team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,086 Commits 1 Branch 0 Tags
384faa5cc6103c23d4113832cd71b65ef1192e69
Commit Graph

63 Commits

Author SHA1 Message Date
cktricky 79c1ddd45d Fixes #165 2016-06-09 22:33:53 -04:00
Al Snow 0cc4980c46 Upgraded rspec-rails from 2.99.0 to 3.4.0 2016-04-14 17:34:27 -04:00
Al Snow fb923baee4 Upgraded rspec 2.14.2 to 2.99.0 2016-03-19 18:33:01 -04:00
mccabe615 7e11dee133 trying to fix the broken specs. still doesn't pass but it may be due to changes in capybara 2015-11-22 14:55:54 -05:00
Al Snow b6d766329c Based on cane gem, removed tab indents and trailing blanks 2015-09-14 10:11:03 -04:00
cktricky a2c4f46c26 I have changed the second visit statement from the root path (/) to the account settings page. The reason is that the submit button is changed via JS but you need to be at the account settings page to see that change 2015-07-06 13:25:46 -04:00
Al Snow 890b77bdaf Upgraded 5 gems by rebuilding Gemfile.lock file 2015-03-28 10:46:52 -04:00
cktricky 48986b1bbb fixes xss spec failure 2015-03-27 15:04:31 -04:00
Al Snow 4bf596f95f Upgraded 1 gem by rebuilding Gemfile.lock file; Added sleep to try to fix fragile spec 2015-03-19 16:51:22 -04:00
Al Snow ca0526ccc9 Upgraded to Rails 4.0.13; Rebuilt Gemfile.lock file 2015-01-10 09:45:51 -05:00
chrismo 73e8ab972b assign_user_id and UserFixture password fixes. 
When the database is empty, which can happen in the test database and in
the dev database if the seeds.rb aren't applied, the assign_user_id
method would not assign an id and the newer before_filter block to
generate_token would fail.

