chore(rubocop): giganto rubocop commit.

muahahahah

spec/controllers/api/v1/users_controller_spec.rb

@@ -1,6 +1,6 @@
-=begin require 'spec_helper'
-
-describe Api::V1::UsersController do
-
-end
-=end
+# frozen_string_literal: true
+# require 'spec_helper'
+#
+# describe Api::V1::UsersController do
+#
+# end

spec/controllers/messages_controller_spec.rb

@@ -1 +1,2 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"

spec/controllers/password_resets_controller_spec.rb

@@ -1 +1,2 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"

spec/controllers/pay_controller_spec.rb

@@ -1,6 +1,6 @@
-=begin require 'spec_helper'
-
-describe PayController do
-
-end
-=end
+# frozen_string_literal: true
+# require 'spec_helper'
+#
+# describe PayController do
+#
+# end

spec/helpers/api/v1/users_helper_spec.rb

@@ -1,5 +1,6 @@
-=begin require 'spec_helper'
-
+# frozen_string_literal: true
+# require 'spec_helper'
+#
 # Specs in this file have access to a helper object that includes
 # the Api::V1::UsersHelper. For example:
 #
@@ -10,7 +11,6 @@
 #     end
 #   end
 # end
-describe Api::V1::UsersHelper do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
-=end
+# describe Api::V1::UsersHelper do
+#   pending "add some examples to (or delete) #{__FILE__}"
+# end

spec/helpers/messages_helper_spec.rb

@@ -1 +1,2 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"

spec/helpers/password_resets_helper_spec.rb

@@ -1,5 +1,6 @@
-=begin require 'spec_helper'
-
+# frozen_string_literal: true
+# require 'spec_helper'
+#
 # Specs in this file have access to a helper object that includes
 # the PasswordResetsHelper. For example:
 #
@@ -10,7 +11,6 @@
 #     end
 #   end
 # end
-describe PasswordResetsHelper do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
-=end
+# describe PasswordResetsHelper do
+#   pending "add some examples to (or delete) #{__FILE__}"
+# end

spec/helpers/pay_helper_spec.rb

@@ -1,5 +1,6 @@
-=begin require 'spec_helper'
-
+# frozen_string_literal: true
+# require 'spec_helper'
+#
 # Specs in this file have access to a helper object that includes
 # the PayHelper. For example:
 #
@@ -10,7 +11,6 @@
 #     end
 #   end
 # end
-describe PayHelper do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
-=end
+# describe PayHelper do
+#   pending "add some examples to (or delete) #{__FILE__}"
+# end

spec/mailers/user_mailer_spec.rb

@@ -1 +1,2 @@
-require "spec_helper"
+# frozen_string_literal: true
+require "spec_helper"

spec/models/benefits_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper.rb'
+# frozen_string_literal: true
+require "spec_helper.rb"
 
 describe User do
   before(:all) do

spec/models/key_management_spec.rb

@@ -1 +1,2 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"

spec/models/message_spec.rb

@@ -1 +1,2 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"

spec/models/pay_spec.rb

@@ -1,6 +1,6 @@
-=begin require 'spec_helper'
-
-describe Pay do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
-=end
+# frozen_string_literal: true
+# require 'spec_helper'
+#
+# describe Pay do
+#   pending "add some examples to (or delete) #{__FILE__}"
+# end

spec/models/user_spec.rb

@@ -1,4 +1,5 @@
-require 'spec_helper.rb'
+# frozen_string_literal: true
+require "spec_helper.rb"
 
 describe User do
   before(:all) do
@@ -15,16 +16,16 @@ describe User do
   end
 
   it "should require a email" do
-    expect(User.new(:email => "")).not_to be_valid
+    expect(User.new(email: "")).not_to be_valid
   end
 
   it "should require valid email" do
-    expect(User.new(:email => "@gmail.com")).not_to be_valid
+    expect(User.new(email: "@gmail.com")).not_to be_valid
   end
 
   it "should require unique email" do
     user = User.all.first
-    expect(User.new(:email => user.email)).not_to be_valid
+    expect(User.new(email: user.email)).not_to be_valid
   end
 
   it "name can be updated" do

spec/spec_helper.rb

@@ -1,15 +1,16 @@
+# frozen_string_literal: true
 # This file is copied to spec/ when you run 'rails generate rspec:install'
-ENV["RAILS_ENV"] ||= 'test'
+ENV["RAILS_ENV"] ||= "test"
 
