Joseph Mastey
6e0a0a8312
feat(cops): clean rubocop run
...
1. ignoring one file because it's an intentional vuln
2. made a few small semantic changes, but verified that they're equivalent.
2017-12-06 17:14:25 -06:00
Joseph Mastey
9902345291
chore(rubocop): giganto rubocop commit.
...
muahahahah
2017-12-05 18:46:21 -06:00
Ken Johnson
b6d5fbbc3a
Merge pull request #276 from jmmastey/fix-password-reset-path
...
Awesome @jmmastey. I think we went with a match route, later changed it as match was *sorta-ish* deprecated in Rails 4+. Anyways, believe those changes might have caused some issues.
Either way, verified everything worked locally and performed PR. Thanks again!
2017-10-11 11:20:15 -04:00
Joseph Mastey
97e8b82e0c
bug(password): fixes URL for password reset
2017-10-06 19:52:37 -05:00
cktricky
f5cfec3bf4
Merge branch 'add-test-case-for-a1-field-injection' of https://github.com/jmmastey/railsgoat into jmmastey-add-test-case-for-a1-field-injection
2017-10-02 19:06:11 -04:00
Ken Johnson
e139019c4c
Merge pull request #271 from jmmastey/dont-reencrypt-password
...
fix user password field to not accidentally re-encrypt itself on save
2017-10-02 18:58:02 -04:00
Joseph Mastey
d3fce41e60
change to idiomatic use of layouts versus regular views
...
No functional change here, but familiar Rails users will see view files in the
locations they expect. This also slightly simplifies controller code.
There is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
2017-09-27 19:22:44 -05:00
Joseph Mastey
8b2f93516d
fix user password field to not accidentally re-encrypt itself on save
...
Currently this is flagged manually in one place, but there's no reason not to
let the user model handle it. This way, you can update your user model from a
console or some other area without accidentally changing your password.
2017-09-27 18:57:40 -05:00
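The failure mode this commit fixes, as an added example that is not RailsGoat's code: a `before_save` hook that hashes whatever sits in the password field will hash the stored digest again on any later save (an unrelated console update, for instance), after which the real password no longer authenticates. The model classes, the SHA-256 scheme and the hand-rolled dirty flag below are assumptions chosen so the example runs without Rails.

```ruby
require "digest"

# Hashing scheme assumed for the illustration; RailsGoat's own scheme is not shown here.
def digest_for(plain)
  Digest::SHA256.hexdigest(plain)
end

# Buggy variant: the save hook hashes the password field unconditionally,
# whether it currently holds plaintext or an already-stored digest.
class UserRehashingOnSave
  attr_accessor :password # plaintext before the first save, the digest afterwards

  def save
    before_save
    true
  end

  def authenticate(plain)
    password == digest_for(plain)
  end

  private

  def before_save
    self.password = digest_for(password)
  end
end

# Fixed variant: the model records that a new plaintext password was assigned
# (a stand-in for ActiveRecord dirty tracking) and hashes only in that case,
# so saves that do not touch the password leave the digest alone.
class UserHashingOnlyWhenChanged
  attr_reader :password

  def password=(plain)
    @password = plain
    @password_changed = true
  end

  def password_changed?
    @password_changed == true
  end

  def save
    before_save
    true
  end

  def authenticate(plain)
    password == digest_for(plain)
  end

  private

  def before_save
    return unless password_changed?

    @password = digest_for(@password) # bypasses the setter, so the flag is not re-armed
    @password_changed = false
  end
end

# Set a password, save, then save again as an unrelated update would (e.g. from
# a console), and check whether the original password still logs in.
def login_still_works_after_second_save(klass)
  user = klass.new
  user.password = "correct horse battery staple"
  user.save
  user.save
  user.authenticate("correct horse battery staple")
end

puts "rehash on every save:   #{login_still_works_after_second_save(UserRehashingOnSave)}"        # false
puts "hash only when changed: #{login_still_works_after_second_save(UserHashingOnlyWhenChanged)}" # true
```

The second `save` is the whole point: in the buggy model it turns the digest into a digest of a digest, which is exactly what a maintainer running a console update would trip over.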
cktricky
1ead42626e
I have moved the build_benefits_data invocation from the controller to the model using before_create. This has not affected behavior afaict. Tested by running rake db:drop db:setup and RAILSGOAT_MAINTAINER=yes rake (all tests passed).
2017-09-19 11:21:08 -04:00
Joseph Mastey
ca9ddb6a14
bug(rails): fix incompatibility with Rails 5
2017-09-18 20:08:02 -05:00
Joseph Mastey
11ab30eb90
bug(pto): fix issue where not having a PTO record causes the app to barf
...
closes #187
2017-09-18 12:43:47 -05:00
Joseph Mastey
d51f48f2d9
Fixes several issues with version migration.
2017-01-29 18:08:44 -06:00
Joseph Mastey
c310273606
upgrade(rails 5): change before_filter to before_action
2017-01-19 13:59:14 -06:00
cktricky
7f5af27478
Removed comments and fixed Issue #184
2016-04-19 08:43:18 -04:00
yuji.matsunaga
2919d57945
fixed messages create error
2016-04-07 16:49:22 +09:00
cktricky
55ceb1ad59
removing render vuln since we are no longer vulnerable to it
2016-03-10 09:46:12 -05:00
Henry Jenkins
e49dfd5bb4
Added DOS vulnerability
...
Added a sleep to the show messages page to show how using slow blocking
methods can allow DOS to occur.
2016-02-18 22:01:37 -05:00
Al Snow
b6d766329c
Based on cane gem, removed tab indents and trailing blanks
2015-09-14 10:11:03 -04:00
cktricky
cdbf2d7d92
mass assignment vulnerability, how it manifests in Rails 4
2015-08-18 20:23:35 -04:00
cktricky
1e5962a1ca
Revert "not sure why this was removed in the first place"
...
This reverts commit b89f520a7d .
2015-07-10 17:52:37 -04:00
cktricky
b89f520a7d
not sure why this was removed in the first place
2015-07-10 17:38:37 -04:00
cktricky
5945b4956d
better spacing while troubleshooting
2015-07-03 11:49:10 -04:00
Al Snow
890b77bdaf
Upgraded 5 gems by rebuilding Gemfile.lock file
2015-03-28 10:46:52 -04:00
cktricky
efe81fb6a6
Okay, a lot of changes, but this basically gets us out of tutorials being hosted locally
2015-03-25 19:32:12 -04:00
cktricky
f8c771a84b
Merge branch 'master' of github.com:OWASP/railsgoat into tuts
2015-03-20 18:46:51 -04:00
Al Snow
9e7eb02cde
Merge branch 'master' of https://github.com/OWASP/railsgoat
...
Conflicts:
Gemfile.lock
2015-02-26 09:13:15 -05:00
Mike McCabe
1eee953f62
adding render vuln
2015-02-23 20:36:53 -05:00
cktricky
09ba2b3270
going to dynamically load the tutorial page depending on the route folks decide to take
2015-01-06 19:43:23 -05:00
Al Snow
80e1ede02b
Added Fred's Strong Parameter work
2014-12-28 17:20:39 -05:00
Fred Nixon
ea8e9901f4
On branch strong-params
...
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
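What moving from `attr_accessible` to whitelisted parameters buys, as an added example that is not RailsGoat's code: the `permit` helper, the `PermittedParams` marker class and the `ForbiddenAttributesError` below are plain-Ruby stand-ins for `ActionController::Parameters#permit` and the `ActiveModel::ForbiddenAttributesProtection` mixin named in the commit, and the request body is constructed for the illustration, so the whole thing runs without Rails.

```ruby
# Raised when a model is handed a hash that never went through a whitelist
# (stand-in for ActiveModel::ForbiddenAttributes).
class ForbiddenAttributesError < StandardError; end

# Marks a hash as having been whitelisted, the role ActionController::Parameters
# plays for permitted params in Rails.
class PermittedParams < Hash; end

# Keep only the whitelisted keys; anything else in the request (e.g. "admin")
# is silently dropped, which is the strong-params behaviour.
def permit(params, *allowed)
  allowed_keys = allowed.map(&:to_s)
  PermittedParams[params.select { |key, _| allowed_keys.include?(key.to_s) }]
end

class User
  ATTRIBUTES = %i[email password admin].freeze
  attr_reader(*ATTRIBUTES)

  def initialize
    @admin = false
  end

  # Before: every key in the request hash lands on the model, so a crafted
  # form field is enough to flip the admin flag.
  def assign_attributes_unprotected(params)
    params.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key.to_sym)
    end
    self
  end

  # After: refuse any hash that did not pass through permit, mirroring the
  # mixin raising on unpermitted parameters, then assign the survivors.
  def assign_attributes(params)
    raise ForbiddenAttributesError, "params were not permitted" unless params.is_a?(PermittedParams)

    params.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key.to_sym)
    end
    self
  end
end

# Constructed request body: a signup form with an extra admin field added by the client.
ATTACKER_PARAMS = {
  "email" => "mallory@example.com",
  "password" => "hunter2",
  "admin" => true
}.freeze

def admin_after_unprotected_assignment
  User.new.assign_attributes_unprotected(ATTACKER_PARAMS).admin
end

def admin_after_whitelisted_assignment
  User.new.assign_attributes(permit(ATTACKER_PARAMS, :email, :password)).admin
end

def raw_hash_rejected?
  User.new.assign_attributes(ATTACKER_PARAMS)
  false
rescue ForbiddenAttributesError
  true
end

puts "admin via unprotected assignment: #{admin_after_unprotected_assignment}" # true
puts "admin via whitelisted assignment: #{admin_after_whitelisted_assignment}" # false
puts "raw hash rejected by the model:   #{raw_hash_rejected?}"                 # true
```

The guard in `assign_attributes` is what the mixin adds: forgetting to call `permit` in a controller fails loudly instead of quietly accepting every field the client sent.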
Al Snow
789ccff349
Upgraded 2 gems by rebuilding Gemfile.lock file; Fixed find/first dep warning #158
2014-10-10 15:38:00 -04:00
Al Snow
d6a6864f73
Undid my find/first fix
2014-09-17 14:11:01 -04:00
Al Snow
1ea0c2ddbb
More Rails 4.0 upgrade changes
...
1. Compared existing branch with empty Rails 4.0 project and
made changes as needed.
2. Fix find/first warning.
3. Fix sqlite timeout issue.
-- config/database.yml
-- spec/vulnerabilities/insecure_dor_spec.rb
2014-09-13 13:44:07 -04:00
Al Snow
23513cf8d2
Initial Rails 4.0.x upgrade
2014-09-07 13:00:54 -04:00
cktricky
88ed0e2b50
need to create the bar graph version, write up the remaining parts of the tutorial, and ensure it did not break the DOM vuln
2014-07-29 17:56:33 -05:00
James Espinosa
561e404e29
Fixes #142 with dynamic ActionMailer url options
2014-07-25 23:04:19 -05:00
cktricky
b5c202ef40
Resolves issue #138
2014-07-11 06:38:36 -04:00
James Espinosa
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
James Espinosa
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
cktricky
8ed2714f3f
changed constantize to metaprogramming for the addition of tutorials specific to metaprogramming flaws. In addition, the messages portion of the app needed some generic TLC so I have removed the "new" view in order to bring that functionality into the seed message page/view.
2014-05-20 14:25:45 -04:00
cktricky
77fcf26abd
working on a tutorial for the scope injection / sql injection
2014-04-17 20:51:16 -04:00
Mike McCabe
6975f94381
adding routes. catching nulls
2014-04-17 20:18:39 -04:00
John Poulin
4bff205e81
added in John's constantize change as well as some other stuff like CSS fun
2014-04-17 20:10:53 -04:00
John Poulin
5bb9c75f06
Added fix for Analytics SQLi
2014-04-17 20:05:07 -04:00
John Poulin
3f63480022
Added Analytics function to track user hits by ip address, referrer and user agent
2014-04-17 20:03:50 -04:00
John Poulin
5056f77395
Added codefix example for CSS context XSS.
2014-04-17 20:03:17 -04:00
John Poulin
e760fc0087
merging
2014-04-17 20:03:14 -04:00
Mike McCabe
9fd91a8224
initial commit of mobile controller
2014-04-17 20:00:30 -04:00
cktricky
87f9c825ba
a function to decrypt has been added to the mix
2014-03-16 15:26:33 -04:00
cktricky
3a5818c493
the basics of a working remember-me-logic-flaw completed :-)
2014-03-15 22:30:31 -04:00