Added command injection Capybara spec.

app/controllers/users_controller.rb

@@ -9,10 +9,7 @@ class UsersController < ApplicationController
   
   def create
     user = User.new(params[:user])
-    user.build_retirement(POPULATE_RETIREMENTS.shuffle.first)
-    user.build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
-    user.build_work_info(POPULATE_WORK_INFO.shuffle.first)
-    user.performance.build(POPULATE_PERFORMANCE.shuffle.first)
+    user.build_benefits_data
     if user.save
       session[:user_id] = user.user_id
       redirect_to home_dashboard_index_path

app/models/user.rb

@@ -18,6 +18,13 @@ class User < ActiveRecord::Base
   has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
 
 
+  def build_benefits_data
+    build_retirement(POPULATE_RETIREMENTS.shuffle.first)
+    build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
+    build_work_info(POPULATE_WORK_INFO.shuffle.first)
+    performance.build(POPULATE_PERFORMANCE.shuffle.first)
+  end
+
   private
   
   def full_name

spec/features/command_injection_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'tmpdir'
+
+feature 'command injection' do
+  before do
+    User.delete_all
+    Rails.application.load_seed
+    @normal_user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
+                            :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
+    @normal_user.build_benefits_data
+    @normal_user.save!
+  end
+
+  scenario 'injection attack on file upload', :js => true do
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => 'joe@schmoe.com'
+      fill_in 'password', :with => 'aoeuaoeu'
+    end
+    click_on 'Login'
+
+    legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
+    File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
+
+    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    Dir.mktmpdir do |dir|
+      hackety_file = File.join(dir, '; cd public && cd data && rm -f * ;')
+      File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
+      within('.new_benefits') do
+        attach_file 'benefits_upload', hackety_file
+        find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
+      end
+      save_screenshot('screenshot.before.upload.png')
+      click_on 'Start Upload'
+    end
+    save_screenshot('screenshot.after.upload.png')
+    File.exists?(legit_file).should be_false
+  end
+end