Merge pull request #263 from jmmastey/fixing-password-vuln-makes-seeds-invalid

Fixing password vuln makes seeds invalid

db/seeds.rb

@@ -4,49 +4,49 @@
 
 users = [
      {
-       :email => "admin@metacorp.com", 
+       :email => "admin@metacorp.com",
-       :admin => true, 
+       :admin => true,
-       :password => "admin1234", 
+       :password => "admin1234",
-       :password_confirmation => "admin1234", 
+       :password_confirmation => "admin1234",
-       :first_name => "Admin", 
+       :first_name => "Admin",
-       :last_name => "", 
+       :last_name => "",
-       :user_id =>1 
+       :user_id =>1
       },
      {
-       :email => "jack@metacorp.com", 
+       :email => "jack@metacorp.com",
-       :admin => false, 
+       :admin => false,
-       :password => "yankeessuck", 
+       :password => "yankeessuck",
-       :password_confirmation => "yankeessuck", 
+       :password_confirmation => "yankeessuck",
-       :first_name => "Jack", 
+       :first_name => "Jack",
-       :last_name => "Mannino", 
+       :last_name => "Mannino",
        :user_id => 2
      },
      {
-       :email => "jim@metacorp.com", 
+       :email => "jim@metacorp.com",
-       :admin => false, 
+       :admin => false,
-       :password => "alohaowasp", 
+       :password => "alohaowasp",
-       :password_confirmation => "alohaowasp", 
+       :password_confirmation => "alohaowasp",
-       :first_name => "Jim", 
+       :first_name => "Jim",
-       :last_name => "Manico", 
+       :last_name => "Manico",
-       :user_id =>3 
+       :user_id =>3
      },
      {
-       :email => "mike@metacorp.com", 
+       :email => "mike@metacorp.com",
-       :admin => false, 
+       :admin => false,
-       :password => "motocross1445", 
+       :password => "motocross1445",
-       :password_confirmation => "motocross1445", 
+       :password_confirmation => "motocross1445",
-       :first_name => "Mike", 
+       :first_name => "Mike",
-       :last_name => "McCabe", 
+       :last_name => "McCabe",
-       :user_id =>4 
+       :user_id =>4
       },
      {
-       :email => "ken@metacorp.com", 
+       :email => "ken@metacorp.com",
-       :admin => false, 
+       :admin => false,
-       :password => "citrusblend", 
+       :password => "citrusblend",
-       :password_confirmation => "citrusblend", 
+       :password_confirmation => "citrusblend",
-       :first_name => "Ken", 
+       :first_name => "Ken",
-       :last_name => "Johnson", 
+       :last_name => "Johnson",
-       :user_id =>5 
+       :user_id =>5
       }
 ]
 
@@ -75,7 +75,7 @@ retirements = [
         :employer_contrib => "6000",
         :total => "12500"
       }
-      
+
 ]
 
 paid_time_off = [
@@ -107,9 +107,9 @@ paid_time_off = [
         :pto_taken => 10,
         :pto_earned => 30
       }
-  
+
   ]
-  
+
   schedule = [
         {
           :user_id => 2,
@@ -117,8 +117,8 @@ paid_time_off = [
           :date_end => Date.new(2014, 8, 2),
           :event_type => "pto",
           :event_desc => "vacation to france",
-          :event_name => "My 2014 Vacation"        
+          :event_name => "My 2014 Vacation"
-          
+
         },
         {
           :user_id => 3,
@@ -127,7 +127,7 @@ paid_time_off = [
           :event_type => "pto",
           :event_desc => "Going Home to see folks",
           :event_name => "Visit Parents"
-          
+
         },
         {
           :user_id => 4,
@@ -136,7 +136,7 @@ paid_time_off = [
           :event_type => "pto",
           :event_desc => "Taking kids to Grand Canyon",
           :event_name => "AZ Trip"
-        
+
         },
         {
           :user_id => 5,
@@ -148,7 +148,7 @@ paid_time_off = [
         }
 
