Ken Johnson
9f157012b0
Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025
This commit adds comprehensive coverage of OWASP Top 10 2025 categories,
implementing both ReDoS (A05:2025) and Software Supply Chain (A03:2025)
vulnerabilities for educational purposes.
## New Vulnerabilities Added
### A05:2025 - Injection (ReDoS)
- Implemented three ReDoS endpoints in TutorialsController:
  - POST /tutorials/redos_email - Vulnerable email regex with nested quantifiers
  - POST /tutorials/redos_username - Classic (a+)+ pattern
  - POST /tutorials/redos_email_safe - Secure version using URI::MailTo::EMAIL_REGEXP
- Added Regexp.timeout = 1.0 configuration (Rails 8 protection)
- All endpoints include timing and error handling demonstrations
### A03:2025 - Software Supply Chain Failures
- Demonstrated missing SRI on CDN assets in application.html.erb
- Added educational endpoints:
  - GET /tutorials/supply_chain - Comprehensive supply chain vulnerabilities overview
  - GET /tutorials/check_dependencies - Dependency scanning simulation
- Covers: Missing SRI, outdated dependencies, no SBOM, insecure gem sources
## Files Changed
### New Files
- config/initializers/regexp_timeout.rb: Enables Rails 8 ReDoS protection
- spec/controllers/tutorials_controller_spec.rb: 23 passing tests for all endpoints
### Modified Files
- app/controllers/tutorials_controller.rb: Added 5 new educational endpoints
- app/views/layouts/application.html.erb: Added CDN assets WITHOUT SRI (intentional vuln)
- config/routes.rb: Added routes for ReDoS and supply chain endpoints
## Test Coverage
- 23 RSpec tests covering both ReDoS and A03 vulnerabilities
- Tests validate vulnerability behavior, error handling, and educational content
- All tests passing
## Educational Value
- Demonstrates OWASP 2025 categories A03 and A05
- Shows both vulnerable and secure implementations
- Includes real-world CVE examples (British Airways, Magecart)
- Provides mitigation guidance and tool recommendations
This completes 100% coverage of OWASP Top 10 2025 categories in RailsGoat Rails 8.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-06 15:11:54 -05:00
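As an added example (not code from the RailsGoat commit above), this is the shape of the "timing and error handling" a ReDoS endpoint needs: match under a per-pattern timeout, classify the result as match, no match or timeout, and measure how long it took. The two vulnerable patterns and the attacker payload are assumptions reconstructed from the message; `URI::MailTo::EMAIL_REGEXP` is the real stdlib constant the safe endpoint uses. Two caveats the message does not make: `Regexp.timeout=` and `Regexp.new(..., timeout:)` are Ruby 3.2 features rather than Rails 8 ones, and since 3.2 Ruby's memoizing matcher already runs plain nested quantifiers such as `(a+)+` in linear time, so the timeout is the safety net for patterns the optimizer cannot memoize (backreferences, lookarounds, atomic groups). The block reports `Regexp.linear_time?` where available so the difference is visible.

```ruby
# Added example, not RailsGoat code: bound regex matching with Ruby's match
# timeout and report what happened. Regexp.timeout= and Regexp.new(timeout:)
# are Ruby 3.2+ features (Rails 8 requires Ruby >= 3.2, so an initializer
# can rely on them).
require "uri"

# Patterns reconstructed from the commit's description (assumptions):
# the classic nested quantifier, and the same shape with a backreference,
# which opts the pattern out of Ruby 3.2's memoizing matcher.
CLASSIC_REDOS = '\A(a+)+\z'
BACKREF_REDOS = '\A(a+)+\1\z'
# The stdlib email regex the commit's safe endpoint uses: anchored, with no
# nested unbounded quantifiers.
SAFE_EMAIL = URI::MailTo::EMAIL_REGEXP

# Constructed attacker input: a run of 'a's ending in a character that
# guarantees the overall match fails, so the engine has to backtrack through
# every way of splitting the run. Kept short so an unbounded match still ends.
REDOS_PAYLOAD = ("a" * 22) + "!"

# Build a Regexp with a per-pattern timeout when the interpreter supports it.
# On Ruby < 3.2 the pattern comes back unbounded, which is exactly the state
# the commit's regexp_timeout.rb initializer exists to remove.
def build_regexp(source, timeout:)
  return Regexp.new(source, timeout: timeout) if Regexp.respond_to?(:timeout=)
  Regexp.new(source)
end

# Match and classify: returns [outcome, elapsed_seconds] with outcome one of
# :match, :no_match or :timeout. A controller would turn :timeout into a 4xx
# instead of letting the request pin a Puma thread.
def guarded_match(regex, input)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  outcome =
    begin
      regex.match?(input) ? :match : :no_match
    rescue Regexp::TimeoutError
      :timeout
    end
  [outcome, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
end

# Ruby 3.2+ can say up front whether a pattern is guaranteed linear time.
# Returns nil on older interpreters that lack Regexp.linear_time?.
def linear_time?(regex)
  Regexp.respond_to?(:linear_time?) ? Regexp.linear_time?(regex) : nil
end

if __FILE__ == $PROGRAM_NAME
  {
    "classic (a+)+"             => build_regexp(CLASSIC_REDOS, timeout: 0.2),
    "(a+)+ with backreference"  => build_regexp(BACKREF_REDOS, timeout: 0.2),
    "URI::MailTo::EMAIL_REGEXP" => SAFE_EMAIL,
  }.each do |name, re|
    outcome, secs = guarded_match(re, REDOS_PAYLOAD)
    printf("%-26s linear_time?=%-5s %-9s %.4fs\n",
           name, linear_time?(re).inspect, outcome, secs)
  end
end
```

Run it under Ruby 3.2 or later to see the classic pattern report `linear_time?=true` and finish in microseconds, while the backreference variant reports `false` and is cut off by the 0.2 s timeout; a project-wide `Regexp.timeout = 1.0` in an initializer gives every pattern without its own `timeout:` the same protection.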
Ken Johnson
f716836c15
Upgrade to Ruby 3.3.6 and Rails 8.0.4
This major upgrade brings RailsGoat up to date with the latest versions:
- Ruby 2.6.5 → 3.3.6
- Rails 6.0.0 → 8.0.4
## Key Changes
### Dependencies
- Upgraded all gems to Rails 8-compatible versions
- Removed deprecated gems: therubyracer, coffee-rails, poltergeist,
travis-lint, rails-perftest, unicorn, powder, rubocop-github
- Updated puma to 6.6.1, sqlite3 to 2.8.1, rspec-rails to 8.0.2
- Added modern Rails 8 features: importmap-rails, stimulus-rails, turbo-rails
- Replaced poltergeist with selenium-webdriver for integration tests
### Code Changes
- Converted CoffeeScript files to plain JavaScript
- Updated test configuration to use Selenium headless driver
- Updated database schema to Rails 8 format
## Testing
- Application starts successfully and responds to requests
- Test suite runs with 23 examples (14 intentional vulnerability failures)
- Database migrations applied successfully
## Notes
This upgrade maintains all intentional security vulnerabilities that make
RailsGoat an effective training tool. The failing tests are expected and
demonstrate the vulnerabilities the application is designed to teach.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-04 15:30:49 -05:00
Ken Johnson
dc91666d3a
Merge pull request #475 from arkid15r/turbolift-owasp-backronym
Update OWASP backronym: Web -> Worldwide
2025-12-04 13:14:58 -05:00
Arkadii Yakovets
215116728d
Update OWASP backronym: Web -> Worldwide
2025-12-03 08:40:05 -08:00
Ken Johnson
c1e8ff1e3b
Merge pull request #406 from tdtds/improve_a11y
improve accessibility
2022-08-16 18:43:54 -04:00
Ken Johnson
fe7d6d7e77
Merge pull request #407 from tdtds/fix/api
fix API that does not work
2022-08-16 18:41:28 -04:00
Ken Johnson
9752016533
Merge pull request #429 from horvatic/master
add setup for Mac Apple Silicon
2022-08-16 18:38:35 -04:00
horvatic
3ebae3dd03
add setup for Mac Apple Silicon
2022-03-15 20:11:46 +00:00
Ken Johnson
d2338f7a9a
Merge pull request #405 from tkmru/fix-bundle-mimemagic
Update bundler version for docker-compose build & mimemagic GPL version
2021-05-24 10:02:28 -04:00
Tada, Tadashi
ad708f5546
fix API that does not work
2021-04-30 17:39:10 +09:00
Tada, Tadashi
27f02c2dc9
improve accessibility
* add 'aria-label' to some elements without a label
* add 'aria-label' to some visual elements
* replace some 'a' elements that have a button action with 'button'
2021-04-30 17:23:48 +09:00
tkmru
9d606742fb
fix bundle version & mimemagic GPL version
2021-04-27 15:31:05 +09:00
Ken Johnson
87846e6cda
Merge pull request #391 from OWASP/dependabot/bundler/nokogiri-1.10.10
Bump nokogiri from 1.10.5 to 1.10.10
2020-12-21 13:23:35 -05:00
Ken Johnson
7745555584
Merge pull request #388 from eliblock/eb-hint-password-policy
feat: add password minimum to placeholder text
2020-12-21 13:23:15 -05:00
dependabot[bot]
798ac4753d
Bump nokogiri from 1.10.5 to 1.10.10
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.5 to 1.10.10.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.5...v1.10.10)
Signed-off-by: dependabot[bot] <support@github.com>
2020-12-21 18:22:41 +00:00
Ken Johnson
1ea084730f
Merge pull request #386 from OWASP/dependabot/bundler/rack-2.2.3
Bump rack from 2.0.7 to 2.2.3
2020-12-21 13:22:26 -05:00
Ken Johnson
1ec342512b
Merge pull request #385 from OWASP/dependabot/bundler/puma-4.3.5
Bump puma from 4.2.1 to 4.3.5
2020-12-21 13:22:05 -05:00
Ken Johnson
45a394487f
Merge pull request #384 from OWASP/dependabot/bundler/websocket-extensions-0.1.5
Bump websocket-extensions from 0.1.4 to 0.1.5
2020-12-21 13:21:46 -05:00
Ken Johnson
c18849db12
Merge pull request #389 from OWASP/dependabot/bundler/json-2.3.1
Bump json from 2.2.0 to 2.3.1
2020-12-21 13:21:28 -05:00
dependabot[bot]
144659d528
Bump json from 2.2.0 to 2.3.1
Bumps [json](https://github.com/flori/json) from 2.2.0 to 2.3.1.
- [Release notes](https://github.com/flori/json/releases)
- [Changelog](https://github.com/flori/json/blob/master/CHANGES.md)
- [Commits](https://github.com/flori/json/compare/v2.2.0...v2.3.1)
Signed-off-by: dependabot[bot] <support@github.com>
2020-07-28 04:01:07 +00:00
Eli Block
5f15cabfd2
feat: add password minimum to placeholder text
2020-07-09 15:03:54 -07:00
dependabot[bot]
0802d0021f
Bump rack from 2.0.7 to 2.2.3
Bumps [rack](https://github.com/rack/rack) from 2.0.7 to 2.2.3.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/2.0.7...2.2.3)
Signed-off-by: dependabot[bot] <support@github.com>
2020-06-25 01:55:32 +00:00
dependabot[bot]
0281a360ee
Bump puma from 4.2.1 to 4.3.5
Bumps [puma](https://github.com/puma/puma) from 4.2.1 to 4.3.5.
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](https://github.com/puma/puma/commits)
Signed-off-by: dependabot[bot] <support@github.com>
2020-06-23 18:50:37 +00:00
dependabot[bot]
326e97082b
Bump websocket-extensions from 0.1.4 to 0.1.5
Bumps [websocket-extensions](https://github.com/faye/websocket-extensions-ruby) from 0.1.4 to 0.1.5.
- [Release notes](https://github.com/faye/websocket-extensions-ruby/releases)
- [Changelog](https://github.com/faye/websocket-extensions-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/faye/websocket-extensions-ruby/compare/0.1.4...0.1.5)
Signed-off-by: dependabot[bot] <support@github.com>
2020-06-23 18:50:36 +00:00
Ken Johnson
ef9ec5929e
merged in Ken Toler's PR without the updated Gemfile.lock - whoops
2020-06-18 13:54:35 -04:00
Ken Johnson
7f05a48649
Merge pull request #376 from relotnek/openshift
Added Openshift Support
2020-06-18 13:03:56 -04:00
Ken Johnson
89af66d70c
Merge pull request #383 from presidentbeef/center_that_company_name
Center that company name
2020-06-18 13:02:36 -04:00
Ken Toler
77a223b385
Document Dockerfile changes
2020-06-08 19:39:20 -04:00
Ken Toler
438945cb57
Openshift specific Dockerfile
2020-06-08 19:27:09 -04:00
Ken Toler
5a375752b3
Merge remote-tracking branch 'upstream/master' into openshift
2020-06-08 19:13:53 -04:00
Justin Collins
a2aa0f1eb7
Center company name on login page
2020-05-13 17:26:33 -07:00
Justin Collins
8aebfbcc11
Center company name on password reset pages
2020-05-13 17:22:53 -07:00
Ken Toler
e53e47d252
fixing Dockerfile mistakes so that it will build
2020-04-17 16:03:25 -04:00
Ken Toler
63737625b5
minor mistake with permission order in Dockerfile
2020-04-17 16:00:51 -04:00
Ken Toler
4cc0a8f96c
updated Gemfile to include openshift group
2020-04-17 15:56:48 -04:00
Ken Toler
cc0ff6055b
added openshift group to dockerfile
2020-04-17 15:42:06 -04:00
Ken Toler
11819bf14c
Squashing changes associated with pg
2020-04-17 15:38:24 -04:00
Ken Johnson
df1bae06b9
Merge pull request #379 from presidentbeef/strip_whitespace_email_at_login
Strip whitespace from email when logging in
2020-04-05 13:13:25 -04:00
Ken Johnson
55b4e21dc5
Merge pull request #380 from presidentbeef/fix_alert_box_profile_settings
Fix alert box on account settings
2020-04-05 13:12:51 -04:00
Ken Johnson
e93e28d762
Merge pull request #381 from presidentbeef/fix_bonus_html
Add missing < on bonus work info
2020-04-05 13:12:03 -04:00
Justin Collins
de04f0fff1
Fix missing < on bonus work info
Plus some whitespace adjustment for clarity
2020-03-27 09:43:51 -07:00
Justin Collins
d25e62db1c
Fix alert boxes on bank account settings page
2020-03-26 10:50:41 -07:00
Justin Collins
fc77a98461
Fix alert box on account settings
Remove unnecessary divs that were adding extra whitespace to top of page
2020-03-25 11:57:59 -07:00
Justin Collins
6acf74aa35
Strip whitespace from email when logging in
Makes it a little easier to copy-paste credentials
2020-03-25 11:22:20 -07:00
Ken Johnson
ce7482aec6
Merge pull request #372 from rifkinni/clean_up_specs
Clean up specs
2020-03-19 12:43:49 -04:00
Ken Johnson
415c771da2
Merge pull request #378 from presidentbeef/remove_dashboard_readme_link
Remove unused dashboard README link
2020-03-19 12:28:32 -04:00
Ken Johnson
9ebaf18d58
Merge pull request #377 from presidentbeef/fix_decryption_iv
Fix decryption IV
2020-03-19 12:27:30 -04:00
Justin Collins
4c7286d088
Remove unused dashboard README link
2020-03-18 14:17:55 -07:00
Justin Collins
7e25fd0f6c
Fix decryption IV
2020-03-18 09:12:58 -07:00
Ken Toler
0dd2ed173c
updated Gemfile.lock
2020-03-01 16:00:39 -05:00