From e999c0250624b18a96b689e79113f5efdaffaa7b Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Wed, 9 Oct 2013 12:55:00 -0400
Subject: [PATCH] adding password hashing spec

---
 spec/support/capybara_shared.rb               |  2 +-
 spec/vulnerabilities/password_hashing_spec.rb | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 spec/vulnerabilities/password_hashing_spec.rb

diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb
index 6e3657d..2f982f9 100644
--- a/spec/support/capybara_shared.rb
+++ b/spec/support/capybara_shared.rb
@@ -16,7 +16,7 @@ def verifying_fixed?
 ******************************************************************************
   You are running the RailsGoat Capybara Specs in Training mode. These specs
   are supposed to fail, indicating vulnerabilities exist. They contain
-  spoilers, so do not read the code in spec/features if your goal is to
+  spoilers, so do not read the code in spec/vulnerabilities if your goal is to
   learn more about patching the vulnerabilities. You should fix the
   vulnerabilities in the application in order to get these specs to pass**.
   You can use them to measure your progress.
diff --git a/spec/vulnerabilities/password_hashing_spec.rb b/spec/vulnerabilities/password_hashing_spec.rb
new file mode 100644
index 0000000..2c2e7a6
--- /dev/null
+++ b/spec/vulnerabilities/password_hashing_spec.rb
@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+feature 'improper password hashing' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'with just md5' do
+    new_pass = 'testpassword'
+    @normal_user.password = new_pass
+    @normal_user.password_confirmation = new_pass
+    @normal_user.save
+    pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password}
+  end
+
+  scenario 'with md5 and salt' do
+    if @normal_user.has_attribute?('salt')
+      new_pass = 'testpassword'
+      @normal_user.password = new_pass
+      @normal_user.password_confirmation = new_pass
+      @normal_user.save
+      pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password}
+    end
+  end
+end
\ No newline at end of file