Ken Johnson
5d698c8003
Updated vulnerability specs to use `skip` instead of `pending` to align with RSpec 3+ semantics where pending means "expected to fail." Background: In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks a test as expected to fail, and if it passes, that's an error. This was causing issues in maintainer mode where passing tests were incorrectly flagged as failures. Changes: - Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?` in 11 vulnerability spec files: - broken_auth_spec.rb - command_injection_spec.rb - csrf_spec.rb - insecure_dor_spec.rb - mass_assignment_spec.rb - password_complexity_spec.rb - sensitive_data_exposure.rb - sql_injection_spec.rb - unvalidated_redirects_spec.rb - url_access_spec.rb - xss_spec.rb Impact: - Maintainer mode: Tests are properly skipped (no false failures) - Training mode: Tests run and demonstrate vulnerabilities as before - All tests pass with 0 failures in maintainer mode Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
25 lines
705 B
Ruby
25 lines
705 B
Ruby
# frozen_string_literal: true
|
|
require "spec_helper"
|
|
|
|
feature "sensitive data exposure" do
|
|
let(:normal_user) { UserFixture.normal_user }
|
|
let(:user_ssn) { "999-99-9999" }
|
|
|
|
before do
|
|
UserFixture.reset_all_users
|
|
normal_user.work_info.update(:SSN, user_ssn)
|
|
|
|
skip unless verifying_fixed?
|
|
end
|
|
|
|
# this won't work with javascript_driver, as it'll apply the javascript
|
|
# function to mask this value and the source will be overwritten.
|
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
|
|
login(normal_user)
|
|
|
|
visit "/users/#{normal_user.id}/work_info"
|
|
|
|
expect(page.source).not_to include(user_ssn)
|
|
end
|
|
end
|