 # To use simplecov, do this: COVERAGE=true rake
-require 'simplecov'
+require "simplecov"
 SimpleCov.start if ENV["COVERAGE"]
 
 require File.expand_path("../../config/environment", __FILE__)
-require 'rspec/rails'
-require 'capybara/rails'
-require 'capybara/poltergeist'
-require 'database_cleaner'
+require "rspec/rails"
+require "capybara/rails"
+require "capybara/poltergeist"
+require "database_cleaner"
 
 # Requires supporting ruby files with custom matchers and macros, etc,
 # in spec/support/ and its subdirectories.

spec/support/capybara_shared.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # By default this will return true, and thus all of the Capybara specs will
 # fail until a developer using the site for training has patched up all of
 # the vulnerabilities.
@@ -8,7 +9,7 @@
 $displayed_spec_notice = false
 
 def verifying_fixed?
-  maintainer_env_name = 'RAILSGOAT_MAINTAINER'
+  maintainer_env_name = "RAILSGOAT_MAINTAINER"
   result = !ENV[maintainer_env_name]
   if !$displayed_spec_notice && result
     puts <<-NOTICE
@@ -35,13 +36,13 @@ def verifying_fixed?
 end
 
 def login(user)
-  visit '/'
-  within('.signup') do
-    fill_in 'email', :with => user.email
-    fill_in 'password', :with => user.clear_password
+  visit "/"
+  within(".signup") do
+    fill_in "email", with: user.email
+    fill_in "password", with: user.clear_password
   end
-  within('.actions') do
-    click_on 'Login'
+  within(".actions") do
+    click_on "Login"
   end
 end
 
@@ -72,7 +73,7 @@ end
 class WarningSuppressor
   class << self
     def write(message)
-      if message =~ /QFont::setPixelSize: Pixel size <= 0/ || message =~/CoreText performance note:/ || message =~/Method userSpaceScaleFactor in class NSView/ then 0 else puts(message);1;end
+      (message =~ /QFont::setPixelSize: Pixel size <= 0/ || message =~/CoreText performance note:/ || message =~/Method userSpaceScaleFactor in class NSView/) ? 0 : puts(message); 1
     end
   end
 end

spec/support/user_fixture.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 class UserFixture
   def self.reset_all_users
     User.delete_all
@@ -5,11 +6,11 @@ class UserFixture
   end
 
   def self.normal_user
-    password = 'thi$ 1s cOmplExEr'
-    user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
-                    :email => 'joe@schmoe.com', :password => password, :password_confirmation => password)
+    password = "thi$ 1s cOmplExEr"
+    user = User.new(first_name: "Joe", last_name: "Schmoe",
+                    email: "joe@schmoe.com", password: password, password_confirmation: password)
     def user.clear_password
-      'thi$ 1s cOmplExEr'
+      "thi$ 1s cOmplExEr"
     end
     user.save!
     user

spec/views/password_resets/new.html.erb_spec.rb

@@ -1,6 +1,6 @@
-=begin require 'spec_helper'
-
-describe "password_resets/new.html.erb" do
-  pending "add some examples to (or delete) #{__FILE__}"
-end
-=end
+# frozen_string_literal: true
+# require 'spec_helper'
+#
+# describe "password_resets/new.html.erb" do
+#   pending "add some examples to (or delete) #{__FILE__}"
+# end

spec/vulnerabilities/broken_auth_spec.rb

@@ -1,34 +1,35 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'broken_auth' do
+feature "broken_auth" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
   scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
-    visit '/'
-    within('.signup') do
-      fill_in 'email', :with => @normal_user.email + 'not'
-      fill_in 'password', :with => @normal_user.clear_password
+    visit "/"
+    within(".signup") do
+      fill_in "email", with: @normal_user.email + "not"
+      fill_in "password", with: @normal_user.clear_password
     end
-    within('.actions') do
-      click_on 'Login'
+    within(".actions") do
+      click_on "Login"
     end
     pending if verifying_fixed?
-    expect(find('div#flash_notice').text).to eq("#{@normal_user.email}not doesn't exist!")
+    expect(find("div#flash_notice").text).to eq("#{@normal_user.email}not doesn't exist!")
   end
 
