Merge branch 'master' of https://github.com/OWASP/railsgoat

README.md

@@ -49,7 +49,7 @@ Then proceed with browsing the site as normal :thumbsup:
 
 [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
 
-[![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat)
+[![Build Status](https://travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat)
 
 ### License Stuff ###
 

app/models/benefits.rb

@@ -12,9 +12,8 @@ class Benefits < ActiveRecord::Base
  
  def self.make_backup(file, data_path, full_file_name)
     if File.exists?(full_file_name) 
-    system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+      silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") }
     end  
-  rescue
  end
 
 =begin 
@@ -23,4 +22,17 @@ class Benefits < ActiveRecord::Base
   end
 =end 
 
+ def self.silence_streams(*streams)
+   on_hold = streams.collect { |stream| stream.dup }
+   streams.each do |stream|
+     stream.reopen(RUBY_PLATFORM =~ /mswin/ ? 'NUL:' : '/dev/null')
+     stream.sync = true
+   end
+   yield
+ ensure
+   streams.each_with_index do |stream, i|
+     stream.reopen(on_hold[i])
+   end
+ end
+ 
 end

spec/vulnerabilities/command_injection_spec.rb

@@ -15,7 +15,7 @@ feature 'command injection' do
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, 'etc/passwd; cd public && cd data && rm -f * ;')
+      hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;')
       File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
       within('.new_benefits') do
         attach_file 'benefits_upload', hackety_file