Merge pull request #269 from jasnow/master

Upgraded to Ruby 2.4.2 plus misc gems

.ruby-version

@@ -1 +1 @@
-2.3.5
+2.4.2

.travis.yml

@@ -1,6 +1,6 @@
 language: ruby
 rvm:
-  - "2.3.5"
+  - "2.4.2"
 
 before_install:
   - "phantomjs --version"

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.3.5
+FROM ruby:2.4.2
 RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
 RUN mkdir /myapp
 WORKDIR /myapp

Gemfile

@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 #don't upgrade
 gem 'rails', '5.1.4'
 
-ruby '2.3.5'
+ruby '2.4.2'
 
 gem 'rake'
 gem 'rails-perftest'

Gemfile.lock

@@ -55,7 +55,7 @@ GEM
       rack (>= 0.9.0)
     binding_of_caller (0.7.2)
       debug_inspector (>= 0.0.1)
-    brakeman (3.7.2)
+    brakeman (4.0.1)
     builder (3.2.3)
     bundler-audit (0.6.0)
       bundler (~> 1.2)
@@ -81,6 +81,7 @@ GEM
     concurrent-ruby (1.0.5)
     contracts (0.16.0)
     crack (0.3.1)
+    crass (1.0.2)
     cucumber (2.4.0)
       builder (>= 2.1.2)
       cucumber-core (~> 1.5.0)
@@ -153,7 +154,8 @@ GEM
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    loofah (2.0.3)
+    loofah (2.1.1)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.12)
     mail (2.6.6)
@@ -163,15 +165,15 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
     mini_mime (0.1.4)
-    mini_portile2 (2.2.0)
+    mini_portile2 (2.3.0)
     minitest (5.10.3)
     multi_json (1.12.2)
     multi_test (0.1.2)
     mysql2 (0.4.9)
     nenv (0.3.0)
     nio4r (2.1.0)
-    nokogiri (1.8.0)
+    nokogiri (1.8.1)
-      mini_portile2 (~> 2.2.0)
+      mini_portile2 (~> 2.3.0)
     notiffany (0.1.1)
       nenv (~> 0.1)
       shellany (~> 0.0)
@@ -182,10 +184,9 @@ GEM
     powder (0.3.2)
       thor (>= 0.11.5)
     power_assert (1.1.0)
-    pry (0.10.4)
+    pry (0.11.0)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
-      slop (~> 3.4)
     pry-rails (0.3.6)
       pry (>= 0.10.4)
     public_suffix (3.0.0)
@@ -267,7 +268,6 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    slop (3.6.0)
     sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -276,7 +276,7 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
-    test-unit (3.2.5)
+    test-unit (3.2.6)
       power_assert
     therubyracer (0.12.3)
       libv8 (~> 3.16.14.15)
@@ -350,7 +350,7 @@ DEPENDENCIES
   unicorn
 
 RUBY VERSION
-   ruby 2.3.5p376
+   ruby 2.4.2p198
 
 BUNDLED WITH
-   1.16.0.pre.2
+   1.15.4

README.md

@@ -11,7 +11,7 @@ If you are looking for support or troubleshooting assistance, please visit our [
 To begin, install the Ruby Version Manager (RVM):
 
 ```bash
-$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.3.5
+$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.4.2
 ```
 
 After installing the package, clone this repo:

app/models/work_info.rb

@@ -9,18 +9,18 @@ class WorkInfo < ApplicationRecord
   end
 
   def encrypt_ssn
-    aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+    aes = OpenSSL::Cipher.new(cipher_type)
     aes.encrypt
-    aes.key = key
+    aes.key = key[0..31]
     aes.iv = iv if iv != nil
     self.encrypted_ssn = aes.update(self.SSN) + aes.final
     self.SSN = nil
   end
 
   def decrypt_ssn
-    aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+    aes = OpenSSL::Cipher.new(cipher_type)
     aes.decrypt
-    aes.key = key
+    aes.key = key[0..31]
     aes.iv = iv if iv != nil
     aes.update(self.encrypted_ssn) + aes.final
   end

