1ead42626e
I have moved the build_benefits_data invocation from the controller to the model using before_create. This has not affected behavior afaict. Tested by running rake db:drop db:setup and RAILSGOAT_MAINTAINER=yes rake (all tests passed).
2017-09-19 11:21:08 -04:00
692fb99e51
upgrade(rails 5): add application record
2017-01-19 13:55:03 -06:00
7f5af27478
removed comments and Fixed Issue #184
2016-04-19 08:43:18 -04:00
ca0526ccc9
Upgraded to Rails 4.0.13; Rebuilt Gemfile.lock file
2015-01-10 09:45:51 -05:00
73e8ab972b
assign_user_id and UserFixture password fixes.
...
When the database is empty, which can happen in the test database and in
the dev database if the seeds.rb aren't applied, the assign_user_id
method would not assign an id and the newer before_filter block to
generate_token would fail.
UserFixture had a password on it that wouldn't pass the new validation
rules once that vulnerability is patched.
2015-01-06 13:21:45 -05:00
ea8e9901f4
On branch strong-params
...
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
7e38ac845f
oops, omitted a couple important features/vulnerabilities
2014-09-11 11:13:15 -04:00
ef2bc20c97
working on the httponly tutorial
2014-09-11 11:01:56 -04:00
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
2c8781ebc1
added a pay controller and model
2014-03-14 20:29:14 -04:00
7823eadf3c
first round of tests look okay, now we can re-use this function :-)
2014-03-14 16:32:44 -04:00
62920b535c
Merge branch 'master' of github.com:OWASP/railsgoat into pr-96
2014-03-14 14:00:56 -04:00
d0e825fc17
making sure this is up to date
2014-03-14 14:00:51 -04:00
48ddc99955
some basic api functionality with a few gotchas
2014-03-12 17:45:08 -04:00
4e6006dcc8
added before_create generate token to user model
2014-03-11 20:29:43 -04:00
e7c30151d4
added token to users model and generate token method to users controller
2014-03-11 20:28:15 -04:00
84fd9503ca
Removed duplicated code from exemplary validations for password
2014-03-06 19:40:33 +01:00
b84c8d4cc7
finished write-up for broken auth
2013-11-14 10:47:27 -05:00
b605a42812
got the code kicked off so we can encrypt SSN(s) in the database
2013-11-13 19:51:42 -05:00
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
8c17a3df0e
adding messaging function, needs tests...
2013-10-13 21:49:17 -04:00
dbd0c2548d
making full_name method public
2013-10-11 16:03:37 -04:00
e2c4fb4bd8
change to the user model based on a merge with master. Master is the correct code
2013-10-11 12:04:19 -04:00
da061c79b6
intended to remove some of the weirdness when updating a users account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point although that may end up screwing up the intent of the particular tutorial item
2013-09-30 13:03:03 -04:00
ef8a9c1a46
merged with master
2013-09-27 21:55:50 -04:00
e0bca0139e
Added command injection Capybara spec.
2013-09-27 14:59:30 -05:00
c56dbe54a7
no change really
2013-09-11 10:58:46 -04:00
d5801f0684
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-09-10 13:31:48 -04:00
69c180e845
minor changes to spec_helper and user model
2013-09-06 15:54:06 -04:00
bc74edf28d
lastest work towards the secure_compare tutorial
2013-08-18 20:10:36 -04:00
3c7a3fc9e4
still working on the timing attack prevention tutorial
2013-08-18 17:39:13 -04:00
979b6a229a
working on avoiding timing attacks piece
2013-08-17 21:27:33 -04:00
65eb2caeaf
made a suggestion based on digininjas comment on Rails tutorials blog post. Better to change method name to hash_password than encrypt_password
2013-08-08 16:57:58 -04:00
e1dfb8309c
finished the write-up for crytpo vuln, close issue #5
2013-06-03 18:08:21 -04:00
0b09e0d4c1
added the primary insecure crypto storage vuln
2013-06-03 12:52:24 -04:00
912c34a26e
finished the writeup for password complexity
2013-06-03 01:11:51 -04:00
06dce1f8b2
I believe this has resolved the dependent destruction and we can close issue #18
2013-06-02 13:08:56 -04:00
0319cc4768
added a few things here. Firstly, I fixed the broken delete function with the admin page. Secondly, whenever you register for this application, we will automatically populate your user data to make the application functional. Seemed like the easiest way to do this
2013-06-01 00:19:07 -04:00
4813ba9349
added visualization chart for performance history
2013-05-31 15:20:58 -04:00
379c442049
I have added the performance model, controller, route and seed data, now I am working on the actual visual aspects of the page
2013-05-31 14:45:31 -04:00
97ca13632d
removed mass assignment of user_id in the users model
2013-05-31 11:08:38 -04:00
08a8c60276
added route, controller, model, sidebar link, and basic index page for the work info section so that we can render user data
2013-05-31 10:48:20 -04:00
af763d40bf
added the PTO section
2013-05-24 20:54:07 -04:00
b59c85fade
I feel like this is fairly important to make sure we avoid causing headaches, lol
2013-05-24 19:19:37 -04:00
471c5851c7
okay, so, we have associations rocking
2013-05-24 19:15:36 -04:00
0d841124f5
assigned a user id, does not "appear" to have screwed anything up
2013-05-24 15:25:06 -04:00
dbbb2ce651
finished the first instance of broken auth and sess mgmt
2013-05-23 20:06:24 -04:00
671095e030
added a vuln for broken auth and session mgmt, issue #2
2013-05-21 00:58:11 -04:00
5fd72fcd6f
update users info via ajax is working, yay. Next thing is we need to move the datatables into an ajax call and so that we can refresh the table upon any changes occuring
2013-05-20 16:31:59 -04:00
cktricky