Merge branch 'master' of https://github.com/OWASP/railsgoat

app/models/benefits.rb

@@ -12,9 +12,10 @@ class Benefits < ActiveRecord::Base
  
  def self.make_backup(file, data_path, full_file_name)
     if File.exists?(full_file_name)
-     system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+    system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
     end
-  end
+  rescue
+ end
 
 =begin 
   def self.make_backup(file, data_path, full_file_name)

spec/vulnerabilities/command_injection_spec.rb

@@ -15,7 +15,7 @@ feature 'command injection' do
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     Dir.mktmpdir do |dir|
-      hackety_file = File.join(dir, ' >> /dev/null 2&>1; cd public && cd data && rm -f * ;')
+      hackety_file = File.join(dir, 'etc/passwd; cd public && cd data && rm -f * ;')
       File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
       within('.new_benefits') do
         attach_file 'benefits_upload', hackety_file

spec/vulnerabilities/password_hashing_spec.rb

@@ -14,6 +14,7 @@ feature 'improper password hashing' do
     pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password}
   end
 
+=begin
   scenario 'with md5 and salt' do
     pending unless @normal_user.has_attribute?('salt')
     new_pass = 'testpassword'
@@ -22,4 +23,6 @@ feature 'improper password hashing' do
     @normal_user.save
     pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password}
   end
+=end
+
 end