From b934194ffe8e5dd27f25b57e9071ecc405dedc86 Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Mon, 18 Sep 2017 12:58:26 -0500
Subject: [PATCH] bug(passwords): fix situations where better password rules inadvertently break tests

* use bang version of save methods in the seeds file, so that when you fix validation, it will at least explode, rather than silently failing to create users
* fix two tests where passwords are hardcoded so that they use stronger passwords, since password complexity is not the important bit of either of those tests.

---
 db/seeds.rb | 14 +++++++-------
 spec/vulnerabilities/password_hashing_spec.rb | 2 +-
 spec/vulnerabilities/sql_injection_spec.rb | 6 +++---
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/db/seeds.rb b/db/seeds.rb
index 9aed4d5..1da1499 100755
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -267,43 +267,43 @@ paid_time_off = [
 users.each do |user_info|
 user = User.new(user_info.reject {|k| k == :user_id })
 user.user_id = user_info[:user_id]
- user.save
+ user.save!
 end
 retirements.each do |r|
 ret = Retirement.new(r.reject {|k| k == :user_id})
 ret.user_id = r[:user_id]
- ret.save
+ ret.save!
 end
 paid_time_off.each do |pto|
 ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id})
 ptoff.user_id = pto[:user_id]
- ptoff.save
+ ptoff.save!
 end
 schedule.each do |event|
 sched = Schedule.new(event.reject {|k| k == :user_id})
 sched.user_id = event[:user_id]
- sched.save
+ sched.save!
 end
 performance.each do |perf|
 p = Performance.new(perf.reject {|k| k == :user_id})
 p.user_id = perf[:user_id]
- p.save
+ p.save!
 end
 messages.each do |message|
 m = Message.new(message.reject {|k| k == :creator_id})
 m.creator_id = message[:creator_id]
- m.save
+ m.save!
 end
 work_info.each do |wi|
 info = WorkInfo.new(wi.reject {|k| k == :user_id } )
 info.user_id = wi[:user_id]
- info.save
+ info.save!
 end
diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb
index 19f7b6f..ee54232 100644
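Review bot: With every `save` in the db/seeds.rb hunk now `save!`, the first validation failure raises `ActiveRecord::RecordInvalid` part-way through the seven loops and, unless these loops are wrapped in a transaction somewhere outside the hunk, leaves the rows written by the earlier loops behind; wrapping the block in `ActiveRecord::Base.transaction do … end` would make a failed seed leave no partial state. The first loop builds each `User` by mass-assigning the seed hash minus `:user_id`, so the seed passwords defined above this hunk presumably now have to satisfy the stronger password rules the commit message mentions or seeding aborts at the first user; a comment above `users.each` such as `# Seed records must pass model validations: save! aborts the whole seed run on the first failure.` would make that intent explicit. The `users`, `retirements` and other arrays iterated here are defined before the hunk.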
--- a/spec/vulnerabilities/password_hashing_spec.rb
+++ b/spec/vulnerabilities/password_hashing_spec.rb
@@ -7,7 +7,7 @@ feature 'improper password hashing' do
 end
 scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
- new_pass = 'testpassword'
+ new_pass = 'testPassw0rd!'
 @normal_user.password = new_pass
 @normal_user.password_confirmation = new_pass
 @normal_user.save
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index a963a56..b8b95b6 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -7,7 +7,7 @@ feature 'sql injection' do
 @admin_user = User.where("admin='t'").first
 end
- scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
+ scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
 expect(@admin_user.admin).to be_truthy
 login(@normal_user)
@@ -15,8 +15,8 @@ feature 'sql injection' do
 visit "/users/#{@normal_user.user_id}/account_settings"
 within('#account_edit') do
 fill_in 'Email', :with => 'joe.admin@schmoe.com'
- fill_in 'user_password', :with => 'hacketyhack'
- fill_in 'user_password_confirmation', :with => 'hacketyhack'
+ fill_in 'user_password', :with => 'H4cketyhack'
+ fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 # this is a hidden field, so cannot use fill_in to access it.
 find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
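Review bot: `@normal_user.save` on the last line of the password_hashing_spec.rb hunk is still the non-bang form, so if `'testPassw0rd!'` ever fails the stronger validations the scenario silently continues against the unchanged stored hash and whatever assertion follows (outside the hunk) checks the wrong state — the same silent-failure mode the commit message fixes in db/seeds.rb. Changing that line to `expect(@normal_user.save).to be true` (or `@normal_user.save!`) reports the broken precondition at the line that caused it. The scenario body continues past the end of the hunk.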