Merge pull request #255 from jmmastey/rails_5

Rails 5 Candidate Branch
2017-07-12 09:05:33 -04:00
parent 3474385141 563ada1e04
commit f1a3bc7bcf
38 changed files with 144 additions and 152 deletions
@@ -11,8 +11,7 @@ before_install:
  - "if [ $(phantomjs --version) != '2.1.1' ]; then tar -xvf ${PWD}/travis_phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2 -C ${PWD}/travis_phantomjs; fi"
  - "phantomjs --version"

-before_script: rake db:setup
-before_script: bundle exec rake db:setup
+before_script: bundle exec rails db:test:prepare
 cache: bundler
 sudo: false
-env: RAILSGOAT_MAINTAINER=true
+env: RAILSGOAT_MAINTAINER=true
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'

 #don't upgrade
-gem 'rails', '4.2.7.1'
+gem 'rails', '5.0.1'

 ruby '2.3.3'

@@ -53,7 +53,7 @@ gem 'sass-rails'
 gem 'coffee-rails'
 gem 'jquery-fileupload-rails'
 gem 'uglifier'
-gem 'turbolinks' # New for Rails 4.0
+gem 'turbolinks'

 # See https://github.com/sstephenson/execjs#readme for more supported runtimes
 # gem 'therubyracer', :platforms => :ruby
@@ -87,11 +87,12 @@ gem 'execjs'
 gem 'therubyracer'

 # Add SMTP server support using MailCatcher
-gem 'mailcatcher'
+# NOTE: https://github.com/sj26/mailcatcher#bundler
+# gem 'mailcatcher'

 #For Rails 4.0
 #group :doc do
-#  # bundle exec rake doc:rails generates the API under doc/api.
+#  # bundle exec rails doc:rails generates the API under doc/api.
 #  gem 'sdoc', require: false
 #end

