team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added command injection Capybara spec.

Browse Source
This commit is contained in:
chrismo
2013-09-27 14:59:30 -05:00
parent df9efa915b
commit e0bca0139e
3 changed files with 49 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/users_controller.rb
+1 -4
View File
@@ -9,10 +9,7 @@ class UsersController < ApplicationController
def create def create
user = User.new(params[:user]) user = User.new(params[:user])
user.build_retirement(POPULATE_RETIREMENTS.shuffle.first) user.build_benefits_data
user.build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
user.build_work_info(POPULATE_WORK_INFO.shuffle.first)
user.performance.build(POPULATE_PERFORMANCE.shuffle.first)
if user.save if user.save
session[:user_id] = user.user_id session[:user_id] = user.user_id
redirect_to home_dashboard_index_path redirect_to home_dashboard_index_path
app/models/user.rb
+9 -2
View File
@@ -16,8 +16,15 @@ class User < ActiveRecord::Base
has_one :paid_time_off, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_one :paid_time_off, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
def build_benefits_data
build_retirement(POPULATE_RETIREMENTS.shuffle.first)
build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
build_work_info(POPULATE_WORK_INFO.shuffle.first)
performance.build(POPULATE_PERFORMANCE.shuffle.first)
end
private private
def full_name def full_name
spec/features/command_injection_spec.rb
+39
View File
@@ -0,0 +1,39 @@
require 'spec_helper'
require 'tmpdir'
feature 'command injection' do
before do
User.delete_all
Rails.application.load_seed
@normal_user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
:email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
@normal_user.build_benefits_data
@normal_user.save!
end
scenario 'injection attack on file upload', :js => true do
visit '/'
within('.signup') do
fill_in 'email', :with => 'joe@schmoe.com'
fill_in 'password', :with => 'aoeuaoeu'
end
click_on 'Login'
legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
visit "/users/#{@normal_user.user_id}/benefit_forms"
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, '; cd public && cd data && rm -f * ;')
File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
within('.new_benefits') do
attach_file 'benefits_upload', hackety_file
find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
end
save_screenshot('screenshot.before.upload.png')
click_on 'Start Upload'
end
save_screenshot('screenshot.after.upload.png')
File.exists?(legit_file).should be_false
end
end