Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."
Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.
Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
in 11 vulnerability spec files:
- broken_auth_spec.rb
- command_injection_spec.rb
- csrf_spec.rb
- insecure_dor_spec.rb
- mass_assignment_spec.rb
- password_complexity_spec.rb
- sensitive_data_exposure.rb
- sql_injection_spec.rb
- unvalidated_redirects_spec.rb
- url_access_spec.rb
- xss_spec.rb
Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode
Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This addresses the remaining test failures @jasnow reported in issue #486.
Fixes:
1. Ambiguous Login button - Changed from click_button "Login" to
find("input[type='submit'][value='Login']").click to specifically
target the form submit button and avoid the header Login button
2. Fixed password_complexity_spec field names:
- user_email → email
- user_first_name → first_name
- user_last_name → last_name
- user_password → password
- user_password_confirmation → password_confirmation
- Submit → Create Account (correct button text)
3. Applied same selector fix to login helper in capybara_shared.rb
These changes complete the test suite fixes for the new UI that was
introduced in the file upload UX improvements.
Related: #486🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The password_hashing_spec was using 'pending unless verifying_fixed?' which caused
confusing output in maintainer mode:
- Before: "1 example, 0 failures, 1 pending" with "(compared using ==)" message
- After: "1 example, 0 failures" - clean output
The spec now uses conditional expectations:
- Training mode: expects password is NOT MD5 hashed (test fails, vulnerability exists)
- Maintainer mode: expects password IS MD5 hashed (test passes, verifies vulnerability)
This addresses the "(compared using ==)" error message that @jasnow reported in issue #486.
Related to #486
* use bang version of save methods in the seeds file, so that when you fix validation,
it will at least explode, rather than silently failing to create users
* fix two tests where passwords are hardcoded so that they use stronger passwords,
since password complexity is not the important bit of either of those tests.
Ken Johnson