   scenario "two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
-    visit '/'
-    within('.signup') do
-      fill_in 'email', :with => @normal_user.email
-      fill_in 'password', :with => @normal_user.clear_password + 'not'
+    visit "/"
+    within(".signup") do
+      fill_in "email", with: @normal_user.email
+      fill_in "password", with: @normal_user.clear_password + "not"
     end
-    within('.actions') do
-      click_on 'Login'
+    within(".actions") do
+      click_on "Login"
     end
     pending if verifying_fixed?
-    expect(find('div#flash_notice').text).to eq('Incorrect Password!')
+    expect(find("div#flash_notice").text).to eq("Incorrect Password!")
   end
 end

spec/vulnerabilities/command_injection_spec.rb

@@ -1,29 +1,30 @@
-require 'spec_helper'
-require 'tmpdir'
+# frozen_string_literal: true
+require "spec_helper"
+require "tmpdir"
 
-feature 'command injection' do
+feature "command injection" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", js: true do
     login @normal_user
 
-    legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
-    File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
+    legit_file = File.join(Rails.root, "public", "data", "legit.txt")
+    File.open(legit_file, "w") { |f| f.puts "totes legit" }
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;')
-      File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
-      within('.new_benefits') do
-        attach_file 'benefits_upload', hackety_file
-        find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
+      hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
+      File.open(hackety_file, "w") { |f| f.print "mwahaha" }
+      within(".new_benefits") do
+        attach_file "benefits_upload", hackety_file
+        find(:xpath, "//input[@id='benefits_backup']", visible: false).set "true"
       end
-      click_on 'Start Upload'
+      click_on "Start Upload"
     end
     pending if verifying_fixed?
-    expect(File.exists?(legit_file)).to be_falsey
+    expect(File.exist?(legit_file)).to be_falsey
   end
 end

spec/vulnerabilities/csrf_spec.rb

@@ -1,23 +1,24 @@
-require 'spec_helper'
-require 'tmpdir'
+# frozen_string_literal: true
+require "spec_helper"
+require "tmpdir"
 
-feature 'csrf' do
+feature "csrf" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", :js => true do
-    visit '/'
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
+    visit "/"
     # TODO: is there a way to get this without visiting root first?
     base_url = current_url
 
     login @normal_user
 
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
+      hackety_file = File.join(dir, "form.on.bad.guy.site.html")
       post_url = "#{base_url}schedule.json"
-      File.open(hackety_file, 'w') do |f|
+      File.open(hackety_file, "w") do |f|
         f.print <<-HTML
         <html>
           <body>
@@ -34,12 +35,12 @@ feature 'csrf' do
       end
 
       page.driver.visit "file://#{hackety_file}"
-      within('#submit_me') do
-        click_on 'Submit request'
+      within("#submit_me") do
+        click_on "Submit request"
       end
     end
 
     pending if verifying_fixed?
-    expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq('Bad Guy')
+    expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq("Bad Guy")
   end
 end

spec/vulnerabilities/insecure_dor_spec.rb

@@ -1,32 +1,33 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'insecure direct object reference' do
+feature "insecure direct object reference" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'attack one' do
+  scenario "attack one" do
     login(@normal_user)
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
-    download_url = first('.widget-body a')[:href]
-    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
+    download_url = first(".widget-body a")[:href]
+    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 
     pending if verifying_fixed?
 
