Joseph Mastey
bb863f5156
appease our new robot overlords.
(I voted for Krang)
2017-12-12 21:00:45 -06:00
Joseph Mastey
b6c2259b88
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
Joseph Mastey
6e0a0a8312
feat(cops): clean rubocop run
1. ignoring one file because it's an intentional vuln
2. made a few small semantic changes, but verified that they're equivalent.
2017-12-06 17:14:25 -06:00
Joseph Mastey
9902345291
chore(rubocop): giganto rubocop commit.
muahahahah
2017-12-05 18:46:21 -06:00
Joseph Mastey
8b2f93516d
fix user password field to not accidentally re-encrypt itself on save
currently this is flagged manually in one place, but there's no reason not to
let the user model handle it. this way, you can update your user model from a
console or some other area without accidentally changing your password.
2017-09-27 18:57:40 -05:00
cktricky
1ead42626e
I have moved the build_benefits_data invocation from the controller to the model using before_create. This has not affected behavior afaict. Tested by running rake db:drop db:setup and RAILSGOAT_MAINTAINER=yes rake (all tests passed).
2017-09-19 11:21:08 -04:00
Joseph Mastey
692fb99e51
upgrade(rails 5): add application record
2017-01-19 13:55:03 -06:00
cktricky
7f5af27478
removed comments and Fixed Issue #184
2016-04-19 08:43:18 -04:00
Al Snow
ca0526ccc9
Upgraded to Rails 4.0.13; Rebuilt Gemfile.lock file
2015-01-10 09:45:51 -05:00
chrismo
73e8ab972b
assign_user_id and UserFixture password fixes.
When the database is empty, which can happen in the test database and in
the dev database if the seeds.rb aren't applied, the assign_user_id
method would not assign an id and the newer before_filter block to
generate_token would fail.
UserFixture had a password on it that wouldn't pass the new validation
rules once that vulnerability is patched.
2015-01-06 13:21:45 -05:00
Fred Nixon
ea8e9901f4
On branch strong-params
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
cktricky
7e38ac845f
oops, omitted a couple important features/vulnerabilities
2014-09-11 11:13:15 -04:00
cktricky
ef2bc20c97
working on the httponly tutorial
2014-09-11 11:01:56 -04:00
James Espinosa
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
James Espinosa
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
cktricky
2c8781ebc1
added a pay controller and model
2014-03-14 20:29:14 -04:00
cktricky
7823eadf3c
first round of tests look okay, now we can re-use this function :-)
2014-03-14 16:32:44 -04:00
cktricky
62920b535c
Merge branch 'master' of github.com:OWASP/railsgoat into pr-96
2014-03-14 14:00:56 -04:00
cktricky
d0e825fc17
making sure this is up to date
2014-03-14 14:00:51 -04:00
cktricky
48ddc99955
some basic api functionality with a few gotchas
2014-03-12 17:45:08 -04:00
relotnek
4e6006dcc8
added before_create generate token to user model
2014-03-11 20:29:43 -04:00
relotnek
e7c30151d4
added token to users model and generate token method to users controller
2014-03-11 20:28:15 -04:00
ecneladis
84fd9503ca
Removed duplicated code from exemplary validations for password
2014-03-06 19:40:33 +01:00
cktricky
b84c8d4cc7
finished write-up for broken auth
2013-11-14 10:47:27 -05:00
cktricky
b605a42812
got the code kicked off so we can encrypt SSN(s) in the database
2013-11-13 19:51:42 -05:00
cktricky
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
Mike McCabe
8c17a3df0e
adding messaging function, needs tests...
2013-10-13 21:49:17 -04:00
Mike McCabe
dbd0c2548d
making full_name method public
2013-10-11 16:03:37 -04:00
cktricky
e2c4fb4bd8
change to the user model based on a merge with master. Master is the correct code
2013-10-11 12:04:19 -04:00
cktricky
da061c79b6
intended to remove some of the weirdness when updating a user's account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point, although that may end up screwing up the intent of the particular tutorial item
2013-09-30 13:03:03 -04:00
cktricky
ef8a9c1a46
merged with master
2013-09-27 21:55:50 -04:00
chrismo
e0bca0139e
Added command injection Capybara spec.
2013-09-27 14:59:30 -05:00
cktricky
c56dbe54a7
no change really
2013-09-11 10:58:46 -04:00
cktricky
d5801f0684
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-09-10 13:31:48 -04:00
Michael McCabe
69c180e845
minor changes to spec_helper and user model
2013-09-06 15:54:06 -04:00
cktricky
bc74edf28d
latest work towards the secure_compare tutorial
2013-08-18 20:10:36 -04:00
cktricky
3c7a3fc9e4
still working on the timing attack prevention tutorial
2013-08-18 17:39:13 -04:00
cktricky
979b6a229a
working on avoiding timing attacks piece
2013-08-17 21:27:33 -04:00
cktricky
65eb2caeaf
made a suggestion based on digininja's comment on Rails tutorials blog post. Better to change method name to hash_password than encrypt_password
2013-08-08 16:57:58 -04:00
Ken Johnson
e1dfb8309c
finished the write-up for crypto vuln, close issue #5
2013-06-03 18:08:21 -04:00
Ken Johnson
0b09e0d4c1
added the primary insecure crypto storage vuln
2013-06-03 12:52:24 -04:00
Ken Johnson
912c34a26e
finished the writeup for password complexity
2013-06-03 01:11:51 -04:00
Ken Johnson
06dce1f8b2
I believe this has resolved the dependent destruction and we can close issue #18
2013-06-02 13:08:56 -04:00
Ken Johnson
0319cc4768
added a few things here. Firstly, I fixed the broken delete function with the admin page. Secondly, whenever you register for this application, we will automatically populate your user data to make the application functional. Seemed like the easiest way to do this
2013-06-01 00:19:07 -04:00
Ken Johnson
4813ba9349
added visualization chart for performance history
2013-05-31 15:20:58 -04:00
Ken Johnson
379c442049
I have added the performance model, controller, route and seed data, now I am working on the actual visual aspects of the page
2013-05-31 14:45:31 -04:00
Ken Johnson
97ca13632d
removed mass assignment of user_id in the users model
2013-05-31 11:08:38 -04:00
Ken Johnson
08a8c60276
added route, controller, model, sidebar link, and basic index page for the work info section so that we can render user data
2013-05-31 10:48:20 -04:00
Ken Johnson
af763d40bf
added the PTO section
2013-05-24 20:54:07 -04:00
Ken Johnson
b59c85fade
I feel like this is fairly important to make sure we avoid causing headaches, lol
2013-05-24 19:19:37 -04:00