@@ -1,44 +1,46 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    actionmailer (4.2.7.1)
-      actionpack (= 4.2.7.1)
-      actionview (= 4.2.7.1)
-      activejob (= 4.2.7.1)
+    actioncable (5.0.1)
+      actionpack (= 5.0.1)
+      nio4r (~> 1.2)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.0.1)
+      actionpack (= 5.0.1)
+      actionview (= 5.0.1)
+      activejob (= 5.0.1)
      mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.7.1)
-      actionview (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
-      rack (~> 1.6)
-      rack-test (~> 0.6.2)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.0.1)
+      actionview (= 5.0.1)
+      activesupport (= 5.0.1)
+      rack (~> 2.0)
+      rack-test (~> 0.6.3)
+      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.7.1)
-      activesupport (= 4.2.7.1)
+    actionview (5.0.1)
+      activesupport (= 5.0.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    activejob (4.2.7.1)
-      activesupport (= 4.2.7.1)
-      globalid (>= 0.3.0)
-    activemodel (4.2.7.1)
-      activesupport (= 4.2.7.1)
-      builder (~> 3.1)
-    activerecord (4.2.7.1)
-      activemodel (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
-      arel (~> 6.0)
-    activesupport (4.2.7.1)
+    activejob (5.0.1)
+      activesupport (= 5.0.1)
+      globalid (>= 0.3.6)
+    activemodel (5.0.1)
+      activesupport (= 5.0.1)
+    activerecord (5.0.1)
+      activemodel (= 5.0.1)
+      activesupport (= 5.0.1)
+      arel (~> 7.0)
+    activesupport (5.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
    addressable (2.5.0)
      public_suffix (~> 2.0, >= 2.0.2)
-    arel (6.0.3)
+    arel (7.1.4)
    aruba (0.14.2)
      childprocess (~> 0.5.6)
      contracts (~> 0.9)
@@ -54,7 +56,7 @@ GEM
    binding_of_caller (0.7.2)
      debug_inspector (>= 0.0.1)
    brakeman (3.4.1)
-    builder (3.2.2)
+    builder (3.2.3)
    bundler-audit (0.5.0)
      bundler (~> 1.2)
      thor (~> 0.18)
@@ -76,7 +78,7 @@ GEM
      coffee-script-source
      execjs
    coffee-script-source (1.12.2)
-    concurrent-ruby (1.0.2)
+    concurrent-ruby (1.0.4)
    contracts (0.14.0)
    crack (0.3.1)
    cucumber (2.4.0)
@@ -90,7 +92,6 @@ GEM
    cucumber-core (1.5.0)
      gherkin (~> 4.0)
    cucumber-wire (0.0.1)
-    daemons (1.2.4)
    database_cleaner (1.5.3)
    debug_inspector (0.0.2)
    diff-lcs (1.2.5)
@@ -99,7 +100,7 @@ GEM
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
    erubis (2.7.0)
-    eventmachine (1.0.9.1)
+    eventmachine (1.2.1)
    execjs (2.7.0)
    ffi (1.9.14)
    foreman (0.82.0)
@@ -143,7 +144,7 @@ GEM
      rails-dom-testing (>= 1, < 3)
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
-    json (1.8.3)
+    json (2.0.3)
    kgio (2.11.0)
    launchy (2.4.3)
      addressable (~> 2.3)
@@ -157,14 +158,6 @@ GEM
    lumberjack (1.0.10)
    mail (2.6.4)
      mime-types (>= 1.16, < 4)
-    mailcatcher (0.6.5)
-      eventmachine (= 1.0.9.1)
-      mail (~> 2.3)
-      rack (~> 1.5)
-      sinatra (~> 1.2)
-      skinny (~> 0.2.3)
-      sqlite3 (~> 1.3)
-      thin (~> 1.5.0)
    method_source (0.8.2)
    mime-types (3.1)
      mime-types-data (~> 3.2015)
@@ -175,7 +168,8 @@ GEM
    multi_test (0.1.2)
    mysql2 (0.4.5)
    nenv (0.3.0)
-    nokogiri (1.6.8.1)
+    nio4r (1.2.1)
+    nokogiri (1.7.0.1)
      mini_portile2 (~> 2.1.0)
    notiffany (0.1.1)
      nenv (~> 0.1)
@@ -194,35 +188,32 @@ GEM
    pry-rails (0.3.4)
      pry (>= 0.9.10)
    public_suffix (2.0.4)
-    rack (1.6.5)
+    rack (2.0.1)
    rack-livereload (0.3.16)
      rack
-    rack-protection (1.5.3)
-      rack
    rack-test (0.6.3)
      rack (>= 1.0)
-    rails (4.2.7.1)
-      actionmailer (= 4.2.7.1)
-      actionpack (= 4.2.7.1)
-      actionview (= 4.2.7.1)
-      activejob (= 4.2.7.1)
-      activemodel (= 4.2.7.1)
-      activerecord (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
+    rails (5.0.1)
+      actioncable (= 5.0.1)
+      actionmailer (= 5.0.1)
+      actionpack (= 5.0.1)
+      actionview (= 5.0.1)
+      activejob (= 5.0.1)
+      activemodel (= 5.0.1)
+      activerecord (= 5.0.1)
+      activesupport (= 5.0.1)
      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.7.1)
-      sprockets-rails
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
-      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
-      rails-deprecated_sanitizer (>= 1.0.1)
+      railties (= 5.0.1)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.2)
+      activesupport (>= 4.2.0, < 6.0)
+      nokogiri (~> 1.6)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
-    railties (4.2.7.1)
-      actionpack (= 4.2.7.1)
-      activesupport (= 4.2.7.1)
+    railties (5.0.1)
+      actionpack (= 5.0.1)
+      activesupport (= 5.0.1)
+      method_source
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    raindrops (0.17.0)
@@ -268,31 +259,20 @@ GEM
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.0)
-    sinatra (1.4.7)
-      rack (~> 1.5)
-      rack-protection (~> 1.4)
-      tilt (>= 1.3, < 3)
-    skinny (0.2.4)
-      eventmachine (~> 1.0.0)
-      thin (>= 1.5, < 1.7)
    slop (3.6.0)
-    sprockets (3.7.0)
+    sprockets (3.7.1)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.2.0)
      actionpack (>= 4.0)
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
-    sqlite3 (1.3.12)
+    sqlite3 (1.3.13)
    test-unit (3.2.3)
      power_assert
    therubyracer (0.12.2)
      libv8 (~> 3.16.14.0)
      ref
-    thin (1.5.1)
-      daemons (>= 1.0.9)
-      eventmachine (>= 0.12.6)
-      rack (>= 1.0.0)
    thor (0.19.4)
    thread_safe (0.3.5)
    tilt (2.0.5)
@@ -337,14 +317,13 @@ DEPENDENCIES
  jquery-fileupload-rails
  jquery-rails
  launchy
-  mailcatcher
  mysql2
  poltergeist
  powder
  pry
  pry-rails
  rack-livereload
-  rails (= 4.2.7.1)
+  rails (= 5.0.1)
  rake
  rb-fsevent
  responders
@@ -363,4 +342,4 @@ RUBY VERSION
   ruby 2.3.3p222

