From 907045488d404bb6f608b1757279fef31e9485c6 Mon Sep 17 00:00:00 2001
From: cktricky <cktricky@gmail.com>
Date: Fri, 9 Jan 2015 11:40:37 -0500
Subject: [PATCH 1/5] this change allows the app to get the csrf fixes working
 when running rake training

---
 config/environments/test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/environments/test.rb b/config/environments/test.rb
index 71d265d..d842cdd 100755
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -22,7 +22,7 @@ Railsgoat::Application.configure do
   config.action_dispatch.show_exceptions = false
 
   # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
+  config.action_controller.allow_forgery_protection    = true
 
   # Tell Action Mailer not to deliver emails to the real world.
   # The :test delivery method accumulates sent emails in the

From 3d29293bd46b0c3a27b98df0f034f925c3ff8c5f Mon Sep 17 00:00:00 2001
From: cktricky <cktricky@gmail.com>
Date: Sun, 8 Feb 2015 18:10:27 -0500
Subject: [PATCH 2/5] pry instead of rails c

---
 Gemfile      | 3 +++
 Gemfile.lock | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/Gemfile b/Gemfile
index 3539b41..f00a614 100755
--- a/Gemfile
+++ b/Gemfile
@@ -11,6 +11,9 @@ ruby '2.1.5'
 gem 'sqlite3'
 gem 'foreman'
 
+# Pry for Rails, not in dev group in case running via prod/staging @ a training
+gem 'pry-rails'
+
 group :development, :mysql do
   gem 'brakeman'
   gem 'bundler-audit'
diff --git a/Gemfile.lock b/Gemfile.lock
index 5516b7c..4034036 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -184,6 +184,8 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
+    pry-rails (0.3.3)
+      pry (>= 0.9.10)
     rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
@@ -328,6 +330,7 @@ DEPENDENCIES
   poltergeist
   powder
   pry
+  pry-rails
   rack-livereload
   rails (= 3.2.21)
   rb-fsevent

From 1eee953f62653b30f6c46ec0b8c3b9b4e1a7997e Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Mon, 23 Feb 2015 20:36:53 -0500
Subject: [PATCH 3/5] adding render vuln

---
 app/controllers/dashboard_controller.rb | 5 ++++-
 app/views/dashboard/home.html.erb       | 4 +++-
 config/routes.rb                        | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 app/controllers/dashboard_controller.rb
 mode change 100755 => 100644 app/views/dashboard/home.html.erb
 mode change 100755 => 100644 config/routes.rb

diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
old mode 100755
new mode 100644
index 8b351bf..cfa0921
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -22,5 +22,8 @@ class DashboardController < ApplicationController
      @user = current_user
      render :partial => "layouts/dashboard/dashboard_stats"
   end
-  
+
+  def doc
+    render "../../doc/" + params[:doc]
+  end 
 end
diff --git a/app/views/dashboard/home.html.erb b/app/views/dashboard/home.html.erb
old mode 100755
new mode 100644
index 5b0811a..cee5c39
--- a/app/views/dashboard/home.html.erb
+++ b/app/views/dashboard/home.html.erb
@@ -27,13 +27,15 @@
 		        </div>
 			  </div>
 			</div>	
-
+			<center><b>Need help using this portal? Check out the <a href="doc?doc=README_FOR_APP">Readme</a></b></center>
         </div> <!-- end span12 -->
     </div>
   </div>
 </div>
 
 
+
+
 <script type="text/javascript">
 
 function makeActive(){
diff --git a/config/routes.rb b/config/routes.rb
old mode 100755
new mode 100644
index 35ef733..723b5b1
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,7 +6,7 @@ Railsgoat::Application.routes.draw do
   match "forgot_password" => "password_resets#forgot_password"
   get "password_resets" => "password_resets#confirm_token"
   post "password_resets" => "password_resets#reset_password"
-
+  get "dashboard/doc" => "dashboard#doc"
 
   resources :sessions do
   end

From d1c7b0831d0778e422ce031076e56379034c9151 Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Mon, 23 Feb 2015 21:29:44 -0500
Subject: [PATCH 4/5] adding vulnerable gem

---
 Gemfile      | 1 +
 Gemfile.lock | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/Gemfile b/Gemfile
index 3539b41..e894f89 100755
--- a/Gemfile
+++ b/Gemfile
@@ -10,6 +10,7 @@ ruby '2.1.5'
 
 gem 'sqlite3'
 gem 'foreman'
+gem 'crack', '0.3.1'
 
 group :development, :mysql do
   gem 'brakeman'
diff --git a/Gemfile.lock b/Gemfile.lock
index 5516b7c..2322869 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -75,6 +75,7 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.8.0)
+    crack (0.3.1)
     cucumber (1.3.15)
       builder (>= 2.1.2)
       diff-lcs (>= 1.1.3)
@@ -312,6 +313,7 @@ DEPENDENCIES
   bundler-audit
   capybara
   coffee-rails
+  crack (= 0.3.1)
   database_cleaner
   execjs
   foreman

From 449b599703b8307224e0d17bdb267091d9098542 Mon Sep 17 00:00:00 2001
From: cktricky <cktricky@gmail.com>
Date: Tue, 17 Mar 2015 22:12:21 -0400
Subject: [PATCH 5/5] cleaned up the view code here for tomorrows thing

---
 app/views/users/new.html.erb | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)

diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
index 5ed6e7e..519f8d3 100755
--- a/app/views/users/new.html.erb
+++ b/app/views/users/new.html.erb
@@ -5,32 +5,26 @@
           <div class="span4 offset4">
             <div class="signup">
       <%= form_for @user, :html => {:id => "account_edit", :class=> "signup-wrapper"} do |f| %>
-
           <div class="header">
-                    <h2>Sign Up</h2>
-                    <p>Fill out the form below to login</p>
-                  </div>
-
+            <h2>Sign Up</h2>
+            <p>Fill out the form below to login</p>
+           </div>
           <div class="content">
-                <%= f.text_field :email, {:class => "input input-block-level", :placeholder => "Email"} %>
-
-                <%= f.text_field :first_name, {:class => "input input-block-level", :placeholder => "First Name"} %>
-
-                <%= f.text_field :last_name, {:class => "input input-block-level", :placeholder => "Last Name"} %>
-
-                  <div class="control-group">
-                  <%= f.password_field :password, {:class => "input input-block-level", :placeholder => "Password"}%>
-              </div>
-              <div class="control-group">
-                  <%= f.password_field :password_confirmation, {:class => "input input-block-level", :placeholder => "Confirm Password"}%>
-              </div>
+            <%= f.text_field :email, {:class => "input input-block-level", :placeholder => "Email"} %>
+            <%= f.text_field :first_name, {:class => "input input-block-level", :placeholder => "First Name"} %>
+            <%= f.text_field :last_name, {:class => "input input-block-level", :placeholder => "Last Name"} %>
+            <div class="control-group">
+              <%= f.password_field :password, {:class => "input input-block-level", :placeholder => "Password"}%>
+            </div>
+            <div class="control-group">
+                <%= f.password_field :password_confirmation, {:class => "input input-block-level", :placeholder => "Confirm Password"}%>
+            </div>
           </div>
-
           <div class="actions">
             <%= f.submit "Submit", {:id => 'submit_button', :class => "btn btn-info btn-large pull-right"} %>
           </div>
           <div class="clearfix"></div>
-        <% end %>
+      <% end %>
 
             </div>
           </div>