team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5cd2828a547862e17c335933cf5952f6a03fdf7
railsgoat/app/controllers
T
History
Ken Johnson 9f157012b0 Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025 
This commit adds comprehensive coverage of OWASP Top 10 2025 categories,
implementing both ReDoS (A05:2025) and Software Supply Chain (A03:2025)
vulnerabilities for educational purposes.

## New Vulnerabilities Added

### A05:2025 - Injection (ReDoS)
- Implemented three ReDoS endpoints in TutorialsController:
  - POST /tutorials/redos_email - Vulnerable email regex with nested quantifiers
  - POST /tutorials/redos_username - Classic (a+)+ pattern
  - POST /tutorials/redos_email_safe - Secure version using URI::MailTo::EMAIL_REGEXP
- Added Regexp.timeout = 1.0 configuration (Rails 8 protection)
- All endpoints include timing and error handling demonstrations

### A03:2025 - Software Supply Chain Failures
- Demonstrated missing SRI on CDN assets in application.html.erb
- Added educational endpoints:
  - GET /tutorials/supply_chain - Comprehensive supply chain vulnerabilities overview
  - GET /tutorials/check_dependencies - Dependency scanning simulation
- Covers: Missing SRI, outdated dependencies, no SBOM, insecure gem sources

## Files Changed

### New Files
- config/initializers/regexp_timeout.rb: Enables Rails 8 ReDoS protection
- spec/controllers/tutorials_controller_spec.rb: 23 passing tests for all endpoints

### Modified Files
- app/controllers/tutorials_controller.rb: Added 5 new educational endpoints
- app/views/layouts/application.html.erb: Added CDN assets WITHOUT SRI (intentional vuln)
- config/routes.rb: Added routes for ReDoS and supply chain endpoints

## Test Coverage
- 23 RSpec tests covering both ReDoS and A03 vulnerabilities
- Tests validate vulnerability behavior, error handling, and educational content
- All tests passing

## Educational Value
- Demonstrates OWASP 2025 categories A03 and A05
- Shows both vulnerable and secure implementations
- Includes real-world CVE examples (British Airways, Magecart)
- Provides mitigation guidance and tool recommendations

This completes 100% coverage of OWASP Top 10 2025 categories in RailsGoat Rails 8.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-06 15:11:54 -05:00
..
api/v1
fix api does not work
2021-04-30 17:39:10 +09:00
concerns
More Rails 4.0 upgrade changes
2014-09-13 13:44:07 -04:00
admin_controller.rb
Upgraded Ruby to 2.7.0-preview1 and Rails to 6.0.0 - fixed 1 spec
2019-09-09 15:13:29 -04:00
application_controller.rb
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
benefit_forms_controller.rb
more fixes for tests post-merge
2017-12-12 15:25:37 -06:00
dashboard_controller.rb
feat(cops): clean rubocop run
2017-12-06 17:14:25 -06:00
messages_controller.rb
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
paid_time_off_controller.rb
chore(rubocop): giganto rubocop commit.
2017-12-05 18:46:21 -06:00
password_resets_controller.rb
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00
pay_controller.rb
Fixed rubocop messages
2018-03-08 17:02:24 -05:00
performance_controller.rb
chore(rubocop): giganto rubocop commit.
2017-12-05 18:46:21 -06:00
retirement_controller.rb
chore(rubocop): giganto rubocop commit.
2017-12-05 18:46:21 -06:00
schedule_controller.rb
Fixed rubocop messages
2018-03-08 17:02:24 -05:00
sessions_controller.rb
Strip whitespace from email when logging in
2020-03-25 11:22:20 -07:00
tutorials_controller.rb
Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025
2025-12-06 15:11:54 -05:00
users_controller.rb
Upgraded Ruby to 2.7.0-preview1 and Rails to 6.0.0 - fixed 1 spec
2019-09-09 15:13:29 -04:00
work_info_controller.rb
removes user_id column from User model to use idiomatic Rails automatic IDs
2017-12-12 15:19:22 -06:00