team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #372 from rifkinni/clean_up_specs

Browse Source 
Clean up specs
This commit is contained in:
Ken Johnson
2020-03-19 12:43:49 -04:00
committed by GitHub
parent 415c771da2 5191409db6
commit ce7482aec6
5 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spec/vulnerabilities/csrf_spec.rb
+1 -1
View File
@@ -10,7 +10,7 @@ feature "csrf" do
pending unless verifying_fixed? pending unless verifying_fixed?
end end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
visit "/" visit "/"
# TODO: is there a way to get this without visiting root first? # TODO: is there a way to get this without visiting root first?
base_url = current_url base_url = current_url
spec/vulnerabilities/insecure_dor_spec.rb
+5 -3
View File
@@ -18,15 +18,17 @@ feature "insecure direct object reference" do
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&") visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
expect(page.status_code).not_to eq(200) expect(page.status_code).not_to eq(200)
expect(page.response_headers["Content-Disposition"]).not_to include("database.yml") expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
end end
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
login(normal_user)
expect(normal_user.id).not_to eq(another_user.id) expect(normal_user.id).not_to eq(another_user.id)
visit "/users/#{another_user.id}/work_info" visit "/users/#{another_user.id}/work_info"
expect(first("td").text).not_to include(another_user.name) expect(first("td").text).not_to include(another_user.full_name)
expect(first("td").text).to include(normal_user.name) expect(first("td").text).to include(normal_user.full_name)
end end
end end
spec/vulnerabilities/mass_assignment_spec.rb
+2 -2
View File
@@ -23,7 +23,7 @@ feature "mass assignment" do
expect(normal_user.reload.admin).to be_falsy expect(normal_user.reload.admin).to be_falsy
end end
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
params = { user: { admin: "t", params = { user: { admin: "t",
email: "hackety@h4x0rs.c0m", email: "hackety@h4x0rs.c0m",
first_name: "hackety", first_name: "hackety",
@@ -33,6 +33,6 @@ feature "mass assignment" do
page.driver.post "/users", params page.driver.post "/users", params
expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
end end
end end
spec/vulnerabilities/unvalidated_redirects_spec.rb
+2 -1
View File
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
click_on "Login" click_on "Login"
end end
expect(current_url).to eq("/dashboard/home") expect(current_url).to start_with("http://127.0.0.1")
expect(current_path).to eq("/dashboard/home")
end end
end end
spec/vulnerabilities/url_access_spec.rb
+1 -1
View File
@@ -15,6 +15,6 @@ feature "url access" do
visit "/admin/1/dashboard" visit "/admin/1/dashboard"
expect(current_path).to eq("/") expect(current_path).to eq("/dashboard/home")
end end
end end