     expect(page.status_code).to eq(200)
-    expect(page.response_headers['Content-Disposition']).to include('database.yml')
-    expect(page.response_headers['Content-Length']).to eq('710')
+    expect(page.response_headers["Content-Disposition"]).to include("database.yml")
+    expect(page.response_headers["Content-Length"]).to eq("710")
   end
 
   scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
     login(@normal_user)
 
     expect(@normal_user.user_id).not_to eq(2)
-    visit '/users/2/work_info'
+    visit "/users/2/work_info"
 
     pending if verifying_fixed?
-    expect(first('td').text).to eq('Joseph Mastey')
+    expect(first("td").text).to eq("Joseph Mastey")
   end
 end

spec/vulnerabilities/mass_assignment_spec.rb

@@ -1,37 +1,38 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'mass assignment' do
+feature "mass assignment" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'attack one' do
+  scenario "attack one" do
     expect(@normal_user.admin).to be_falsey
 
     login(@normal_user)
 
-    params = {:user => {:admin => 't',
-                        :user_id => @normal_user.user_id,
-                        :password => @normal_user.clear_password,
-                        :password_confirmation => @normal_user.clear_password}}
+    params = {user: {admin: "t",
+                        user_id: @normal_user.user_id,
+                        password: @normal_user.clear_password,
+                        password_confirmation: @normal_user.clear_password}}
     page.driver.put "/users/#{@normal_user.user_id}.json", params
 
     pending if verifying_fixed?
     expect(@normal_user.reload.admin).to be_truthy
   end
 
-  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
-    params = {:user => {:admin => 't',
-                        :email => 'hackety@h4x0rs.c0m',
-                        :first_name => 'hackety',
-                        :last_name => 'hax',
-                        :password => 'foobarewe',
-                        :password_confirmation => 'foobarewe'}}
-    page.driver.post '/users', params
+  scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
+    params = {user: {admin: "t",
+                        email: "hackety@h4x0rs.c0m",
+                        first_name: "hackety",
+                        last_name: "hax",
+                        password: "foobarewe",
+                        password_confirmation: "foobarewe"}}
+    page.driver.post "/users", params
 
     pending if verifying_fixed?
-    expect(User.last.email).to eq('hackety@h4x0rs.c0m')
+    expect(User.last.email).to eq("hackety@h4x0rs.c0m")
     expect(User.last.admin).to be_truthy
   end
 end

spec/vulnerabilities/password_complexity_spec.rb

@@ -1,22 +1,23 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'password complexity' do
+feature "password complexity" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
   scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity" do
-    visit '/signup'
-    within('.signup') do
-      fill_in 'user_email', :with => @normal_user.email + 'not'
-      fill_in 'user_first_name', :with => @normal_user.first_name
-      fill_in 'user_last_name', :with => @normal_user.last_name + 'not'
-      fill_in 'user_password', :with => 'password'
-      fill_in 'user_password_confirmation', :with => 'password'
+    visit "/signup"
+    within(".signup") do
+      fill_in "user_email", with: @normal_user.email + "not"
+      fill_in "user_first_name", with: @normal_user.first_name
+      fill_in "user_last_name", with: @normal_user.last_name + "not"
+      fill_in "user_password", with: "password"
+      fill_in "user_password_confirmation", with: "password"
     end
-    click_on 'Submit'
+    click_on "Submit"
     pending if verifying_fixed?
-    expect(current_path).to eq('/dashboard/home')
+    expect(current_path).to eq("/dashboard/home")
   end
 end

spec/vulnerabilities/password_hashing_spec.rb

@@ -1,13 +1,14 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'improper password hashing' do
+feature "improper password hashing" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
   scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
-    new_pass = 'testPassw0rd!'
+    new_pass = "testPassw0rd!"
     @normal_user.password = new_pass
     @normal_user.password_confirmation = new_pass
     @normal_user.save

spec/vulnerabilities/sensitive_data_exposure.rb

@@ -1,10 +1,11 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'sensitive data exposure' do
+feature "sensitive data exposure" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
-    @normal_user.work_info.update_attribute(:SSN, '999-99-9999')
+    @normal_user.work_info.update_attribute(:SSN, "999-99-9999")
   end
 
