diff --git a/db/seeds.rb b/db/seeds.rb
index 333d5ad..1da1499 100755
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -4,49 +4,49 @@ users = [
 {
- :email => "admin@metacorp.com",
- :admin => true,
- :password => "admin1234",
- :password_confirmation => "admin1234",
- :first_name => "Admin",
- :last_name => "",
- :user_id =>1
+ :email => "admin@metacorp.com",
+ :admin => true,
+ :password => "admin1234",
+ :password_confirmation => "admin1234",
+ :first_name => "Admin",
+ :last_name => "",
+ :user_id =>1
 },
 {
- :email => "jack@metacorp.com",
- :admin => false,
- :password => "yankeessuck",
- :password_confirmation => "yankeessuck",
- :first_name => "Jack",
- :last_name => "Mannino",
+ :email => "jack@metacorp.com",
+ :admin => false,
+ :password => "yankeessuck",
+ :password_confirmation => "yankeessuck",
+ :first_name => "Jack",
+ :last_name => "Mannino",
 :user_id => 2
 },
 {
- :email => "jim@metacorp.com",
- :admin => false,
- :password => "alohaowasp",
- :password_confirmation => "alohaowasp",
- :first_name => "Jim",
- :last_name => "Manico",
- :user_id =>3
+ :email => "jim@metacorp.com",
+ :admin => false,
+ :password => "alohaowasp",
+ :password_confirmation => "alohaowasp",
+ :first_name => "Jim",
+ :last_name => "Manico",
+ :user_id =>3
 },
 {
- :email => "mike@metacorp.com",
- :admin => false,
- :password => "motocross1445",
- :password_confirmation => "motocross1445",
- :first_name => "Mike",
- :last_name => "McCabe",
- :user_id =>4
+ :email => "mike@metacorp.com",
+ :admin => false,
+ :password => "motocross1445",
+ :password_confirmation => "motocross1445",
+ :first_name => "Mike",
+ :last_name => "McCabe",
+ :user_id =>4
 },
 {
- :email => "ken@metacorp.com",
- :admin => false,
- :password => "citrusblend",
- :password_confirmation => "citrusblend",
- :first_name => "Ken",
- :last_name => "Johnson",
- :user_id =>5
+ :email => "ken@metacorp.com",
+ :admin => false,
+ :password => "citrusblend",
+ :password_confirmation => "citrusblend",
+ :first_name => "Ken",
+ :last_name => "Johnson",
+ :user_id =>5
 }
 ]
@@ -75,7 +75,7 @@ retirements = [
 :employer_contrib => "6000",
 :total => "12500"
 }
-
+
 ]
 paid_time_off = [
@@ -107,9 +107,9 @@ paid_time_off = [
 :pto_taken => 10,
 :pto_earned => 30
 }
-
+
 ]
-
+
 schedule = [
 {
 :user_id => 2,
@@ -117,8 +117,8 @@ paid_time_off = [
 :date_end => Date.new(2014, 8, 2),
 :event_type => "pto",
 :event_desc => "vacation to france",
- :event_name => "My 2014 Vacation"
-
+ :event_name => "My 2014 Vacation"
+
 },
 {
 :user_id => 3,
@@ -127,7 +127,7 @@ paid_time_off = [
 :event_type => "pto",
 :event_desc => "Going Home to see folks",
 :event_name => "Visit Parents"
-
+
 },
 {
 :user_id => 4,
@@ -136,7 +136,7 @@ paid_time_off = [
 :event_type => "pto",
 :event_desc => "Taking kids to Grand Canyon",
 :event_name => "AZ Trip"
-
+
 },
 {
 :user_id => 5,
@@ -148,7 +148,7 @@ paid_time_off = [
 }
 ]
-
+
 work_info = [
 {
 :user_id => 2,
@@ -156,7 +156,7 @@ paid_time_off = [
 :bonuses => "$10,000",
 :years_worked => 2,
 :SSN => "555-55-5555",
- :DoB => "01-01-1980"
+ :DoB => "01-01-1980"
 },
 {
 :user_id => 3,
@@ -164,7 +164,7 @@ paid_time_off = [
 :bonuses => "$10,000",
 :years_worked => 1,
 :SSN => "333-33-3333",
- :DoB => "01-01-1979"
+ :DoB => "01-01-1979"
 },
 {
 :user_id => 4,
@@ -172,7 +172,7 @@ paid_time_off = [
 :bonuses => "$12,000",
 :years_worked => 3,
 :SSN => "444-44-4444",
- :DoB => "01-01-1981"
+ :DoB => "01-01-1981"
 },
 {
 :user_id => 5,
@@ -180,57 +180,57 @@ paid_time_off = [
 :bonuses => "7,000",
 :years_worked => 1,
 :SSN => "222-22-2222",
- :DoB => "01-01-1982"
- }
+ :DoB => "01-01-1982"
+ }
 ]
-
+
 performance = [
 {
 :user_id => 2,
 :reviewer => 1,
- :comments => "Great job! You are my hero",
+ :comments => "Great job! You are my hero",
 :date_submitted => Date.new(2012, 01, 01),
 :score => 5
 },
 {
 :user_id => 2,
 :reviewer => 1,
- :comments => "Once again, you've done a great job this year. We greatly appreciate your hard work.",
+ :comments => "Once again, you've done a great job this year. We greatly appreciate your hard work.",
 :date_submitted => Date.new(2013, 01, 01),
 :score => 5
 },
 {
 :user_id => 3,
 :reviewer => 1,
- :comments => "Great worker, great attitude for this newcomer!",
+ :comments => "Great worker, great attitude for this newcomer!",
 :date_submitted => Date.new(2013, 01, 01),
 :score => 5
 },
 {
 :user_id => 4,
 :reviewer => 1,
- :comments => "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
+ :comments => "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
 :date_submitted => Date.new(2011, 01, 01),
 :score => 4
 },
 {
 :user_id => 4,
 :reviewer => 1,
- :comments => "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
+ :comments => "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
 :date_submitted => Date.new(2012, 01, 01),
 :score => 5
 },
 {
 :user_id => 4,
 :reviewer => 1,
- :comments => "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
+ :comments => "Right out of the gate, Mike has made incredible moves as a newly appointed leader. 
His only improvement would be more cowbell. Not enough of it.",
 :date_submitted => Date.new(2013, 01, 01),
 :score => 4
 },
 {
 :user_id => 5,
 :reviewer => 1,
- :comments => "Ehh, you are okay, we will let you stay..... barely",
+ :comments => "Ehh, you are okay, we will let you stay..... barely",
 :date_submitted => Date.new(2013, 01, 01),
 :score => 2
 }
@@ -267,44 +267,43 @@ paid_time_off = [
 users.each do |user_info|
 user = User.new(user_info.reject {|k| k == :user_id })
 user.user_id = user_info[:user_id]
- user.save
+ user.save!
 end
 retirements.each do |r|
 ret = Retirement.new(r.reject {|k| k == :user_id})
 ret.user_id = r[:user_id]
- ret.save
-end
+ ret.save!
+end
 paid_time_off.each do |pto|
 ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id})
 ptoff.user_id = pto[:user_id]
- ptoff.save
-
+ ptoff.save!
 end
 schedule.each do |event|
 sched = Schedule.new(event.reject {|k| k == :user_id})
 sched.user_id = event[:user_id]
- sched.save
+ sched.save!
 end
 performance.each do |perf|
 p = Performance.new(perf.reject {|k| k == :user_id})
 p.user_id = perf[:user_id]
- p.save
+ p.save!
 end
 messages.each do |message|
 m = Message.new(message.reject {|k| k == :creator_id})
 m.creator_id = message[:creator_id]
- m.save
+ m.save!
 end
 work_info.each do |wi|
 info = WorkInfo.new(wi.reject {|k| k == :user_id } )
 info.user_id = wi[:user_id]
- info.save
+ info.save!
 end
diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb
index 19f7b6f..ee54232 100644
--- a/spec/vulnerabilities/password_hashing_spec.rb
+++ b/spec/vulnerabilities/password_hashing_spec.rb
@@ -7,7 +7,7 @@ feature 'improper password hashing' do
 end
 scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
- new_pass = 'testpassword'
+ new_pass = 'testPassw0rd!'
 @normal_user.password = new_pass
 @normal_user.password_confirmation = new_pass
 @normal_user.save
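Review bot: With every loop now calling `save!`, a validation failure raises `ActiveRecord::RecordInvalid` part-way through the run, and because the seven loops are not wrapped in a transaction the rows already inserted stay behind, leaving a half-seeded database (users without their work_info rows, for example) that the next seed run starts on top of. Wrapping the seven loops in `ActiveRecord::Base.transaction do … end` makes a failed seed roll back to the state it started from, so the raised error is the only trace it leaves. Separately, the `r.reject {|k| k == :user_id}` pattern repeated in each loop reads more directly as `r.except(:user_id)`, which ActiveSupport provides. The hunk appears to hold all seven loops; `messages` is defined above it.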
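Review bot: `@normal_user.save` on the last line of this hunk discards a validation failure, so if the new `'testPassw0rd!'` value were rejected (the change suggests the password rules have tightened, though the validation itself is not in this diff) the scenario would carry on and its later assertions, outside the hunk, would run against the previously stored hash rather than the new one. `@normal_user.save!` makes a rejected fixture password fail the spec at the line that caused it, matching the `save!` switch this commit makes in db/seeds.rb. The scenario body continues past the end of the hunk.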
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index a963a56..b8b95b6 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -7,7 +7,7 @@ feature 'sql injection' do
 @admin_user = User.where("admin='t'").first
 end
- scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
+ scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
 expect(@admin_user.admin).to be_truthy
 login(@normal_user)
@@ -15,8 +15,8 @@ feature 'sql injection' do
 visit "/users/#{@normal_user.user_id}/account_settings"
 within('#account_edit') do
 fill_in 'Email', :with => 'joe.admin@schmoe.com'
- fill_in 'user_password', :with => 'hacketyhack'
- fill_in 'user_password_confirmation', :with => 'hacketyhack'
+ fill_in 'user_password', :with => 'H4cketyhack'
+ fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 # this is a hidden field, so cannot use fill_in to access it.
 find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"