     ]
-    
+
   work_info = [
     {
       :user_id => 2,
@@ -156,7 +156,7 @@ paid_time_off = [
       :bonuses => "$10,000",
       :years_worked => 2,
       :SSN => "555-55-5555",
-      :DoB => "01-01-1980"         
+      :DoB => "01-01-1980"
     },
     {
       :user_id => 3,
@@ -164,7 +164,7 @@ paid_time_off = [
       :bonuses => "$10,000",
       :years_worked => 1,
       :SSN => "333-33-3333",
-      :DoB => "01-01-1979"         
+      :DoB => "01-01-1979"
     },
     {
       :user_id => 4,
@@ -172,7 +172,7 @@ paid_time_off = [
       :bonuses => "$12,000",
       :years_worked => 3,
       :SSN => "444-44-4444",
-      :DoB => "01-01-1981"         
+      :DoB => "01-01-1981"
     },
     {
       :user_id => 5,
@@ -180,57 +180,57 @@ paid_time_off = [
       :bonuses => "7,000",
       :years_worked => 1,
       :SSN => "222-22-2222",
-      :DoB => "01-01-1982"         
+      :DoB => "01-01-1982"
-    }   
+    }
   ]
-  
+
   performance = [
     {
       :user_id => 2,
       :reviewer => 1,
-      :comments => "Great job! You are my hero", 
+      :comments => "Great job! You are my hero",
       :date_submitted => Date.new(2012, 01, 01),
       :score => 5
     },
     {
     :user_id => 2,
     :reviewer => 1,
-    :comments => "Once again, you've done a great job this year. We greatly appreciate your hard work.", 
+    :comments => "Once again, you've done a great job this year. We greatly appreciate your hard work.",
     :date_submitted => Date.new(2013, 01, 01),
     :score => 5
     },
     {
       :user_id => 3,
       :reviewer => 1,
-      :comments => "Great worker, great attitude for this newcomer!", 
+      :comments => "Great worker, great attitude for this newcomer!",
       :date_submitted => Date.new(2013, 01, 01),
       :score => 5
     },
     {
       :user_id => 4,
       :reviewer => 1,
-      :comments => "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.", 
+      :comments => "Wow, right out of the gate we've been very impressed but unfortunately, our system doesn't allow us to give you a full 5.0 because other ppl have gotten 5.0 ratings.",
       :date_submitted => Date.new(2011, 01, 01),
       :score => 4
     },
     {
       :user_id => 4,
       :reviewer => 1,
-      :comments => "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.", 
+      :comments => "We highly recommend promotion for this employee! Consistent performer with proven leadership qualities.",
       :date_submitted => Date.new(2012, 01, 01),
       :score => 5
     },
     {
       :user_id => 4,
       :reviewer => 1,
-      :comments => "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.", 
+      :comments => "Right out of the gate, Mike has made incredible moves as a newly appointed leader. His only improvement would be more cowbell. Not enough of it.",
       :date_submitted => Date.new(2013, 01, 01),
       :score => 4
     },
     {
        :user_id => 5,
        :reviewer => 1,
-       :comments => "Ehh, you are okay, we will let you stay..... barely", 
+       :comments => "Ehh, you are okay, we will let you stay..... barely",
        :date_submitted => Date.new(2013, 01, 01),
        :score => 2
      }
@@ -267,44 +267,43 @@ paid_time_off = [
 users.each do |user_info|
   user = User.new(user_info.reject {|k| k == :user_id })
   user.user_id = user_info[:user_id]
-  user.save
+  user.save!
 end
 
 retirements.each do |r|
  ret = Retirement.new(r.reject {|k| k == :user_id})
  ret.user_id = r[:user_id]
- ret.save
+ ret.save!
-end  
+end
 
 paid_time_off.each do |pto|
   ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id})
   ptoff.user_id = pto[:user_id]
-  ptoff.save
+  ptoff.save!
-  
 end
 
 schedule.each do |event|
   sched = Schedule.new(event.reject {|k| k == :user_id})
   sched.user_id = event[:user_id]
-  sched.save
+  sched.save!
 end
 
 performance.each do |perf|
   p = Performance.new(perf.reject {|k| k == :user_id})
   p.user_id = perf[:user_id]
-  p.save
+  p.save!
 end
 
 messages.each do |message|
   m = Message.new(message.reject {|k| k == :creator_id})
   m.creator_id = message[:creator_id]
-  m.save
+  m.save!
 end
 
 work_info.each do |wi|
   info = WorkInfo.new(wi.reject {|k| k == :user_id } )
   info.user_id = wi[:user_id]
-  info.save
+  info.save!
 end
 
 

spec/vulnerabilities/password_hashing_spec.rb

@@ -7,7 +7,7 @@ feature 'improper password hashing' do
   end
 
   scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
-    new_pass = 'testpassword'
+    new_pass = 'testPassw0rd!'
     @normal_user.password = new_pass
     @normal_user.password_confirmation = new_pass
     @normal_user.save

spec/vulnerabilities/sql_injection_spec.rb

@@ -7,7 +7,7 @@ feature 'sql injection' do
     @admin_user = User.where("admin='t'").first
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
     expect(@admin_user.admin).to be_truthy
 
     login(@normal_user)
@@ -15,8 +15,8 @@ feature 'sql injection' do
     visit "/users/#{@normal_user.user_id}/account_settings"
     within('#account_edit') do
       fill_in 'Email', :with => 'joe.admin@schmoe.com'
-      fill_in 'user_password', :with => 'hacketyhack'
+      fill_in 'user_password', :with => 'H4cketyhack'
-      fill_in 'user_password_confirmation', :with => 'hacketyhack'
+      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 
       # this is a hidden field, so cannot use fill_in to access it.
       find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"