Ken Johnson
5d698c8003
Updated vulnerability specs to use `skip` instead of `pending` to align with RSpec 3+ semantics where pending means "expected to fail." Background: In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks a test as expected to fail, and if it passes, that's an error. This was causing issues in maintainer mode where passing tests were incorrectly flagged as failures. Changes: - Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?` in 11 vulnerability spec files: - broken_auth_spec.rb - command_injection_spec.rb - csrf_spec.rb - insecure_dor_spec.rb - mass_assignment_spec.rb - password_complexity_spec.rb - sensitive_data_exposure.rb - sql_injection_spec.rb - unvalidated_redirects_spec.rb - url_access_spec.rb - xss_spec.rb Impact: - Maintainer mode: Tests are properly skipped (no false failures) - Training mode: Tests run and demonstrate vulnerabilities as before - All tests pass with 0 failures in maintainer mode Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
27 lines
783 B
Ruby
27 lines
783 B
Ruby
# frozen_string_literal: true
|
|
require "spec_helper"
|
|
|
|
feature "password complexity" do
|
|
let(:normal_user) { UserFixture.normal_user }
|
|
|
|
before do
|
|
UserFixture.reset_all_users
|
|
skip unless verifying_fixed?
|
|
end
|
|
|
|
scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity" do
|
|
new_user_email = normal_user.email + "two"
|
|
|
|
visit "/signup"
|
|
fill_in "email", with: new_user_email
|
|
fill_in "first_name", with: normal_user.first_name
|
|
fill_in "last_name", with: normal_user.last_name + "not"
|
|
fill_in "password", with: "password"
|
|
fill_in "password_confirmation", with: "password"
|
|
click_on "Create Account"
|
|
|
|
expect(User.find_by(email: new_user_email)).to be_nil
|
|
expect(current_path).to eq("/signup")
|
|
end
|
|
end
|