Ken Johnson
bcf1aabd35
Add redirect for GET requests to /upload endpoint
Added a redirect handler for users who try to access /upload via GET
request instead of using the form POST. This prevents errors and guides
users to the proper upload form.
Changes:
- Added GET route for /upload that redirects to benefit forms page
- Added redirect_to_benefit_forms action in controller
- Shows info flash message directing users to the upload form
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-11 13:25:50 +00:00
Ken Johnson
9f157012b0
Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025
This commit adds comprehensive coverage of OWASP Top 10 2025 categories,
implementing both ReDoS (A05:2025) and Software Supply Chain (A03:2025)
vulnerabilities for educational purposes.
## New Vulnerabilities Added
### A05:2025 - Injection (ReDoS)
- Implemented three ReDoS endpoints in TutorialsController:
  - POST /tutorials/redos_email - Vulnerable email regex with nested quantifiers
  - POST /tutorials/redos_username - Classic (a+)+ pattern
  - POST /tutorials/redos_email_safe - Secure version using URI::MailTo::EMAIL_REGEXP
- Added Regexp.timeout = 1.0 configuration (Rails 8 protection)
- All endpoints include timing and error handling demonstrations
### A03:2025 - Software Supply Chain Failures
- Demonstrated missing SRI on CDN assets in application.html.erb
- Added educational endpoints:
  - GET /tutorials/supply_chain - Comprehensive supply chain vulnerabilities overview
  - GET /tutorials/check_dependencies - Dependency scanning simulation
- Covers: Missing SRI, outdated dependencies, no SBOM, insecure gem sources
## Files Changed
### New Files
- config/initializers/regexp_timeout.rb: Enables Rails 8 ReDoS protection
- spec/controllers/tutorials_controller_spec.rb: 23 passing tests for all endpoints
### Modified Files
- app/controllers/tutorials_controller.rb: Added 5 new educational endpoints
- app/views/layouts/application.html.erb: Added CDN assets WITHOUT SRI (intentional vuln)
- config/routes.rb: Added routes for ReDoS and supply chain endpoints
## Test Coverage
- 23 RSpec tests covering both ReDoS and A03 vulnerabilities
- Tests validate vulnerability behavior, error handling, and educational content
- All tests passing
## Educational Value
- Demonstrates OWASP 2025 categories A03 and A05
- Shows both vulnerable and secure implementations
- Includes real-world CVE examples (British Airways, Magecart)
- Provides mitigation guidance and tool recommendations
This completes 100% coverage of OWASP Top 10 2025 categories in RailsGoat Rails 8.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-06 15:11:54 -05:00
Joseph Mastey
c4f0b91534
use more idiomatic syntax for routes
2017-12-12 15:07:42 -06:00
Joseph Mastey
9902345291
chore(rubocop): giganto rubocop commit.
muahahahah
2017-12-05 18:46:21 -06:00
Joseph Mastey
97e8b82e0c
bug(password): fixes URL for password reset
2017-10-06 19:52:37 -05:00
Claudio Benvenuti
79b306fcae
Fix METHOD for forgot_password route
2016-06-01 17:59:48 +02:00
Al Snow
890b77bdaf
Upgraded 5 gems by rebuilding Gemfile.lock file
2015-03-28 10:46:52 -04:00
cktricky
efe81fb6a6
okay, a lot of changes but this basically gets us out of tutorials being hosted locally
2015-03-25 19:32:12 -04:00
cktricky
f8c771a84b
Merge branch 'master' of github.com:OWASP/railsgoat into tuts
2015-03-20 18:46:51 -04:00
Al Snow
9e7eb02cde
Merge branch 'master' of https://github.com/OWASP/railsgoat
Conflicts:
	Gemfile.lock
2015-02-26 09:13:15 -05:00
Mike McCabe
1eee953f62
adding render vuln
2015-02-23 20:36:53 -05:00
cktricky
09ba2b3270
going to dynamically load the tutorial page depending on the route folks decide to take
2015-01-06 19:43:23 -05:00
Al Snow
23513cf8d2
Initial Rails 4.0.x upgrade
2014-09-07 13:00:54 -04:00
cktricky
88ed0e2b50
need to create the bar graph version, write up the remaining parts of the tutorial, and ensure it did not break the DOM vuln
2014-07-29 17:56:33 -05:00
cktricky
8ed2714f3f
changed constantize to metaprogramming for the addition of tutorials specific to metaprogramming flaws. In addition, the messages portion of the app needed some generic TLC so I have removed the "new" view in order to bring that functionality into the seed message page/view.
