removes user_id column from User model to use idiomatic Rails automatic IDs

spec/vulnerabilities/command_injection_spec.rb

@@ -14,7 +14,7 @@ feature "command injection" do
     legit_file = File.join(Rails.root, "public", "data", "legit.txt")
     File.open(legit_file, "w") { |f| f.puts "totes legit" }
 
-    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    visit "/users/#{@normal_user.id}/benefit_forms"
     Dir.mktmpdir do |dir|
       hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
       File.open(hackety_file, "w") { |f| f.print "mwahaha" }

spec/vulnerabilities/insecure_dor_spec.rb

@@ -10,9 +10,9 @@ feature "insecure direct object reference" do
   scenario "attack one" do
     login(@normal_user)
 
-    visit "/users/#{@normal_user.user_id}/benefit_forms"
-    download_url = first(".widget-body a")[:href]
-    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
+    visit "/users/#{@normal_user.id}/benefit_forms"
+    download_url = first('.widget-body a')[:href]
+    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
 
     pending if verifying_fixed?
 
@@ -24,8 +24,8 @@ feature "insecure direct object reference" do
   scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
     login(@normal_user)
 
-    expect(@normal_user.user_id).not_to eq(2)
-    visit "/users/2/work_info"
+    expect(@normal_user.id).not_to eq(2)
+    visit '/users/2/work_info'
 
     pending if verifying_fixed?
     expect(first("td").text).to eq("Joseph Mastey")

spec/vulnerabilities/mass_assignment_spec.rb

@@ -13,10 +13,10 @@ feature "mass assignment" do
     login(@normal_user)
 
     params = {user: {admin: "t",
-                        user_id: @normal_user.user_id,
+                        user_id: @normal_user.id,
                         password: @normal_user.clear_password,
                         password_confirmation: @normal_user.clear_password}}
-    page.driver.put "/users/#{@normal_user.user_id}.json", params
+    page.driver.put "/users/#{@normal_user.id}.json", params
 
     pending if verifying_fixed?
     expect(@normal_user.reload.admin).to be_truthy

spec/vulnerabilities/sensitive_data_exposure.rb

@@ -13,7 +13,7 @@ feature "sensitive data exposure" do
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
     login @normal_user
 
-    visit "/users/#{@normal_user.user_id}/work_info"
+    visit "/users/#{@normal_user.id}/work_info"
     pending if verifying_fixed?
     expect(page.source).to include "999-99-9999"
   end

spec/vulnerabilities/sql_injection_spec.rb

@@ -4,8 +4,9 @@ require "spec_helper"
 feature "sql injection" do
   before(:each) do
     UserFixture.reset_all_users
+
     @normal_user = UserFixture.normal_user
-    @admin_user = User.where("admin='t'").first
+    @admin_user = UserFixture.admin_user
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
@@ -13,14 +14,15 @@ feature "sql injection" do
 
     login(@normal_user)
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
-    within("#account_edit") do
-      fill_in "Email", with: "joe.admin@schmoe.com"
-      fill_in "user_password", with: "H4cketyhack"
-      fill_in "user_password_confirmation", with: "H4cketyhack"
+    visit "/users/#{@normal_user.id}/account_settings"
+
+    within('#account_edit') do
+      fill_in 'Email', :with => 'joe.admin@schmoe.com'
+      fill_in 'user_password', :with => 'H4cketyhack'
+      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 
       # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", :visible => false).set "8' OR admin='t') --"
     end
     click_on "Submit"
 

spec/vulnerabilities/unvalidated_redirects_spec.rb

@@ -7,15 +7,17 @@ feature "unvalidated redirect" do
     @normal_user = UserFixture.normal_user
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
-    visit "/?url=http://example.com/do/evil/things"
-    within(".signup") do
-      fill_in "email", with: @normal_user.email
-      fill_in "password", with: @normal_user.clear_password
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", :js => true do
+    visit '/?url=http://example.com/do/evil/things'
+
+    within('.signup') do
+      fill_in 'email', with: @normal_user.email
+      fill_in 'password', with: @normal_user.clear_password
     end
     within(".actions") do
       click_on "Login"
     end
+
     pending if verifying_fixed?
     expect(current_url).to eq("http://example.com/do/evil/things")
   end

spec/vulnerabilities/xss_spec.rb

@@ -10,9 +10,9 @@ feature "xss" do
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
     login @normal_user
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
-    within("#account_edit") do
-      fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
+    visit "/users/#{@normal_user.id}/account_settings"
+    within('#account_edit') do
+      fill_in 'First name', :with => "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
 
       # password gets screwed up if you don't re-submit - need to fix
       fill_in "user_password", with: @normal_user.clear_password
@@ -22,7 +22,7 @@ feature "xss" do
 
     sleep(1)
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
+    visit "/users/#{@normal_user.id}/account_settings"
 
     pending if verifying_fixed?
     expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")