OWASP / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
railsgoat.cktricky.com
MIT License

Upgrade Rails to 5.2 or 6.0 and Ruby to 2.7.0-preview1 #364

Closed jasnow closed 4 years ago

jasnow commented 5 years ago

Upgrade Rails to 5.2 or 6.0 and Ruby to 2.7.0-preview1

Problem

Using old versions of Ruby-on-Rails and Ruby.

Goal

To upgrade the repo to latest Rails and Ruby versions.

Steps to solve the problem

  1. Upgrade Ruby from 2.6.3 to 2.7.0-preview.
  2. Upgrade Rails to 6.0.0.rc1 (or at least 5.2).
  3. Fix all lost functionality with help.

Status

  1. Copied repo to separate repo.
    1. Made upgrades.
    2. Fixed regressions (lost test spec), maybe.

TODOs

  1. Document loss of one test spec in this issue or separate issue.
  2. Ask for review help with the lost test spec.
  3. Merge the above upgrades into Railsgoat's master branch.

Help

  1. Any help or comments on this issue are welcome.

jasnow commented 5 years ago

This is the one test spec that stopped working after upgrading:

https://github.com/OWASP/railsgoat/blob/master/spec/vulnerabilities/sql_injection_spec.rb

and the line that I needed to change was:

find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"

Found this background material for Rails 5.2 SQL Injection Protection:

So I changed the find line to this (@cktricky Right?):

find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
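
The spec line above only exercises the vulnerability; to make the regression visible outside a full Rails stack, here is an added plain-Ruby example (not railsgoat's code) that builds the same kind of WHERE clause two ways, once by string interpolation and once with a quoted literal, and then checks whether any of the payload escaped the literal. The `quote` helper is an assumption that mimics how ActiveRecord doubles single quotes; the two payload strings are the ones from this thread.

```ruby
# Added example, not from railsgoat: string-interpolated SQL vs. a quoted
# literal, with a small check that reports whether untrusted input has leaked
# out of its string literal into the surrounding SQL.

# The two payloads discussed in this issue (constructed sample input).
PAYLOAD_OLD = "8' OR admin='t') --"
PAYLOAD_NEW = "8' OR 1 == 1) --"

# Vulnerable: the caller's value is pasted straight into the SQL text.
def vulnerable_where(user_id)
  "SELECT * FROM users WHERE (id = '#{user_id}')"
end

# Assumed minimal quoting in the style of ActiveRecord's quote for strings:
# wrap in single quotes and double any embedded single quote.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened: the value is emitted as one literal, so it cannot close the string.
def safe_where(user_id)
  "SELECT * FROM users WHERE (id = #{quote(user_id)})"
end

# Return the SQL text with every single-quoted literal removed, honouring the
# doubled-quote escape, so only the structural part of the statement remains.
def outside_literals(sql)
  out = +""
  i = 0
  in_literal = false
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # escaped quote, stay inside the literal
        else
          in_literal = false
        end
      end
    elsif c == "'"
      in_literal = true
    else
      out << c
    end
    i += 1
  end
  out
end

# True when a boolean operator or a comment marker appears outside any literal,
# i.e. when the input has changed the structure of the query.
def injected?(sql)
  text = outside_literals(sql)
  text.match?(/\bOR\b/i) || text.include?("--")
end

if __FILE__ == $PROGRAM_NAME
  [PAYLOAD_OLD, PAYLOAD_NEW].each do |p|
    puts "interpolated: #{vulnerable_where(p)}  injected? #{injected?(vulnerable_where(p))}"
    puts "quoted:       #{safe_where(p)}  injected? #{injected?(safe_where(p))}"
  end
end
```

Run with `ruby sql_check.rb`: both payloads change the structure of the interpolated query, while the quoted form keeps them inside a single literal. The `injected?` check is deliberately narrow (OR and `--` only) and is meant as a spec-level guard, not a general SQL parser.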

cktricky commented 4 years ago

Hey @jasnow, that should work!

jasnow commented 4 years ago

Thanks