From 8c38edd90b4da3a68667bac5b26c25492063f4f8 Mon Sep 17 00:00:00 2001 From: Joseph Mastey Date: Thu, 19 Jan 2017 15:53:24 -0600 Subject: [PATCH] upgrade(rails-5): we updated the db/config, broke the test that extracts it --- README.md | 7 ++++--- spec/vulnerabilities/insecure_dor_spec.rb | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c26bd7a..f8b7754 100755 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Support @@ -20,11 +20,12 @@ After installing the package, clone this repo: $ git clone git@github.com:OWASP/railsgoat.git ``` -**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches +**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches: ```bash $ cd railsgoat $ git checkout rails_3_2 +$ git checkout rails_4_2 ``` Navigate into the directory (already there if you followed the previous step) and install the dependencies: 
@@ -93,7 +94,7 @@ Note: if your container exits with an error, it may be because a server is alrea ``` A server is already running. Check /myapp/tmp/pids/server.pid. => Booting Thin -=> Rails 4.2.6 application starting in development on +=> Rails 5.0.1 application starting in development on http://0.0.0.0:3000 => Run `rails server -h` for more startup options => Ctrl-C to shutdown server diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb index 88df889..c192773 100644 --- a/spec/vulnerabilities/insecure_dor_spec.rb +++ b/spec/vulnerabilities/insecure_dor_spec.rb @@ -14,9 +14,10 @@ feature 'insecure direct object reference' do visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&') pending if verifying_fixed? + expect(page.status_code).to eq(200) expect(page.response_headers['Content-Disposition']).to include('database.yml') - expect(page.response_headers['Content-Length']).to eq('709') + expect(page.response_headers['Content-Length']).to eq('710') end scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
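Review bot: the rewritten sentence in the first README hunk, `+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5.`, still describes the project as a vulnerable build of Rails itself, while the rest of the README (booting an application under /myapp, a spec hitting a download endpoint) shows it is a deliberately vulnerable application built on Rails. Since the line is being touched anyway, consider `RailsGoat is a deliberately vulnerable Ruby on Rails application, with branches for Rails 3, 4 and 5.`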
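Review bot: in the second README hunk the branch instructions now read as two commands to run in sequence, `$ git checkout rails_3_2` followed by `$ git checkout rails_4_2`, so a reader following them literally ends up on rails_4_2 whichever version they wanted. Present them as alternatives, e.g. `$ git checkout rails_3_2   # Rails 3` and `$ git checkout rails_4_2   # Rails 4`, or split them into one fence per branch, to match the "Rails 3 or 4 versions" sentence above them.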
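Review bot: the assertion `expect(page.response_headers['Content-Length']).to eq('710')` in the insecure_dor_spec hunk is as brittle as the `'709'` it replaces: it pins the byte length of config/database.yml, so the next edit to that file breaks the spec again, which is exactly what the commit message says happened here. Assert on evidence that the IDOR actually served the file instead, for example `expect(page.body).to include('adapter:')` (a key a Rails database.yml is expected to contain) or compare against `File.size(Rails.root.join('config', 'database.yml')).to_s`. The added `expect(page.status_code).to eq(200)` is a good check and should stay.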