2014-05-20 14:25:45 -04:00
Mike McCabe
6975f94381
adding routes. catching nulls
2014-04-17 20:18:39 -04:00
John Poulin
3f63480022
Added Analytics function to track user hits by ip address, referrer and user agent
2014-04-17 20:03:50 -04:00
cktricky
87f9c825ba
a function to decrypt has been added to the mix
2014-03-16 15:26:33 -04:00
cktricky
16eaefefdf
view portion of adding a column almost complete, then backend logic
2014-03-15 15:29:45 -04:00
cktricky
7a4efaa950
added the basic components to begin working on the pay index view
2014-03-15 10:28:52 -04:00
cktricky
4b0560a250
whew, now THAT is a huge tutorial explanation for a relatively simple issue!
2014-03-12 18:59:38 -04:00
cktricky
932d2304f9
okay first run at making an API for railsgoat
2014-03-12 12:38:41 -04:00
Mike McCabe
abe22b19e9
adding password reset method and changing some logic around
2013-12-11 22:25:02 -05:00
James Espinosa
da1845e8f9
Implement working mailer and controller
2013-12-04 00:57:32 -06:00
Mike McCabe
c7515af6ab
adding basic forgot password controller and views
2013-11-23 16:04:48 -05:00
cktricky
f53ab56e92
fixes a bug introduced during the transition from info_disclosure to A6
2013-11-14 11:06:27 -05:00
Mike McCabe
af8776a3ea
halfway done A7
2013-11-13 18:23:38 -05:00
cktricky
9cbdbf01e5
should fix conflicts
2013-11-13 12:19:33 -05:00
cktricky
8c672fd2fc
fixed the route
2013-11-13 12:16:48 -05:00
Mike McCabe
f0ca17df79
updating the information for A9 fixes #27
2013-11-13 11:47:29 -05:00
cktricky
6950accce4
a6 exposure, working on the wording for SSNs being stored in the clear
2013-11-12 17:44:27 -05:00
cktricky
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
Mike McCabe
8686f6b9d3
adding messages mvc to allow users to send messages.
2013-10-11 16:03:37 -04:00
cktricky
d909f55ab9
initial write-up for gauntlt
2013-08-08 21:25:52 -04:00
Ken Johnson
ea2014b637
I have exhausted all thoughts on how to actually get jquery file upload to work, so screw it, I am just going to make something homegrown for tomorrow
2013-07-09 13:53:00 -04:00
Ken Johnson
7b900bda2d
fixes issue #24
2013-06-10 16:25:14 -04:00
Ken Johnson
e97afb9bb4
added a very dangerous, very serious vulnerability (constantize)
2013-06-02 22:42:29 -04:00
Ken Johnson
caecb88e30
prepping for constantize
2013-06-02 20:35:01 -04:00
Ken Johnson
570eafa01b
this closes issue #9
2013-06-02 20:19:31 -04:00
Ken Johnson
4e445375fa
created the info disclosure write-up. Close issue #16
2013-06-02 12:39:04 -04:00
Ken Johnson
379c442049
I have added the performance model, controller, route and seed data; now I am working on the actual visual aspects of the page
2013-05-31 14:45:31 -04:00
Ken Johnson
08a8c60276
added route, controller, model, sidebar link, and basic index page for the work info section so that we can render user data
2013-05-31 10:48:20 -04:00
Ken Johnson
a6a38c773e
added validation for all schedule fields (presence of) and working on a new way to dynamically update your calendar upon submission of a new calendar event
2013-05-31 00:31:13 -04:00
Ken Johnson
caf348f189
made some big changes here. The schedule had a has_one relationship with the PTO model. That is a problem since we only get one result back, meaning a user can't have multiple scheduled events. This has been fixed with the use of has_many within the PTO model. Now, in relation to the PTO section, the next change to happen is a fully functional create action that allows an event to be scheduled; the form and controller have already been created. Umm, also, a calendar has been added, and when we get the results back from a call to the create event action we will update that calendar. Think that is about it for now
2013-05-28 12:48:35 -04:00
Ken Johnson
af763d40bf
added the PTO section
2013-05-24 20:54:07 -04:00
Ken Johnson
96e0095878
moving in the right direction
2013-05-24 19:51:09 -04:00
Ken Johnson
b2e2a1b4b0
moved delete button away from submit button (duh), and changed delete a user to a POST request after realizing a spider might wreak havoc on that and delete all users
2013-05-21 00:42:56 -04:00
Ken Johnson
bd95958f17
added delete button
2013-05-20 22:21:00 -04:00
Ken Johnson
4337cb9a46
made sure the table refreshes after an update
2013-05-20 17:35:24 -04:00
Ken Johnson
5fd72fcd6f
updating users' info via ajax is working, yay. Next thing is we need to move the datatables into an ajax call so that we can refresh the table upon any changes occurring
2013-05-20 16:31:59 -04:00