   # this won't work with javascript_driver, as it'll apply the javascript
@@ -14,6 +15,6 @@ feature 'sensitive data exposure' do
 
     visit "/users/#{@normal_user.user_id}/work_info"
     pending if verifying_fixed?
-    expect(page.source).to include '999-99-9999'
+    expect(page.source).to include "999-99-9999"
   end
 end

spec/vulnerabilities/sql_injection_spec.rb

@@ -1,6 +1,7 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'sql injection' do
+feature "sql injection" do
   before(:each) do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
@@ -13,19 +14,19 @@ feature 'sql injection' do
     login(@normal_user)
 
     visit "/users/#{@normal_user.user_id}/account_settings"
-    within('#account_edit') do
-      fill_in 'Email', :with => 'joe.admin@schmoe.com'
-      fill_in 'user_password', :with => 'H4cketyhack'
-      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
+    within("#account_edit") do
+      fill_in "Email", with: "joe.admin@schmoe.com"
+      fill_in "user_password", with: "H4cketyhack"
+      fill_in "user_password_confirmation", with: "H4cketyhack"
 
       # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
     end
-    click_on 'Submit'
+    click_on "Submit"
 
     pending if verifying_fixed?
     @admin_user = User.where("admin='t'").first
-    expect(@admin_user.email).to eq('joe.admin@schmoe.com')
+    expect(@admin_user.email).to eq("joe.admin@schmoe.com")
     expect(@admin_user.admin).to eq(true)
   end
 
@@ -35,8 +36,8 @@ feature 'sql injection' do
 
     visit "/admin/1/analytics"
 
-    within('#analytics_search') do
-      fill_in 'ip', :with => '::1'
+    within("#analytics_search") do
+      fill_in "ip", with: "::1"
       check "field_user_agent"
       payload = "(select group_concat(password) from users where admin='t')"
 

spec/vulnerabilities/unvalidated_redirects_spec.rb

@@ -1,21 +1,22 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'unvalidated redirect' do
+feature "unvalidated redirect" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", :js => true do
-    visit '/?url=http://example.com/do/evil/things'
-    within('.signup') do
-      fill_in 'email', :with => @normal_user.email
-      fill_in 'password', :with => @normal_user.clear_password
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
+    visit "/?url=http://example.com/do/evil/things"
+    within(".signup") do
+      fill_in "email", with: @normal_user.email
+      fill_in "password", with: @normal_user.clear_password
     end
-    within('.actions') do
-      click_on 'Login'
+    within(".actions") do
+      click_on "Login"
     end
     pending if verifying_fixed?
-    expect(current_url).to eq('http://example.com/do/evil/things')
+    expect(current_url).to eq("http://example.com/do/evil/things")
   end
 end

spec/vulnerabilities/url_access_spec.rb

@@ -1,16 +1,17 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'url access' do
+feature "url access" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", js: true do
     login @normal_user
 
-    visit '/admin/1/dashboard'
+    visit "/admin/1/dashboard"
     pending if verifying_fixed?
-    expect(current_path).to eq('/admin/1/dashboard')
+    expect(current_path).to eq("/admin/1/dashboard")
   end
 end

spec/vulnerabilities/xss_spec.rb

@@ -1,30 +1,31 @@
-require 'spec_helper'
+# frozen_string_literal: true
+require "spec_helper"
 
-feature 'xss' do
+feature "xss" do
   before do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
     login @normal_user
 
     visit "/users/#{@normal_user.user_id}/account_settings"
-    within('#account_edit') do
-      fill_in 'First name', :with => "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
+    within("#account_edit") do
+      fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
 
       # password gets screwed up if you don't re-submit - need to fix
-      fill_in 'user_password', :with => @normal_user.clear_password
-      fill_in 'user_password_confirmation', :with => @normal_user.clear_password
+      fill_in "user_password", with: @normal_user.clear_password
+      fill_in "user_password_confirmation", with: @normal_user.clear_password
     end
-    click_on 'Submit'
+    click_on "Submit"
 
     sleep(1)
 
     visit "/users/#{@normal_user.user_id}/account_settings"
 
     pending if verifying_fixed?
-    expect(find('#submit_button').value).to eq('RailsGoat h4x0r3d')
+    expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")
 
     # might be nice to demonstrate posting cookie contents or somesuch, but
     # this at least shows the vulnerability still exists.