 BUNDLED WITH
-   1.13.6
+   1.13.7
@@ -1,6 +1,6 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)

-RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.

 ## Support

@@ -20,11 +20,12 @@ After installing the package, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```

-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:

 ```bash
 $ cd railsgoat
 $ git checkout rails_3_2
+$ git checkout rails_4_2
 ```

 Navigate into the directory (already there if you followed the previous step) and install the dependencies:
@@ -42,7 +43,7 @@ $ gem install bundler
 Initialize the database:

 ```bash
-$ rake db:setup
+$ rails db:setup
 ```

 Start the Thin web server:
@@ -78,7 +79,7 @@ To run Railsgoat with Docker you must first have [Docker](https://docs.docker.co
 ```
 #~/code/railsgoat
 $ docker-compose build
-$ docker-compose run web rake db:setup
+$ docker-compose run web rails db:setup
 $ docker-compose up
 ...
  Creating railsgoat_web_1
@@ -93,7 +94,7 @@ Note: if your container exits with an error, it may be because a server is alrea
 ```
 A server is already running. Check /myapp/tmp/pids/server.pid.
 => Booting Thin
-=> Rails 4.2.6 application starting in development on
+=> Rails 5.0.1 application starting in development on
 http://0.0.0.0:3000
 => Run `rails server -h` for more startup options
 => Ctrl-C to shutdown server
@@ -103,16 +104,16 @@ In this case, remove that server.pid file and try again. Note also that this fil

 ## Capybara Tests

-RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following rake task:
+RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs) (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following task:

 ```
-$ rake training
+$ rails training
 ```

 To run just one spec:

 ```
-$ rake training SPEC=spec/vulnerabilities/sql_injection_spec.rb
+$ rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb
 ```

 NOTE: As vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`.
@@ -124,10 +125,10 @@ By default in development mode Railsgoat runs with a SQLite database. There is a

 ```
 #Create the MySQL database
-RAILS_ENV=mysql rake db:create
+RAILS_ENV=mysql rails db:create

 #Run the migrations against the database
-RAILS_ENV=mysql rake db:migrate
+RAILS_ENV=mysql rails db:migrate

 #Boot Rails using MySQl
 RAILS_ENV=mysql rails s
@@ -137,9 +138,10 @@ RAILS_ENV=mysql rails s

 In order for RailsGoat to effectively process email, you will first need to run MailCatcher, an SMTP server that will intercept email messages and display them in a web interface.

-To start an instance of MailCatcher, simply run:
+Mailcatcher is not installed by default. To install MailCatcher and start an instance of it, simply run:

