team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d920cd14946c4dd8e6cee3ae587a14859eb8c1b0
railsgoat/spec/vulnerabilities/broken_auth_spec.rb
T
Ken Johnson 5d698c8003 Fix RSpec 3 compatibility: Replace pending with skip 
Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."

Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.

Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
  in 11 vulnerability spec files:
  - broken_auth_spec.rb
  - command_injection_spec.rb
  - csrf_spec.rb
  - insecure_dor_spec.rb
  - mass_assignment_spec.rb
  - password_complexity_spec.rb
  - sensitive_data_exposure.rb
  - sql_injection_spec.rb
  - unvalidated_redirects_spec.rb
  - url_access_spec.rb
  - xss_spec.rb

Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode

Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-01-05 20:14:08 -05:00

33 lines
962 B
Ruby
Raw Blame History

# frozen_string_literal: true
require "spec_helper"
feature "broken_auth" do
let(:normal_user) { UserFixture.normal_user }
before do
UserFixture.reset_all_users
skip unless verifying_fixed?
end
scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
wrong_email = normal_user.email + "not"
visit "/"
fill_in "email", with: wrong_email
fill_in "password", with: normal_user.clear_password
find("input[type='submit'][value='Login']").click
expect(find("div#flash_notice").text).not_to include(wrong_email)
end
scenario "two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
visit "/"
fill_in "email", with: normal_user.email
fill_in "password", with: normal_user.clear_password + "not"
find("input[type='submit'][value='Login']").click
expect(find("div#flash_notice").text).not_to include("Incorrect Password!")
end
end
Reference in New Issue View Git Blame Copy Permalink