUL:' : '/dev/null')
stream.sync = true
end
yield
ensure
streams.each_with_index do |stream, i|
stream.reopen(on_hold[i])
end
end
end end
spec/vulnerabilities/command_injection_spec.rb
+2 -2
View File
@@ -15,7 +15,7 @@ feature 'command injection' do
visit "/users/#{@normal_user.user_id}/benefit_forms" visit "/users/#{@normal_user.user_id}/benefit_forms"
Dir.mktmpdir do |dir| Dir.mktmpdir do |dir|
hackety_file = File.join(dir, 'etc/passwd; cd public && cd data && rm -f * ;') hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;')
File.open(hackety_file, 'w') { |f| f.print 'mwahaha' } File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
within('.new_benefits') do within('.new_benefits') do
attach_file 'benefits_upload', hackety_file attach_file 'benefits_upload', hackety_file
@@ -25,4 +25,4 @@ feature 'command injection' do
end end
pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_false } pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_false }
end end
end end