UserFixture had a password on it that wouldn't pass the new validation
rules once that vulnerability is patched.
 2015-01-06 13:21:45 -05:00
Al Snow 0957033457 Upgraded to Ruby 2.1.3; Changed timeout value 2014-09-19 19:00:40 -04:00
Al Snow 74d047507a Changed timeout to 25000 for all envs 2014-09-19 11:12:32 -04:00
Al Snow 1ea0c2ddbb More Rails 4.0 upgrade changes 
1. Compared existing branch with empty Rails 4.0 project and
    made changes as needed.
 2. Fix find/first warning.
 3. Fix sqlite timeout issue.
    -- config/database.yml
    -- spec/vulnerabilities/insecure_dor_spec.rb
 2014-09-13 13:44:07 -04:00
cktricky 4af22d952d fixed broken spec test 2014-04-18 09:25:07 -04:00
cktricky c157496b1e fixed broken spec test by changing the reference to an incorrect location when downloading the database.yml file 2014-04-17 20:17:33 -04:00
cktricky ed73ab47e7 Merge branch 'master' of github.com:OWASP/railsgoat 2014-03-15 14:20:41 -04:00
Al Snow bdc529972d Increase Poltergeist timeout to 60; Rebuild Gemfile.lock file 2014-03-15 12:49:42 -04:00
cktricky a06788ff58 commented out currently unused spec tests for the pay controller and model 2014-03-14 20:30:57 -04:00
cktricky 2c8781ebc1 added a pay controller and model 2014-03-14 20:29:14 -04:00
cktricky caaa3ba96d commented out unused spec tests as well as removed unnecessary require statement 2014-03-14 16:57:55 -04:00
cktricky 932d2304f9 okay first run at making an API for railsgoat 2014-03-12 12:38:41 -04:00
James Espinosa bfa3467107 Remove default RSpec tests to fix build 2013-12-10 23:08:46 -06:00
James Espinosa da1845e8f9 Implement working mailer and controller 2013-12-04 00:57:32 -06:00
James Espinosa 93d7c2bd44 Add mailtrap.io SMTP settings 2013-11-24 23:57:52 -06:00
James Espinosa 69078aa404 Add minor text and typo changes 2013-11-14 15:04:45 -06:00
cktricky f53ab56e92 fixes a bug introduced during the transition from info_disclosure to A6 2013-11-14 11:06:27 -05:00
Mike McCabe e826adadbc removing empty spec 2013-11-13 19:55:49 -05:00
cktricky efcb7b8c4b working on encryption 2013-11-13 18:24:26 -05:00
Mike McCabe 4c6dc24200 removing empty tests 2013-11-12 15:07:21 -05:00
mccabe615 032581b3da Merge pull request #64 from jasnow/master 
Rebuilt Gemfile.lock file. Fixed test by using "$" instead of "@@"
 2013-11-12 12:06:47 -08:00
Mike McCabe f8fbc93c75 adding fix for phantomjs errors on mavericks *crossing fingers* 2013-11-12 14:21:32 -05:00
Al Snow 98ccf0bd41 Rebuilt Gemfile.lock file; Changed "@@" (class var) to "$" (global var) in spec/support/capybara_shared.rb 2013-10-28 19:45:42 -04:00
cktricky 11480ac853 tests are working again, I will work on surpressing the errors. Also merged @jasnow work 2013-10-27 21:46:12 -04:00
cktricky 6d1c0c7869 merging 2013-10-27 20:17:52 -04:00
Mike McCabe b8c400b29d commenting out this test until I can get it to go into failure not pending 2013-10-23 18:28:24 -04:00
Mike McCabe 01458fb0f5 this reduces the error but we still need to rescue the file not found error. for another day. 2013-10-23 18:28:24 -04:00
cktricky 7c1d52320a does not fix the error that occurs (as it should, but that we want to obfuscate) when a command is injected into, however, it does pass the build and does not break the entire call 2013-10-23 17:11:28 -05:00
Al Snow 203a7a244f Added simplecov gem code changes 2013-10-23 10:29:20 -04:00
Mike McCabe a921f2118d minor fix 2013-10-22 17:08:27 -04:00
Mike McCabe 6fa175ac61 a little fix for the error running the command injection spec. basically capturing the error from cp and sending it to the gutter 2013-10-22 11:31:47 -04:00
Mike McCabe 8686f6b9d3 adding messages mvc to allow users to send messages. 2013-10-11 16:03:37 -04:00
Mike McCabe c9231233e5 make test go into pending unless salt attribute defined for travis 2013-10-09 14:24:10 -04:00
Mike McCabe 82387a1f92 updating spec to fail if salt is not defined 2013-10-09 13:18:32 -04:00
Mike McCabe e999c02506 adding password hashing spec 2013-10-09 12:55:00 -04:00
Mike McCabe a93159c9f2 adding launchy 2013-10-09 11:07:13 -04:00
Mike McCabe 9b3181eef9 moving vulnerability tests and adding password complexity test 2013-10-07 15:23:38 -04:00
chrismo 525dfa1717 Added notice and removed spoilers from spec names. 2013-10-03 11:00:43 -05:00
chrismo 4ccdca8984 Fixed model specs, some of which I broke. 
There's a fight here between DatabaseCleaner strategies - simpler to use
the default :transaction for model specs, but Capybara lives in a
different world where different connections are in play and
:transactions don't work. So, while introducing the more cumbersome
(though with more control) DatabaseCleaner gem and its truncation
strategy, I forgot to make sure the model specs had the fixtures present
that they depend on. This is fixed up now.

The user spec for invalid email was also failing - the regex there is
not savvy enough to handle rejecting two @ signs, so I made the invalid
value something still invalid to get it passing -- real regex validation
of email is ... impossible, so we'll roll with this and move on.
 2013-10-02 17:53:12 -05:00
chrismo 911a52ee83 Add pending code to flip-flop results of specs. 
This isn't the cleanest approach, but should be good for now.

Obviously, there are two contexts for these specs: one is from the
maintainer's standpoint, the other is from the trainee who is using
RailsGoat for training.

The maintainer wants all of these specs to pass, to ensure the
vulnerabilities are still functional as vulnerabilities.

The trainee could potentially use these specs (though reading the specs
contains spoilers) to track and verify their fixes.

I've wired in a pending block around each assertion that checks a method
to see what the result of the pending call would be. You can see
examples of how this works with conditions here:
https://www.relishapp.com/rspec/rspec-core/v/2-14/docs/pending/pending-examples

This means these specs will all fail now by default (the trainee
context), but will pass, when vulnerable, if the RAILSGOAT_MAINTAINER
env var is set.

The only flaw at the moment is that in the trainee context, fixing the
vulnerabilities will result in the specs going from failing to
_pending_, not passing (which makes sense, given how we're using RSpec's
pending functionality).

Maybe it'd be simpler/better to have a boolean toggle of our own somehow
wrap the assertions in blocks to do explicitly what we want (flip-flop
the result based on the context).
 2013-10-01 23:26:28 -05:00