appease our new robot overlords.

(I voted for Krang)
2017-12-12 21:00:45 -06:00
parent 4587a5ff67
commit bb863f5156
9 changed files with 34 additions and 32 deletions
@@ -36,7 +36,7 @@ class UsersController < ApplicationController
      message = true if user.save!
      respond_to do |format|
        format.html { redirect_to user_account_settings_path(user_id: current_user.id) }
-        format.json { render :json => {:msg => message ? "success" : "false "} }
+        format.json { render json: {msg: message ? "success" : "false "} }
      end
    else
      flash[:error] = "Could not update user!"
@@ -10,7 +10,7 @@ class User < ApplicationRecord

  validates_presence_of :email
  validates_uniqueness_of :email
-  validates_format_of :email, :with => /.+@.+\..+/i
+  validates_format_of :email, with: /.+@.+\..+/i

  has_one :retirement, dependent: :destroy
  has_one :paid_time_off, dependent: :destroy
@@ -57,9 +57,10 @@ class User < ApplicationRecord
  end

  def generate_token(column)
-    begin
+    loop do
      self[column] = Encryption.encrypt_sensitive_value(self.id)
-    end while User.exists?(column => self[column])
+      break unless User.exists?(column => self[column])
+    end

    self.save!
  end
@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 class RemoveUsersUserId < ActiveRecord::Migration[5.1]
  def change
    remove_column :users, :user_id, :integer
@@ -14,12 +14,12 @@ users = [
  },

  {
-    :email => "jmmastey@metacorp.com",
-    :admin => false,
-    :password => "railsgoat!",
-    :password_confirmation => "railsgoat!",
-    :first_name => "Joseph",
-    :last_name => "Mastey",
+    email: "jmmastey@metacorp.com",
+    admin: false,
+    password: "railsgoat!",
+    password_confirmation: "railsgoat!",
+    first_name: "Joseph",
+    last_name: "Mastey",
  },

  {
@@ -252,25 +252,25 @@ messages = [
  {
    creator: "ken@metacorp.com",
    receiver: "jack@metacorp.com",
-    message: 'Your benefits have been updated.',
+    message: "Your benefits have been updated.",
    read: false
  },
  {
    creator: "mike@metacorp.com",
    receiver: "jim@metacorp.com",
-    message: 'Please update your profile.',
+    message: "Please update your profile.",
    read: false
  },
  {
    creator: "jim@metacorp.com",
    receiver: "mike@metacorp.com",
-    message: 'Welcome to Railsgoat.',
+    message: "Welcome to Railsgoat.",
    read: false
  },
  {
    creator: "jack@metacorp.com",
    receiver: "ken@metacorp.com",
-    message: 'Hello friend.',
+    message: "Hello friend.",
    read: false
  }
 ]
@@ -6,11 +6,11 @@ class UserFixture
  end

  def self.normal_user
-    password = 'thi$ 1s cOmplExEr'
-    User.create!(first_name: 'Joe', last_name: 'Schmoe', email: 'joe@schmoe.com',
+    password = "thi$ 1s cOmplExEr"
+    User.create!(first_name: "Joe", last_name: "Schmoe", email: "joe@schmoe.com",
                 password: password, password_confirmation: password).tap do |user|
      def user.clear_password
-        'thi$ 1s cOmplExEr'
+        "thi$ 1s cOmplExEr"
      end
    end
  end
@@ -11,8 +11,8 @@ feature "insecure direct object reference" do
    login(@normal_user)

    visit "/users/#{@normal_user.id}/benefit_forms"
-    download_url = first('.widget-body a')[:href]
-    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
+    download_url = first(".widget-body a")[:href]
+    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")

    pending if verifying_fixed?

@@ -29,6 +29,6 @@ feature "insecure direct object reference" do
    visit "/users/#{another_user.id}/work_info"

    pending if verifying_fixed?
-    expect(first('td').text).to eq(another_user.full_name)
+    expect(first("td").text).to eq(another_user.full_name)
  end
 end
@@ -16,13 +16,13 @@ feature "sql injection" do

    visit "/users/#{@normal_user.id}/account_settings"

-    within('#account_edit') do
-      fill_in 'Email', :with => 'joe.admin@schmoe.com'
-      fill_in 'user_password', :with => 'H4cketyhack'
-      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
+    within("#account_edit") do
+      fill_in "Email", with: "joe.admin@schmoe.com"
+      fill_in "user_password", with: "H4cketyhack"
+      fill_in "user_password_confirmation", with: "H4cketyhack"

      # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_id']", :visible => false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
    end
    click_on "Submit"

@@ -7,12 +7,12 @@ feature "unvalidated redirect" do
    @normal_user = UserFixture.normal_user
  end

-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", :js => true do
-    visit '/?url=http://example.com/do/evil/things'
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
+    visit "/?url=http://example.com/do/evil/things"

-    within('.signup') do
-      fill_in 'email', with: @normal_user.email
-      fill_in 'password', with: @normal_user.clear_password
+    within(".signup") do
+      fill_in "email", with: @normal_user.email
+      fill_in "password", with: @normal_user.clear_password
    end
    within(".actions") do
      click_on "Login"
@@ -11,8 +11,8 @@ feature "xss" do
    login @normal_user

    visit "/users/#{@normal_user.id}/account_settings"
-    within('#account_edit') do
-      fill_in 'First name', :with => "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
+    within("#account_edit") do
+      fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"

      # password gets screwed up if you don't re-submit - need to fix
      fill_in "user_password", with: @normal_user.clear_password