From fe9d8b266fc414b2aa265079c821b84d3634635c Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Tue, 12 Nov 2013 18:53:28 -0500
Subject: [PATCH] adding security misconfig text

---
 .../misconfig/_misconfig_first.html.erb       | 23 +++++-
 .../misconfig/_misconfig_second.html.erb      | 80 +++++++++++++++++++
 app/views/tutorials/misconfig.html.erb        |  5 ++
 config/application.rb                         |  2 +-
 config/initializers/html_entities.rb          |  1 +
 5 files changed, 106 insertions(+), 5 deletions(-)
 create mode 100644 app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb
 create mode 100644 config/initializers/html_entities.rb

diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb
index 4c2bdc6..076fab2 100755
--- a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb
+++ b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb
@@ -16,7 +16,7 @@
           </div>
           <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
             <div class="accordion-inner">
-              Under progress...
+              Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
             </div>
           </div>
         </div>
@@ -30,7 +30,15 @@
           </div>
           <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
             <div class="accordion-inner">
-              Under progress...
+              <p>Rails has quite a few security related configurations. One of which relates to enforcing mass assignment protection.<p>
+               <p>
+            <pre class="ruby">
+            <%= %q{
+              config.active_record.whitelist_attributes=false
+            } %>
+         </pre>
+         </p>
+            <p>This configuration forces an application developer to whitelist attributes that can be modified with mass-assignment. When this configuration is set to false <b>any attribute can be mass-assigned.</b></p>
             </div>
           </div>
         </div>
@@ -44,7 +52,14 @@
           </div>
           <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
             <div class="accordion-inner">
-             Under progress...
+             The solution for this issue is quite simple. In your application.rb file set the configuration as follows. 
+            <pre class="ruby">
+            <%= %q{
+              config.active_record.whitelist_attributes=true
+            } %>
+            </pre>
+            Once this configuration is updated to true and the application is restarted, any attributes to be mass-assigned will have to be defined as attr_accessible.
+         </p>
             </div>
           </div>
         </div>
@@ -58,7 +73,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
             <div class="accordion-inner">
-             Under progress...
+             It has to do with mass-assignment, whitelisting and configuration. 
             </div>
           </div>
         </div>
diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb
new file mode 100644
index 0000000..db874d7
--- /dev/null
+++ b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb
@@ -0,0 +1,80 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+              Another one of the Rails security configurations relates to escaping HTML entities in JSON.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+              <p>When the following setting is set to false, HTML entities in JSON response will not be encoded.<p>
+               <p>
+            <pre class="ruby">
+            <%= %q{
+              ActiveSupport::escape_html_entities_in_json = false
+            } %>
+         </pre>
+         </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+            <p>Edit the html_entities file at config/initializers/html_entities.rb and set the following to true.</p>
+            <p><pre class="ruby">
+            <%= %q{
+              ActiveSupport::escape_html_entities_in_json = true
+            } %>
+            </pre></p>
+            <p>Once the initializer is edited and the application is restarted, any HTML entities in JSON responses will be encoded.</p>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+             Think HTML entities, escaping and initializers. 
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/misconfig.html.erb b/app/views/tutorials/misconfig.html.erb
index da9c0fc..e7cf527 100755
--- a/app/views/tutorials/misconfig.html.erb
+++ b/app/views/tutorials/misconfig.html.erb
@@ -5,6 +5,11 @@
 		      <%= render :partial => "layouts/tutorial/misconfig/misconfig_first"%>
 		    </div> <!-- End Span12-->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12-->
+		      <%= render :partial => "layouts/tutorial/misconfig/misconfig_second"%>
+		    </div> <!-- End Span12-->
+		</div>		
 	</div>
 </div>
 
diff --git a/config/application.rb b/config/application.rb
index 1d45be7..700c154 100755
--- a/config/application.rb
+++ b/config/application.rb
@@ -40,7 +40,7 @@ module Railsgoat
     config.filter_parameters += [:password]
 
     # Enable escaping HTML in JSON.
-    config.active_support.escape_html_entities_in_json = false
+    #config.active_support.escape_html_entities_in_json = false
 
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
diff --git a/config/initializers/html_entities.rb b/config/initializers/html_entities.rb
new file mode 100644
index 0000000..a4df94a
--- /dev/null
+++ b/config/initializers/html_entities.rb
@@ -0,0 +1 @@
+ActiveSupport::escape_html_entities_in_json = false