b6c2259b88
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
6e0a0a8312
feat(cops): clean rubocop run
...
1. ignoring one file because it's an intentional vuln
2. made a few small semantic changes, but verified that they're equivalent.
2017-12-06 17:14:25 -06:00
9902345291
chore(rubocop): giganto rubocop commit.
...
muahahahah
2017-12-05 18:46:21 -06:00
8b2f93516d
fix user password field to not accidentally re-encrypt itself on save
...
currently this is flagged manually in one place, but there's no reason not to
let the user model handle it. this way, you can update your user model from a
console or some other area without accidentally changing your password.
2017-09-27 18:57:40 -05:00
20635993c8
Upgraded Ruby to 2.4.2, fixed OpenSSL warnings, and 3 gems
2017-09-25 12:58:06 -04:00
1ead42626e
I have moved the build_benefits_data invocation from the controller to the model using before_create. This has not affected behavior afaict. Tested by running rake db:drop db:setup and RAILSGOAT_MAINTAINER=yes rake (all tests passed).
2017-09-19 11:21:08 -04:00
722a2cebe7
bug(work-info): raise more useful error when work_info.key_management is missing
2017-09-18 16:28:05 -05:00
692fb99e51
upgrade(rails 5): add application record
2017-01-19 13:55:03 -06:00
7f5af27478
removed comments and Fixed Issue #184
2016-04-19 08:43:18 -04:00
ca0526ccc9
Upgraded to Rails 4.0.13; Rebuilt Gemfile.lock file
2015-01-10 09:45:51 -05:00
73e8ab972b
assign_user_id and UserFixture password fixes.
...
When the database is empty, which can happen in the test database and in
the dev database if the seeds.rb aren't applied, the assign_user_id
method would not assign an id and the newer before_filter block to
generate_token would fail.
UserFixture had a password on it that wouldn't pass the new validation
rules once that vulnerability is patched.
2015-01-06 13:21:45 -05:00
80e1ede02b
Added Fred's Strong Parameter work
2014-12-28 17:20:39 -05:00
feb51d077c
Add changes
2014-12-28 17:05:46 -05:00
ea8e9901f4
On branch strong-params
...
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
87fed3a305
Rebuilt Gemfile.lock file; Fixed Time.now issue
2014-10-28 13:45:12 -04:00
1ea0c2ddbb
More Rails 4.0 upgrade changes
...
1. Compared existing branch with empty Rails 4.0 project and
made changes as needed.
2. Fix find/first warning.
3. Fix sqlite timeout issue.
-- config/database.yml
-- spec/vulnerabilities/insecure_dor_spec.rb
2014-09-13 13:44:07 -04:00
7e38ac845f
oops, omitted a couple important features/vulnerabilities
2014-09-11 11:13:15 -04:00
ef2bc20c97
working on the httponly tutorial
2014-09-11 11:01:56 -04:00
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
ad784fd099
Remove placeholders from non-empty directories
2014-07-03 07:38:12 -05:00
239c96039b
Update benefits.rb accept binary file types.
...
The modification allows binary file types (e.g. MS word docs) to be uploaded without encountering encoding errors
2014-05-22 19:31:33 +01:00
5bb9c75f06
Added fix for Analytics SQLi
2014-04-17 20:05:07 -04:00
3f63480022
Added Analytics function to track user hits by ip address, referrer and user agent
2014-04-17 20:03:50 -04:00
8bc20e8f91
fixing name in messages
2014-04-17 19:56:48 -04:00
7a89ae6f17
added the tutorial for the newest logic flaw
2014-03-16 22:10:19 -04:00
3a5818c493
the basics of a working remember-me-logic-flaw completed :-)
2014-03-15 22:30:31 -04:00
1f922916d2
have the ability now to update a row of direct deposit information as well as leverage the encryption routine to introduce a serious flaw
2014-03-15 21:58:42 -04:00
2c8781ebc1
added a pay controller and model
2014-03-14 20:29:14 -04:00
7823eadf3c
first round of tests look okay, now we can re-use this function :-)
2014-03-14 16:32:44 -04:00
62920b535c
Merge branch 'master' of github.com:OWASP/railsgoat into pr-96
2014-03-14 14:00:56 -04:00
d0e825fc17
making sure this is up to date
2014-03-14 14:00:51 -04:00
48ddc99955
some basic api functionality with a few gotchas
2014-03-12 17:45:08 -04:00
4e6006dcc8
added before_create generate token to user model
2014-03-11 20:29:43 -04:00
e7c30151d4
added token to users model and generate token method to users controller
2014-03-11 20:28:15 -04:00
84fd9503ca
Removed duplicated code from exemplary validations for password
2014-03-06 19:40:33 +01:00
b84c8d4cc7
finished write-up for broken auth
2013-11-14 10:47:27 -05:00
b605a42812
got the code kicked off so we can encrypt SSN(s) in the database
2013-11-13 19:51:42 -05:00
efcb7b8c4b
working on encryption
2013-11-13 18:24:26 -05:00
d9956caec1
removed orig file
2013-11-13 14:18:25 -05:00
665ccb2167
removed orig file and also began encryption related stuff for ssn(s)
2013-11-13 14:01:29 -05:00
14bff998dd
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-11-12 16:07:23 -05:00
86035a1cbd
appears to have solved the issue with our code printing stderrs
2013-10-27 22:38:38 -04:00
11480ac853
tests are working again, I will work on surpressing the errors. Also merged @jasnow work
2013-10-27 21:46:12 -04:00
6d1c0c7869
merging
2013-10-27 20:17:52 -04:00
7c1d52320a
does not fix the error that occurs (as it should, but that we want to obfuscate) when a command is injected into, however, it does pass the build and does not break the entire call
2013-10-23 17:11:28 -05:00
c6e42901c7
fixing a mistake
2013-10-22 10:38:23 -04:00
1817251af5
changes
2013-10-22 10:38:00 -04:00
3820b78066
fixing this function that was not explicitly using the params
2013-10-22 10:16:09 -04:00
b7c3b04c74
this seems to have fixed a nuisance error within our unit-tests. Issue #57
2013-10-22 00:58:48 -04:00
Joseph Mastey