Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."
Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.
Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
in 11 vulnerability spec files:
- broken_auth_spec.rb
- command_injection_spec.rb
- csrf_spec.rb
- insecure_dor_spec.rb
- mass_assignment_spec.rb
- password_complexity_spec.rb
- sensitive_data_exposure.rb
- sql_injection_spec.rb
- unvalidated_redirects_spec.rb
- url_access_spec.rb
- xss_spec.rb
Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode
Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* use bang version of save methods in the seeds file, so that when you fix validation,
it will at least explode, rather than silently failing to create users
* fix two tests where passwords are hardcoded so that they use stronger passwords,
since password complexity is not the important bit of either of those tests.
Ken Johnson