team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5b6337a86850b576bd5194e857e1058f1411f092
railsgoat/spec/vulnerabilities/xss_spec.rb
T
Ken Johnson 5d698c8003 Fix RSpec 3 compatibility: Replace pending with skip 
Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."

Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.

Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
  in 11 vulnerability spec files:
  - broken_auth_spec.rb
  - command_injection_spec.rb
  - csrf_spec.rb
  - insecure_dor_spec.rb
  - mass_assignment_spec.rb
  - password_complexity_spec.rb
  - sensitive_data_exposure.rb
  - sql_injection_spec.rb
  - unvalidated_redirects_spec.rb
  - url_access_spec.rb
  - xss_spec.rb

Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode

Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-05 20:14:08 -05:00

37 lines
1.1 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require "spec_helper"
feature "xss" do
let(:normal_user) { UserFixture.normal_user }
before(:each) do
UserFixture.reset_all_users
skip unless verifying_fixed?
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
login(normal_user)
visit "/users/#{normal_user.id}/account_settings"
within("#account_edit") do
fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
# password gets screwed up if you don't re-submit - need to fix
fill_in "user_password", with: normal_user.clear_password
fill_in "user_password_confirmation", with: normal_user.clear_password
end
click_on "Submit"
sleep(1)
visit "/users/#{normal_user.id}/account_settings"
expect(find("#submit_button").value).not_to include("RailsGoat h4x0r3d")
# might be nice to demonstrate posting cookie contents or somesuch, but
# this at least shows the vulnerability still exists.
end
end
Reference in New Issue View Git Blame Copy Permalink