team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #263 from jmmastey/fixing-password-vuln-makes-seeds-invalid

Browse Source 
Fixing password vuln makes seeds invalid
This commit is contained in:
Ken Johnson
2017-09-19 19:32:50 -04:00
committed by GitHub
parent 59857671f1 b934194ffe
commit 87e8ebc8e5
3 changed files with 67 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
db/seeds.rb
+7 -8
View File
@@ -267,44 +267,43 @@ paid_time_off = [
users.each do |user_info| users.each do |user_info|
user = User.new(user_info.reject {|k| k == :user_id }) user = User.new(user_info.reject {|k| k == :user_id })
user.user_id = user_info[:user_id] user.user_id = user_info[:user_id]
user.save user.save!
end end
retirements.each do |r| retirements.each do |r|
ret = Retirement.new(r.reject {|k| k == :user_id}) ret = Retirement.new(r.reject {|k| k == :user_id})
ret.user_id = r[:user_id] ret.user_id = r[:user_id]
ret.save ret.save!
end end
paid_time_off.each do |pto| paid_time_off.each do |pto|
ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id}) ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id})
ptoff.user_id = pto[:user_id] ptoff.user_id = pto[:user_id]
ptoff.save ptoff.save!
end end
schedule.each do |event| schedule.each do |event|
sched = Schedule.new(event.reject {|k| k == :user_id}) sched = Schedule.new(event.reject {|k| k == :user_id})
sched.user_id = event[:user_id] sched.user_id = event[:user_id]
sched.save sched.save!
end end
performance.each do |perf| performance.each do |perf|
p = Performance.new(perf.reject {|k| k == :user_id}) p = Performance.new(perf.reject {|k| k == :user_id})
p.user_id = perf[:user_id] p.user_id = perf[:user_id]
p.save p.save!
end end
messages.each do |message| messages.each do |message|
m = Message.new(message.reject {|k| k == :creator_id}) m = Message.new(message.reject {|k| k == :creator_id})
m.creator_id = message[:creator_id] m.creator_id = message[:creator_id]
m.save m.save!
end end
work_info.each do |wi| work_info.each do |wi|
info = WorkInfo.new(wi.reject {|k| k == :user_id } ) info = WorkInfo.new(wi.reject {|k| k == :user_id } )
info.user_id = wi[:user_id] info.user_id = wi[:user_id]
info.save info.save!
end end
spec/vulnerabilities/password_hashing_spec.rb
+1 -1
View File
@@ -7,7 +7,7 @@ feature 'improper password hashing' do
end end
scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
new_pass = 'testpassword' new_pass = 'testPassw0rd!'
@normal_user.password = new_pass @normal_user.password = new_pass
@normal_user.password_confirmation = new_pass @normal_user.password_confirmation = new_pass
@normal_user.save @normal_user.save
spec/vulnerabilities/sql_injection_spec.rb
+3 -3
View File
@@ -7,7 +7,7 @@ feature 'sql injection' do
@admin_user = User.where("admin='t'").first @admin_user = User.where("admin='t'").first
end end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
expect(@admin_user.admin).to be_truthy expect(@admin_user.admin).to be_truthy
login(@normal_user) login(@normal_user)
@@ -15,8 +15,8 @@ feature 'sql injection' do
visit "/users/#{@normal_user.user_id}/account_settings" visit "/users/#{@normal_user.user_id}/account_settings"
within('#account_edit') do within('#account_edit') do
fill_in 'Email', :with => 'joe.admin@schmoe.com' fill_in 'Email', :with => 'joe.admin@schmoe.com'
fill_in 'user_password', :with => 'hacketyhack' fill_in 'user_password', :with => 'H4cketyhack'
fill_in 'user_password_confirmation', :with => 'hacketyhack' fill_in 'user_password_confirmation', :with => 'H4cketyhack'
# this is a hidden field, so cannot use fill_in to access it. # this is a hidden field, so cannot use fill_in to access it.
find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --" find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"