team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
railsgoat/spec/controllers/tutorials_controller_spec.rb
T
robbiepaul 298610b5f6
CI / test (3.4.1) (push) Has been cancelled
Details
Initial commit (history cleared)
2026-04-29 11:21:39 +01:00

309 lines
11 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require "spec_helper"
RSpec.describe TutorialsController, type: :controller do
describe "ReDoS vulnerabilities (Rails 8)" do
describe "POST #redos_email" do
context "with valid email" do
it "validates email successfully" do
post :redos_email, params: { email: "test@example.com" }
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response["valid"]).to be true
expect(json_response["message"]).to eq("Email validation completed")
end
it "completes validation in reasonable time" do
post :redos_email, params: { email: "test@example.com" }
json_response = JSON.parse(response.body)
expect(json_response["time_elapsed"]).to be < 0.1 # Should be nearly instant
end
end
context "with potentially malicious ReDoS input" do
it "handles potentially malicious input" do
# Input that could cause catastrophic backtracking in less optimized regex engines
# Note: Ruby 3.3's regex engine is well-optimized and may not timeout with this input
malicious_email = "a" * 30 + "@" + "a" * 30
post :redos_email, params: { email: malicious_email }
# Response may be success (if regex completes) or bad_request (if timeout)
# Both are acceptable outcomes demonstrating the vulnerability
expect(response).to have_http_status(:success).or have_http_status(:bad_request)
json_response = JSON.parse(response.body)
# If it times out, check error message
if response.status == 400
expect(json_response["error"]).to eq("Timeout")
expect(json_response["message"]).to include("ReDoS")
end
end
it "demonstrates the vulnerable pattern exists" do
# This test documents that the pattern is theoretically vulnerable
# even if Ruby 3.3's engine handles it efficiently
malicious_email = "test@example.com"
post :redos_email, params: { email: malicious_email }
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response).to have_key("time_elapsed")
end
end
end
describe "POST #redos_username" do
context "with valid username" do
it "validates username matching pattern" do
post :redos_username, params: { username: "aaaa" }
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response["valid"]).to be true
end
end
context "with potentially malicious ReDoS input" do
it "demonstrates the classic ReDoS pattern (a+)+" do
# This is the classic ReDoS pattern: (a+)+
# Ruby 3.3's engine is optimized but the pattern is still considered vulnerable
malicious_username = "a" * 30 + "!"
post :redos_username, params: { username: malicious_username }
# Ruby 3.3 handles this efficiently, but the pattern is still bad practice
expect(response).to have_http_status(:success).or have_http_status(:bad_request)
json_response = JSON.parse(response.body)
# If it times out, verify the timeout message
if response.status == 400
expect(json_response["error"]).to eq("Timeout")
expect(json_response["time_elapsed"]).to be >= 0.9
end
end
it "demonstrates Rails 8 timeout protection exists" do
malicious_username = "a" * 30 + "!"
# With Rails 8's Regexp.timeout, this won't hang indefinitely
# (In older Ruby versions without timeout, this could hang)
expect {
post :redos_username, params: { username: malicious_username }
}.not_to raise_error # Should not hang, should return response
end
end
end
describe "POST #redos_email_safe" do
context "with valid email" do
it "validates email using safe regex" do
post :redos_email_safe, params: { email: "test@example.com" }
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response["valid"]).to be true
expect(json_response["message"]).to include("safe method")
end
end
context "with potentially malicious input" do
it "handles malicious input safely without timeout" do
malicious_email = "a" * 100 + "@" + "a" * 100 + ".com"
post :redos_email_safe, params: { email: malicious_email }
# Should complete quickly without timeout
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response["time_elapsed"]).to be < 0.1 # Fast even with long input
end
end
end
end
describe "Comparison: Vulnerable vs Safe" do
it "demonstrates the difference between vulnerable and safe patterns" do
# Test vulnerable endpoint with potentially malicious input
post :redos_username, params: { username: "aaaa" }
vulnerable_response = JSON.parse(response.body)
# Test safe endpoint with same type of input
post :redos_email_safe, params: { email: "test@example.com" }
safe_response = JSON.parse(response.body)
# Both should complete (Ruby 3.3 is well-optimized)
expect(vulnerable_response).to have_key("time_elapsed")
expect(safe_response).to have_key("time_elapsed")
# Safe endpoint should use Ruby's built-in URI regex
expect(safe_response["message"]).to include("safe method")
end
it "shows that timeout protection is available" do