 ```
+$ gem install mailcatcher
 $ mailcatcher
 ```

@@ -1,7 +1,6 @@
-#!/usr/bin/env rake
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.

-require File.expand_path('../config/application', __FILE__)
+require_relative 'config/application'

-Railsgoat::Application.load_tasks
+Rails.application.load_tasks
@@ -1,6 +1,6 @@
 class AdminController < ApplicationController
  before_action :administrative, :if => :admin_param, :except => [:get_user]
-  skip_before_filter :has_info
+  skip_before_action :has_info

  def dashboard
  end
@@ -1,6 +1,6 @@
 class Api::V1::MobileController < ApplicationController
-  skip_before_filter :authenticated
-  before_filter :mobile_request?
+  skip_before_action :authenticated
+  before_action :mobile_request?

  respond_to :json

@@ -1,7 +1,7 @@
 class Api::V1::UsersController < ApplicationController
-  skip_before_filter :authenticated
-  before_filter :valid_api_token
-  before_filter :extrapolate_user
+  skip_before_action :authenticated
+  before_action :valid_api_token
+  before_action :extrapolate_user

  respond_to :json

@@ -18,7 +18,9 @@ class Api::V1::UsersController < ApplicationController
  def valid_api_token
    authenticate_or_request_with_http_token do |token, options|
      # TODO :add some functionality to check if the HTTP Header is valid
-      identify_user(token)
+      if !identify_user(token)
+        redirect_to root_url
+      end
    end
  end

@@ -29,8 +31,8 @@ class Api::V1::UsersController < ApplicationController
    @clean_token =~ /(.*?)-(.*)/
    id = $1
    hash = $2
-    (id && hash) ? true : false
-    check_hash(id, hash) ? true : false
+
+    check_hash(id, hash)
  end

  def check_hash(id, hash)
@@ -1,5 +1,5 @@
 class DashboardController < ApplicationController
-  skip_before_filter :has_info
+  skip_before_action :has_info

  def home
    @user = current_user
@@ -1,5 +1,5 @@
 class PasswordResetsController < ApplicationController
-  skip_before_filter :authenticated
+  skip_before_action :authenticated

  def reset_password
    user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :has_info
+  skip_before_action :authenticated, :only => [:new, :create]

  def new
    @url = params[:url]
@@ -1,6 +1,6 @@
 class TutorialsController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated
+  skip_before_action :has_info
+  skip_before_action :authenticated

  def credentials
    render :partial => "layouts/tutorial/credentials/creds"
@@ -1,6 +1,6 @@
 class UsersController < ApplicationController
-  skip_before_filter :has_info
-  skip_before_filter :authenticated, :only => [:new, :create]
+  skip_before_action :has_info
+  skip_before_action :authenticated, :only => [:new, :create]

  def new
    @user = User.new
@@ -25,8 +25,9 @@ class UsersController < ApplicationController

  def update
    message = false
-  
-    user = User.where("user_id = '#{params[:user][:user_id]}'").first
+
+    user = User.where("user_id = '#{params[:user][:user_id]}'")[0]
+
    if user
      user.skip_user_id_assign = true
      user.skip_hash_password = true
@@ -1,4 +1,4 @@
-class Analytics < ActiveRecord::Base
+class Analytics < ApplicationRecord
  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}

  def self.count_by_col(col)
@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end
@@ -1,4 +1,4 @@
-class Benefits < ActiveRecord::Base
+class Benefits < ApplicationRecord

  def self.save(file, backup=false)
    data_path = Rails.root.join("public", "data")
@@ -1,4 +1,4 @@
-class KeyManagement < ActiveRecord::Base
+class KeyManagement < ApplicationRecord
  belongs_to :work_info
  belongs_to :user
 end
@@ -1,4 +1,4 @@
-class Message < ActiveRecord::Base
+class Message < ApplicationRecord
  belongs_to :user
  validates_presence_of :creator_id, :receiver_id, :message

@@ -1,4 +1,4 @@
-class PaidTimeOff < ActiveRecord::Base
+class PaidTimeOff < ApplicationRecord
  belongs_to :user
  has_many :schedule, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy

@@ -1,4 +1,4 @@
-class Pay < ActiveRecord::Base
+class Pay < ApplicationRecord
  # Associations
  belongs_to :user

@@ -1,4 +1,4 @@
-class Performance < ActiveRecord::Base
+class Performance < ApplicationRecord
  belongs_to :user

  def reviewer_name
@@ -1,3 +1,3 @@
-class Retirement < ActiveRecord::Base
+class Retirement < ApplicationRecord
  belongs_to :user
 end
@@ -1,4 +1,4 @@
-class Schedule < ActiveRecord::Base
+class Schedule < ApplicationRecord
  belongs_to :paid_time_off

  validates_presence_of :date_begin, :date_end, :event_desc, :event_name, :event_type
