Ken Johnson
decf82962d
Simplify admin user editing - remove modal, use regular CRUD pages
Remove complex modal implementation and replace with simple page navigation:
- Convert get_user view from modal partial to full edit page
- Add proper form with Bootstrap 5 styling
- Link directly from users list to edit page
- Update controller actions to redirect instead of returning JSON
- Add flash messages for success/error feedback
- Remove all modal JavaScript and markup
- Remove modal CSS and backdrop handling
Benefits:
- Much simpler and more maintainable
- No JavaScript errors or complexity
- Standard Rails CRUD pattern
- Better user experience with proper navigation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 22:26:17 +00:00
Ken Johnson
feba9b7889
Replace modal with dedicated credentials page
Removed complex modal implementation and replaced with simple
link to dedicated credentials page to eliminate all modal issues.
Changes:
- Add credentials action to TutorialsController
- Remove layout false restriction for credentials
- Replace button with simple link_to for Demo Credentials
- Remove entire modal HTML structure
- Remove all JavaScript for modal initialization
- Remove fetch/AJAX complexity
The credentials view already existed but was modal-only. Now it's
a proper page that users can navigate to directly. Much simpler!
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 01:50:54 -05:00
Ken Johnson
9f157012b0
Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025
This commit adds comprehensive coverage of OWASP Top 10 2025 categories,
implementing both ReDoS (A05:2025) and Software Supply Chain (A03:2025)
vulnerabilities for educational purposes.
## New Vulnerabilities Added
### A05:2025 - Injection (ReDoS)
- Implemented three ReDoS endpoints in TutorialsController:
- POST /tutorials/redos_email - Vulnerable email regex with nested quantifiers
- POST /tutorials/redos_username - Classic (a+)+ pattern
- POST /tutorials/redos_email_safe - Secure version using URI::MailTo::EMAIL_REGEXP
- Added Regexp.timeout = 1.0 configuration (Rails 8 protection)
- All endpoints include timing and error handling demonstrations
### A03:2025 - Software Supply Chain Failures
- Demonstrated missing SRI on CDN assets in application.html.erb
- Added educational endpoints:
- GET /tutorials/supply_chain - Comprehensive supply chain vulnerabilities overview
- GET /tutorials/check_dependencies - Dependency scanning simulation
- Covers: Missing SRI, outdated dependencies, no SBOM, insecure gem sources
## Files Changed
### New Files
- config/initializers/regexp_timeout.rb: Enables Rails 8 ReDoS protection
- spec/controllers/tutorials_controller_spec.rb: 23 passing tests for all endpoints
### Modified Files
- app/controllers/tutorials_controller.rb: Added 5 new educational endpoints
- app/views/layouts/application.html.erb: Added CDN assets WITHOUT SRI (intentional vuln)
- config/routes.rb: Added routes for ReDoS and supply chain endpoints
## Test Coverage
- 23 RSpec tests covering both ReDoS and A03 vulnerabilities
- Tests validate vulnerability behavior, error handling, and educational content
- All tests passing
## Educational Value
- Demonstrates OWASP 2025 categories A03 and A05
- Shows both vulnerable and secure implementations
- Includes real-world CVE examples (British Airways, Magecart)
- Provides mitigation guidance and tool recommendations
This completes 100% coverage of OWASP Top 10 2025 categories in RailsGoat Rails 8.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-06 15:11:54 -05:00
Tada, Tadashi
ad708f5546
fix: API does not work
2021-04-30 17:39:10 +09:00
Justin Collins
6acf74aa35
Strip whitespace from email when logging in
Makes it a little easier to copy-paste credentials
2020-03-25 11:22:20 -07:00
Al Snow
23d145129d
Upgraded Ruby to 2.7.0-preview1 and Rails to 6.0.0 - fixed 1 spec
2019-09-09 15:13:29 -04:00
Al Snow
b8262ecb0a
Fixed rubocop messages
2018-03-08 17:02:24 -05:00
Joseph Mastey
bb863f5156
appease our new robot overlords.
(I voted for Krang)
2017-12-12 21:00:45 -06:00
Joseph Mastey
4587a5ff67
more fixes for tests post-merge
2017-12-12 15:25:37 -06:00
Joseph Mastey
b6c2259b88
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
Joseph Mastey
6e0a0a8312
feat(cops): clean rubocop run
1. ignoring one file because it's an intentional vuln
2. made a few small semantic changes, but verified that they're equivalent.
2017-12-06 17:14:25 -06:00
Joseph Mastey
9902345291
chore(rubocop): giganto rubocop commit.
muahahahah
2017-12-05 18:46:21 -06:00
Ken Johnson
b6d5fbbc3a
Merge pull request #276 from jmmastey/fix-password-reset-path
Awesome @jmmastey. I think we went with a match route, later changed it as match was *sorta-ish* deprecated in Rails 4+. Anyways, believe those changes might have caused some issues.
Either way, verified everything worked locally and performed PR. Thanks again!
2017-10-11 11:20:15 -04:00
Joseph Mastey
97e8b82e0c
bug(password): fixes URL for password reset
2017-10-06 19:52:37 -05:00
cktricky
f5cfec3bf4
Merge branch 'add-test-case-for-a1-field-injection' of https://github.com/jmmastey/railsgoat into jmmastey-add-test-case-for-a1-field-injection
2017-10-02 19:06:11 -04:00
Ken Johnson
e139019c4c
Merge pull request #271 from jmmastey/dont-reencrypt-password
fix user password field to not accidentally re-encrypt itself on save
2017-10-02 18:58:02 -04:00
Joseph Mastey
d3fce41e60
change to idiomatic use of layouts versus regular views
No functional change here, but familiar Rails users will see view files in the
locations they expect. This also slightly simplifies controller code.