# Demonstrates that Regexp.timeout is configured
# This prevents potential hangs even if catastrophic backtracking occurs
expect(Regexp.timeout).to eq(1.0)
end
end
describe "A03:2025 - Software Supply Chain Failures (Rails 8)" do
describe "GET #supply_chain" do
it "returns comprehensive supply chain vulnerability information" do
get :supply_chain
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response).to have_key("vulnerabilities")
expect(json_response).to have_key("demo")
expect(json_response).to have_key("secure_example")
end
it "documents missing SRI vulnerability" do
get :supply_chain
json_response = JSON.parse(response.body)
vulnerabilities = json_response["vulnerabilities"]
sri_vuln = vulnerabilities.find { |v| v["type"] == "Missing Subresource Integrity (SRI)" }
expect(sri_vuln).not_to be_nil
expect(sri_vuln["location"]).to eq("app/views/layouts/application.html.erb")
expect(sri_vuln["description"]).to include("CDN assets loaded without integrity checks")
expect(sri_vuln["impact"]).to include("compromised")
end
it "documents outdated dependencies vulnerability" do
get :supply_chain
json_response = JSON.parse(response.body)
vulnerabilities = json_response["vulnerabilities"]
dep_vuln = vulnerabilities.find { |v| v["type"] == "Outdated Dependencies" }
expect(dep_vuln).not_to be_nil
expect(dep_vuln["mitigation"]).to include("bundle audit")
end
it "documents missing SBOM vulnerability" do
get :supply_chain
json_response = JSON.parse(response.body)
vulnerabilities = json_response["vulnerabilities"]
sbom_vuln = vulnerabilities.find { |v| v["type"] == "No Software Bill of Materials (SBOM)" }
expect(sbom_vuln).not_to be_nil
expect(sbom_vuln["mitigation"]).to include("CycloneDX or SPDX")
end
it "provides secure vs vulnerable examples" do
get :supply_chain
json_response = JSON.parse(response.body)
secure_example = json_response["secure_example"]
expect(secure_example["vulnerable"]).not_to include("integrity=")
expect(secure_example["secure"]).to include("integrity=")
expect(secure_example["secure"]).to include("crossorigin=")
end
it "includes real-world CVE example" do
get :supply_chain
json_response = JSON.parse(response.body)
vulnerabilities = json_response["vulnerabilities"]
sri_vuln = vulnerabilities.find { |v| v["type"] == "Missing Subresource Integrity (SRI)" }
expect(sri_vuln["cve_example"]).to include("British Airways")
expect(sri_vuln["cve_example"]).to include("Magecart")
end
end
describe "GET #check_dependencies" do
it "returns dependency scanning simulation" do
get :check_dependencies
expect(response).to have_http_status(:success)
json_response = JSON.parse(response.body)
expect(json_response["status"]).to eq("scan_complete")
expect(json_response).to have_key("message")
expect(json_response).to have_key("example_vulnerabilities")
expect(json_response).to have_key("recommended_tools")
end
it "provides example vulnerability data" do
get :check_dependencies
json_response = JSON.parse(response.body)
vulnerabilities = json_response["example_vulnerabilities"]
expect(vulnerabilities).to be_an(Array)
expect(vulnerabilities.length).to be >= 2
# Check Rails example
rails_vuln = vulnerabilities.find { |v| v["gem"] == "rails" }
expect(rails_vuln).not_to be_nil
expect(rails_vuln["version"]).to eq("8.0.4")
end
it "recommends security scanning tools" do
get :check_dependencies
json_response = JSON.parse(response.body)
tools = json_response["recommended_tools"]
expect(tools).to be_an(Array)
expect(tools.any? { |t| t.include?("bundle-audit") }).to be true
expect(tools.any? { |t| t.include?("Dependabot") }).to be true
expect(tools.any? { |t| t.include?("Snyk") }).to be true
end
it "includes instructions for manual checking" do
get :check_dependencies
json_response = JSON.parse(response.body)
expect(json_response["note"]).to include("bundle audit")
end
it "handles errors gracefully" do
# Simulate an error by stubbing JSON.parse to raise an error
allow_any_instance_of(TutorialsController).to receive(:render).and_call_original
# The endpoint should handle errors and return 500
# This is more of a structural test to ensure error handling exists
get :check_dependencies
# Should return successful response under normal conditions
expect(response).to have_http_status(:success)
end
end
describe "Integration: Supply Chain Attack Surface" do
it "demonstrates complete attack surface" do
# Check supply chain vulnerabilities
get :supply_chain
supply_response = JSON.parse(response.body)
# Check dependency scanning
get :check_dependencies
dep_response = JSON.parse(response.body)
# Both endpoints should provide complementary information
expect(supply_response["vulnerabilities"].length).to be >= 5
expect(dep_response["recommended_tools"].length).to be >= 4
# Supply chain should reference the tools mentioned in dependency check
expect(supply_response["vulnerabilities"].any? { |v| v["mitigation"]&.include?("bundle audit") }).to be true
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink