From 0d15dd0a6c196245075242e495181d7371014688 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Mon, 7 Oct 2013 13:35:39 -0400 Subject: [PATCH 1/6] pinning dbcleaner to lower version due to https://github.com/bmabey/database_cleaner/issues/224 --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index b175ad7..2d11b1e 100755 --- a/Gemfile +++ b/Gemfile @@ -26,7 +26,7 @@ gem 'gauntlt' group :development, :test do gem 'capybara' - gem 'database_cleaner' + gem 'database_cleaner', '< 1.1.0' gem 'poltergeist' gem 'rspec-rails' end diff --git a/Gemfile.lock b/Gemfile.lock index dc27f3d..7630c7b 100755 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,7 +70,7 @@ GEM diff-lcs (>= 1.1.3) gherkin (~> 2.12.0) multi_json (~> 1.3) - database_cleaner (1.1.1) + database_cleaner (1.0.1) diff-lcs (1.2.4) em-websocket (0.5.0) eventmachine (>= 0.12.9) @@ -248,7 +248,7 @@ DEPENDENCIES bundler-audit capybara coffee-rails (~> 3.2.1) - database_cleaner + database_cleaner (< 1.1.0) execjs foreman gauntlt From d0d5165c6cb774e0fd6fcb3abf05a2a1fa4a7b88 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Mon, 7 Oct 2013 13:46:55 -0400 Subject: [PATCH 2/6] adding env variable to run vulnerability tests --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8c734ac..4ae7691 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,5 @@ language: ruby rvm: - "1.9.3" -before_script: rake db:migrate +before_script: rake db:setup +env: RAILSGOAT_MAINTAINER=true \ No newline at end of file From d9eadddfe3234012f8ee40743046ee3c1b0fbfff Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Mon, 7 Oct 2013 13:47:33 -0400 Subject: [PATCH 3/6] adding flash message with validation errors, and redirect to sign_up --- app/controllers/users_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
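Review bot: The effect of `RAILSGOAT_MAINTAINER=true` is stated nowhere in .travis.yml, yet it presumably changes what the vulnerability specs assert (the spec added later in this series gates its assertion on `verifying_fixed?`, which is defined outside the patch). A one-line comment above the new key would save the next maintainer a grep: `# RAILSGOAT_MAINTAINER: switches the spec/features/vulnerabilities specs into "verify the fix" mode — see verifying_fixed? in the spec helpers`. Whether the flag belongs on every CI build depends on what that helper does when the variable is set, which I cannot tell from this hunk; the comment should say so explicitly. The file is also left without a trailing newline (`\ No newline at end of file`).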
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index ce51404..535045e 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -15,7 +15,8 @@ class UsersController < ApplicationController redirect_to home_dashboard_index_path else @user = user - render :new + flash[:error] = user.errors.full_messages.to_sentence + redirect_to :sign_up end end From 82e40fe581a4045c33950656a57073fab3aee452 Mon Sep 17 00:00:00 2001 From: mccabe615 Date: Mon, 7 Oct 2013 14:05:27 -0400 Subject: [PATCH 4/6] Update README.md --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0740350..805a782 100755 --- a/README.md +++ b/README.md @@ -5,13 +5,11 @@ cd railsgoat - rvm use 1.9.3@railsgoat --create + rvm use 1.9.3@railsgoat --create # https://rvm.io/ bundle - rake db:create - - rake db:migrate + rake db:setup rails s @@ -33,6 +31,7 @@ Then proceed with browsing the site as normal :thumbsup: ### Build Info ### [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) +[![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat) ### License Stuff ### From 0b5be6d55e02f6ccf8f04e9660a0aa1793a63095 Mon Sep 17 00:00:00 2001 From: mccabe615 Date: Mon, 7 Oct 2013 14:05:50 -0400 Subject: [PATCH 5/6] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 805a782..0bf210f 100755 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ Then proceed with browsing the site as normal :thumbsup: ### Build Info ### [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) + [![Build Status](https://travis-ci.org/mccabe615/railsgoat.png?branch=master)](https://travis-ci.org/mccabe615/railsgoat) ### License Stuff ### 
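Review bot: With `redirect_to :sign_up` replacing `render :new`, the `@user = user` assignment on the line above becomes dead — instance variables do not survive a redirect, so the signup form can no longer be repopulated from the failed attempt; either drop that line or keep `render :new` and set the message with `flash.now[:error] = user.errors.full_messages.to_sentence` so it is not carried into a later request. Moving `full_messages` into `flash[:error]` also hands validation text to whatever the layout does with flash: if any custom validator interpolates submitted values into its message and the layout prints flash with `raw`/`html_safe`, that is a reflected XSS path — neither the validators nor the layout are visible here, so confirm the flash output is escaped. The enclosing action and its `if`/`else` open before the hunk.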
From 398c1bbe8394949138b1536672b064c5773abfd6 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Mon, 7 Oct 2013 14:18:17 -0400 Subject: [PATCH 6/6] moving vulnerability tests and adding password complexity test --- .../{ => vulnerabilities}/broken_auth_spec.rb | 0 .../command_injection_spec.rb | 0 .../{ => vulnerabilities}/csrf_spec.rb | 0 .../info_disclosure_spec.rb | 0 .../insecure_dor_spec.rb | 0 .../mass_assignment_spec.rb | 0 .../password_complexity_spec.rb | 21 +++++++++++++++++++ .../sql_injection_spec.rb | 0 .../unvalidated_redirects_spec.rb | 0 .../{ => vulnerabilities}/url_access_spec.rb | 0 .../{ => vulnerabilities}/xss_spec.rb | 0 11 files changed, 21 insertions(+) rename spec/features/{ => vulnerabilities}/broken_auth_spec.rb (100%) rename spec/features/{ => vulnerabilities}/command_injection_spec.rb (100%) rename spec/features/{ => vulnerabilities}/csrf_spec.rb (100%) rename spec/features/{ => vulnerabilities}/info_disclosure_spec.rb (100%) rename spec/features/{ => vulnerabilities}/insecure_dor_spec.rb (100%) rename spec/features/{ => vulnerabilities}/mass_assignment_spec.rb (100%) create mode 100644 spec/features/vulnerabilities/password_complexity_spec.rb rename spec/features/{ => vulnerabilities}/sql_injection_spec.rb (100%) rename spec/features/{ => vulnerabilities}/unvalidated_redirects_spec.rb (100%) rename spec/features/{ => vulnerabilities}/url_access_spec.rb (100%) rename spec/features/{ => vulnerabilities}/xss_spec.rb (100%) diff --git a/spec/features/broken_auth_spec.rb b/spec/features/vulnerabilities/broken_auth_spec.rb similarity index 100% rename from spec/features/broken_auth_spec.rb rename to spec/features/vulnerabilities/broken_auth_spec.rb diff --git a/spec/features/command_injection_spec.rb b/spec/features/vulnerabilities/command_injection_spec.rb similarity index 100% rename from spec/features/command_injection_spec.rb rename to spec/features/vulnerabilities/command_injection_spec.rb 
diff --git a/spec/features/csrf_spec.rb b/spec/features/vulnerabilities/csrf_spec.rb similarity index 100% rename from spec/features/csrf_spec.rb rename to spec/features/vulnerabilities/csrf_spec.rb diff --git a/spec/features/info_disclosure_spec.rb b/spec/features/vulnerabilities/info_disclosure_spec.rb similarity index 100% rename from spec/features/info_disclosure_spec.rb rename to spec/features/vulnerabilities/info_disclosure_spec.rb diff --git a/spec/features/insecure_dor_spec.rb b/spec/features/vulnerabilities/insecure_dor_spec.rb similarity index 100% rename from spec/features/insecure_dor_spec.rb rename to spec/features/vulnerabilities/insecure_dor_spec.rb diff --git a/spec/features/mass_assignment_spec.rb b/spec/features/vulnerabilities/mass_assignment_spec.rb similarity index 100% rename from spec/features/mass_assignment_spec.rb rename to spec/features/vulnerabilities/mass_assignment_spec.rb diff --git a/spec/features/vulnerabilities/password_complexity_spec.rb b/spec/features/vulnerabilities/password_complexity_spec.rb new file mode 100644 index 0000000..a92bcbd --- /dev/null +++ b/spec/features/vulnerabilities/password_complexity_spec.rb @@ -0,0 +1,21 @@ +require 'spec_helper' + +feature 'password complexity' do + before do + UserFixture.reset_all_users + @normal_user = UserFixture.normal_user + end + + scenario 'one' do + visit '/signup' + within('.signup') do + fill_in 'user_email', :with => @normal_user.email + 'not' + fill_in 'user_first_name', :with => @normal_user.first_name + fill_in 'user_last_name', :with => @normal_user.last_name + 'not' + fill_in 'user_password', :with => 'password' + fill_in 'user_password_confirmation', :with => 'password' + end + click_on 'Submit' + pending(:if => verifying_fixed?) {current_path.should == '/dashboard/home'} + end +end \ No newline at end of file 
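Review bot: The email for the new account is built as `@normal_user.email + 'not'`, which appends text after the TLD; if the User model validates email format (not visible here), signup fails for a reason unrelated to password strength and the scenario passes or stays pending without ever exercising the complexity check. Prefix instead so the address stays well-formed: `fill_in 'user_email', :with => 'not' + @normal_user.email`. The scenario is also named `'one'`, which says nothing when it fails; `scenario 'signup accepts a dictionary-word password'` documents the intent, and a companion scenario asserting that a strong password does land on `/dashboard/home` would separate a broken signup form from a present or absent complexity rule. The `pending(:if => verifying_fixed?) { ... }` form relies on RSpec 2's block semantics (the block is expected to fail while the condition holds), and `verifying_fixed?` is defined outside this patch, so a short comment on that line explaining both would help.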
diff --git a/spec/features/sql_injection_spec.rb b/spec/features/vulnerabilities/sql_injection_spec.rb similarity index 100% rename from spec/features/sql_injection_spec.rb rename to spec/features/vulnerabilities/sql_injection_spec.rb diff --git a/spec/features/unvalidated_redirects_spec.rb b/spec/features/vulnerabilities/unvalidated_redirects_spec.rb similarity index 100% rename from spec/features/unvalidated_redirects_spec.rb rename to spec/features/vulnerabilities/unvalidated_redirects_spec.rb diff --git a/spec/features/url_access_spec.rb b/spec/features/vulnerabilities/url_access_spec.rb similarity index 100% rename from spec/features/url_access_spec.rb rename to spec/features/vulnerabilities/url_access_spec.rb diff --git a/spec/features/xss_spec.rb b/spec/features/vulnerabilities/xss_spec.rb similarity index 100% rename from spec/features/xss_spec.rb rename to spec/features/vulnerabilities/xss_spec.rb