team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
39bc3ed974e12fee9fa3a424c8f6868a055787ce
railsgoat/spec/vulnerabilities/command_injection_spec.rb
T
Ken Johnson 5d698c8003 Fix RSpec 3 compatibility: Replace pending with skip 
Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."

Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.

Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
  in 11 vulnerability spec files:
  - broken_auth_spec.rb
  - command_injection_spec.rb
  - csrf_spec.rb
  - insecure_dor_spec.rb
  - mass_assignment_spec.rb
  - password_complexity_spec.rb
  - sensitive_data_exposure.rb
  - sql_injection_spec.rb
  - unvalidated_redirects_spec.rb
  - url_access_spec.rb
  - xss_spec.rb

Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode

Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-05 20:14:08 -05:00

33 lines
986 B
Ruby
Raw Blame History

# frozen_string_literal: true
require "spec_helper"
require "tmpdir"
feature "command injection" do
let(:normal_user) { UserFixture.normal_user }
before do
UserFixture.reset_all_users
skip unless verifying_fixed?
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", js: true do
login(normal_user)
legit_file = File.join(Rails.root, "public", "data", "legit.txt")
File.open(legit_file, "w") { |f| f.puts "totes legit" }
visit "/users/#{normal_user.id}/benefit_forms"
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
File.open(hackety_file, "w") { |f| f.print "mwahaha" }
within(".new_benefits") do
attach_file "benefits_upload", hackety_file
find(:xpath, "//input[@id='benefits_backup']", visible: false).set "true"
end
click_on "Start Upload"
end
expect(File.exist?(legit_file)).to be_truthy
end
end
Reference in New Issue View Git Blame Copy Permalink