team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(rubocop): giganto rubocop commit.

Browse Source 
muahahahah
This commit is contained in:
Joseph Mastey
2017-12-05 18:46:21 -06:00
parent 284cd8811c
commit 9902345291
120 changed files with 743 additions and 635 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spec/vulnerabilities/mass_assignment_spec.rb
+17 -16
View File
@@ -1,37 +1,38 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'mass assignment' do
feature "mass assignment" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario 'attack one' do
scenario "attack one" do
expect(@normal_user.admin).to be_falsey
login(@normal_user)
params = {:user => {:admin => 't',
:user_id => @normal_user.user_id,
:password => @normal_user.clear_password,
:password_confirmation => @normal_user.clear_password}}
params = {user: {admin: "t",
user_id: @normal_user.user_id,
password: @normal_user.clear_password,
password_confirmation: @normal_user.clear_password}}
page.driver.put "/users/#{@normal_user.user_id}.json", params
pending if verifying_fixed?
expect(@normal_user.reload.admin).to be_truthy
end
scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
params = {:user => {:admin => 't',
:email => 'hackety@h4x0rs.c0m',
:first_name => 'hackety',
:last_name => 'hax',
:password => 'foobarewe',
:password_confirmation => 'foobarewe'}}
page.driver.post '/users', params
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
params = {user: {admin: "t",
email: "hackety@h4x0rs.c0m",
first_name: "hackety",
last_name: "hax",
password: "foobarewe",
password_confirmation: "foobarewe"}}
page.driver.post "/users", params
pending if verifying_fixed?
expect(User.last.email).to eq('hackety@h4x0rs.c0m')
expect(User.last.email).to eq("hackety@h4x0rs.c0m")
expect(User.last.admin).to be_truthy
end
end