lib/encryption.rb

@@ -2,19 +2,19 @@ module Encryption
 
   # Added a re-usable encryption routine, shouldn't be an issue!
   def self.encrypt_sensitive_value(val="")
-     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes = OpenSSL::Cipher.new(cipher_type)
      aes.encrypt
-     aes.key = key
+     aes.key = key[0..31]
-     aes.iv = iv if iv != nil
+     aes.iv = iv[0..15] if iv != nil
      new_val = aes.update("#{val}") + aes.final
      Base64.strict_encode64(new_val).encode('utf-8')
   end
 
   def self.decrypt_sensitive_value(val="")
-     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+     aes = OpenSSL::Cipher.new(cipher_type)
      aes.decrypt
-     aes.key = key
+     aes.key = key[0..31]
-     aes.iv = iv if iv != nil
+     aes.iv = iv[0.15] if iv != nil
      decoded = Base64.strict_decode64("#{val}")
      aes.update("#{decoded}") + aes.final
   end

r

@@ -0,0 +1,393 @@
+
+Randomized with seed 33309
+FFFFFFFFFFFFFFFFFFFFF
+
+Failures:
+
+  1) improper password hashing with just md5
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  2) command injection attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in <top (required)>'
+
+  3) csrf attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in <top (required)>'
+
+  4) url access attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  5) broken_auth one
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  6) broken_auth two
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  7) xss attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  8) insecure direct object reference attack one
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  9) insecure direct object reference attack two
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
+     Failure/Error: aes.iv = iv if iv != nil
+
+     ArgumentError:
+       iv must be 16 bytes
+     # ./lib/encryption.rb:8:in `iv='
+     # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+     # ./app/models/user.rb:82:in `generate_token'
+     # ./app/models/user.rb:23:in `block in <class:User>'
+     # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+     # ./db/seeds.rb:270:in `block in <top (required)>'
+     # ./db/seeds.rb:267:in `each'
+     # ./db/seeds.rb:267:in `<top (required)>'
+     # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+     # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  10) sql injection attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  11) User can be instantiated
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  12) User name can be updated
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  13) mass assignment attack one
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  15) password complexity one
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  16) User can be instantiated
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  17) User should require a email
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  18) User should require valid email
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  19) User should require unique email
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  20) User name can be updated
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+  21) unvalidated redirect attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
+      Failure/Error: aes.iv = iv if iv != nil
+
+      ArgumentError:
+        iv must be 16 bytes
+      # ./lib/encryption.rb:8:in `iv='
+      # ./lib/encryption.rb:8:in `encrypt_sensitive_value'
+      # ./app/models/user.rb:82:in `generate_token'
+      # ./app/models/user.rb:23:in `block in <class:User>'
+      # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
+      # ./db/seeds.rb:270:in `block in <top (required)>'
+      # ./db/seeds.rb:267:in `each'
+      # ./db/seeds.rb:267:in `<top (required)>'
+      # ./spec/support/user_fixture.rb:4:in `reset_all_users'
+      # ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in <top (required)>'
+
+Finished in 0.2747 seconds (files took 2.04 seconds to load)
+21 examples, 21 failures
+
+Failed examples:
+
+rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
+rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
+rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
+rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
+rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
+rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
+rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
+rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one
+rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
+rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
+rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated
+rspec ./spec/models/benefits_spec.rb:17 # User name can be updated
+rspec ./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one
+rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
+rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
+rspec ./spec/models/user_spec.rb:13 # User can be instantiated
+rspec ./spec/models/user_spec.rb:17 # User should require a email
+rspec ./spec/models/user_spec.rb:21 # User should require valid email
+rspec ./spec/models/user_spec.rb:25 # User should require unique email
+rspec ./spec/models/user_spec.rb:30 # User name can be updated
+rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack
+Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
+
+Randomized with seed 33309
+