@@ -1,6 +1,6 @@
 require 'encryption'

-class User < ActiveRecord::Base
+class User < ApplicationRecord
  validates :password, :presence => true,
                       :confirmation => true,
                       :length => {:within => 6..40},
@@ -1,4 +1,4 @@
-class WorkInfo < ActiveRecord::Base
+class WorkInfo < ApplicationRecord
  belongs_to :user
  has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
  #before_save :encrypt_ssn
@@ -23,7 +23,7 @@ module Railsgoat
    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer

    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
-    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # Run "rails -D time" for a list of tasks for finding time zone names. Default is UTC.
    # config.time_zone = 'Central Time (US & Canada)'

    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
@@ -19,7 +19,7 @@ mysql:
  password:

 # Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
+# re-generated from your development database when you run "rails".
 # Do not set this db to the same as development or production.
 test:
  adapter: sqlite3
@@ -33,12 +33,18 @@ Railsgoat::Application.configure do
  config.action_mailer.smtp_settings = { :address => "127.0.0.1", :port => 1025 }
  config.action_mailer.default_url_options = { :host => "127.0.0.1:3000" }

-  config.middleware.insert_before(
-       Rack::Lock, Rack::LiveReload,
-       :min_delay => 500,
-       :max_delay => 1000,
-       :port => 35727,
-       :host => 'railsgoat.dev',
-       :ignore => [ %r{dont/modify\.html$} ]
-  )
+ # config.middleware.insert_before(
+ #      Rack::Lock, Rack::LiveReload,
+ #      :min_delay => 500,
+ #      :max_delay => 1000,
+ #      :port => 35727,
+ #      :host => 'railsgoat.dev',
+ #      :ignore => [ %r{dont/modify\.html$} ]
+ # )
+
+  # For Rails 4.0+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 end
@@ -15,7 +15,7 @@ Railsgoat::Application.configure do
  # config.action_dispatch.rack_cache = true

  # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_files = false
+  config.public_file_server.enabled = false

  # Compress JavaScripts and CSS
  config.assets.compress = true
@@ -8,8 +8,8 @@ Railsgoat::Application.configure do
  config.cache_classes = true

  # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files = true
-  config.static_cache_control = "public, max-age=3600"
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }

  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -1,5 +1,5 @@
 # This file should contain all the record creation needed to seed the database with its default values.
-# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+# The data can then be loaded with the rails db:seed (or created alongside the db with db:setup).
 #

 users = [
@@ -1,2 +1,2 @@
 Use this README file to introduce your application and point to useful places in the API for learning more.
-Run "rake doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
+Run "rails doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -e

-rake db:setup
+rails db:setup
 rails server
@@ -7,7 +7,7 @@ feature 'csrf' do
    @normal_user = UserFixture.normal_user
  end

-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", :js => true do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", :js => true do
    visit '/'
    # TODO: is there a way to get this without visiting root first?
    base_url = current_url
@@ -14,9 +14,10 @@ feature 'insecure direct object reference' do
    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')

    pending if verifying_fixed?
+
    expect(page.status_code).to eq(200)
    expect(page.response_headers['Content-Disposition']).to include('database.yml')
-    expect(page.response_headers['Content-Length']).to eq('709')
+    expect(page.response_headers['Content-Length']).to eq('710')
  end

  scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
@@ -21,7 +21,7 @@ feature 'mass assignment' do
    expect(@normal_user.reload.admin).to be_truthy
  end

-  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role' do
+  scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
    params = {:user => {:admin => 't',
                        :email => 'hackety@h4x0rs.c0m',
                        :first_name => 'hackety',
@@ -7,7 +7,7 @@ feature 'sql injection' do
    @admin_user = User.where("admin='t'").first
  end

-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
    expect(@admin_user.admin).to be_truthy

    login(@normal_user)