There is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
2017-09-27 19:22:44 -05:00
Joseph Mastey
8b2f93516d
fix user password field to not accidentally re-encrypt itself on save
currently this is flagged manually in one place, but there's no reason not to
let the user model handle it. this way, you can update your user model from a
console or some other area without accidentally changing your password.
2017-09-27 18:57:40 -05:00
cktricky
1ead42626e
I have moved the build_benefits_data invocation from the controller to the model using before_create. This has not affected behavior afaict. Tested by running rake db:drop db:setup and RAILSGOAT_MAINTAINER=yes rake (all tests passed).
2017-09-19 11:21:08 -04:00
Joseph Mastey
ca9ddb6a14
bug(rails): fix incompatibility with Rails 5
2017-09-18 20:08:02 -05:00
Joseph Mastey
11ab30eb90
bug(pto): fix issue where not having a PTO record causes the app to barf
closes #187
2017-09-18 12:43:47 -05:00
Joseph Mastey
d51f48f2d9
Fixes several issues with version migration.
2017-01-29 18:08:44 -06:00
Joseph Mastey
c310273606
upgrade(rails 5): change before_filter to before_action
2017-01-19 13:59:14 -06:00
cktricky
7f5af27478
removed comments and Fixed Issue #184
2016-04-19 08:43:18 -04:00
yuji.matsunaga
2919d57945
fixed messages create error
2016-04-07 16:49:22 +09:00
cktricky
55ceb1ad59
removing render vuln since we are no longer vulnerable to it
2016-03-10 09:46:12 -05:00
Henry Jenkins
e49dfd5bb4
Added DOS vulnerability
Added a sleep to the show messages page to show how using slow blocking
methods can allow DOS to occur.
2016-02-18 22:01:37 -05:00
Al Snow
b6d766329c
Based on cane gem, removed tab indents and trailing blanks
2015-09-14 10:11:03 -04:00
cktricky
cdbf2d7d92
mass assignment vulnerability, how it manifests in Rails 4
2015-08-18 20:23:35 -04:00
cktricky
1e5962a1ca
Revert "not sure why this was removed in the first place"
This reverts commit b89f520a7d.
2015-07-10 17:52:37 -04:00
cktricky
b89f520a7d
not sure why this was removed in the first place
2015-07-10 17:38:37 -04:00
cktricky
5945b4956d
better spacing while troubleshooting
2015-07-03 11:49:10 -04:00
Al Snow
890b77bdaf
Upgraded 5 gems by rebuilding Gemfile.lock file
2015-03-28 10:46:52 -04:00
cktricky
efe81fb6a6
okay, a lot of changes but this basically gets us out of tutorials being hosted locally
2015-03-25 19:32:12 -04:00
cktricky
f8c771a84b
Merge branch 'master' of github.com:OWASP/railsgoat into tuts
2015-03-20 18:46:51 -04:00
Al Snow
9e7eb02cde
Merge branch 'master' of https://github.com/OWASP/railsgoat
Conflicts:
Gemfile.lock
2015-02-26 09:13:15 -05:00
Mike McCabe
1eee953f62
adding render vuln
2015-02-23 20:36:53 -05:00
cktricky
09ba2b3270
going to dynamically load the tutorial page depending on the route folks decide to take
2015-01-06 19:43:23 -05:00
Al Snow
80e1ede02b
Added Fred's Strong Parameter work
2014-12-28 17:20:39 -05:00
Fred Nixon
ea8e9901f4
On branch strong-params
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
Al Snow
789ccff349
Upgraded 2 gems by rebuilding Gemfile.lock file; Fixed find/first dep warning #158
2014-10-10 15:38:00 -04:00
Al Snow
d6a6864f73
Undid my find/first fix
2014-09-17 14:11:01 -04:00
Al Snow
1ea0c2ddbb
More Rails 4.0 upgrade changes
...
1. Compared existing branch with empty Rails 4.0 project and
made changes as needed.
2. Fix find/first warning.
3. Fix sqlite timeout issue.
-- config/database.yml
-- spec/vulnerabilities/insecure_dor_spec.rb
2014-09-13 13:44:07 -04:00
Al Snow
23513cf8d2
Initial Rails 4.0.x upgrade
2014-09-07 13:00:54 -04:00
cktricky
88ed0e2b50
need to create the bar graph version, write up the remaining parts of the tutorial, and ensure it did not break the DOM vuln
2014-07-29 17:56:33 -05:00
James Espinosa
561e404e29
Fixes #142 with dynamic ActionMailer url options
2014-07-25 23:04:19 -05:00
cktricky
b5c202ef40
Resolves issue #138
2014-07-11 06:38:36 -04:00
James Espinosa
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
James Espinosa
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
cktricky
8ed2714f3f
changed constantize to metaprogramming for the addition of tutorials specific to metaprogramming flaws. In addition, the messages portion of the app needed some generic TLC so I have removed the "new" view in order to bring that functionality into the seed message page/view.
2014-05-20 14:25:45 -04:00