-
-
-
+
-
-
-
-
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 960c521..dc1d04c 100755
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -2,8 +2,8 @@
RailsGoat
- <%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %>
- <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
+ <%= stylesheet_link_tag "application", media: "all" %>
+ <%= javascript_include_tag "application" %>
<%#= csrf_meta_tags %>
<%
diff --git a/app/views/paid_time_off/index.html.erb b/app/views/paid_time_off/index.html.erb
index 58b1e35..4cbb604 100644
--- a/app/views/paid_time_off/index.html.erb
+++ b/app/views/paid_time_off/index.html.erb
@@ -121,131 +121,124 @@
<%= javascript_include_tag "moment.min.js" %>
<%= javascript_include_tag "fullcalendar.min.js" %>
-
-$(document).ready(function() {
- $('#calendar').fullCalendar({
- events: <%= get_pto_schedule_schedule_index_path(:format => "json").inspect.html_safe %>,
+
diff --git a/app/views/performance/index.html.erb b/app/views/performance/index.html.erb
index 780b891..7eea4f0 100644
--- a/app/views/performance/index.html.erb
+++ b/app/views/performance/index.html.erb
@@ -48,79 +48,77 @@
-
+
\ No newline at end of file
+
diff --git a/bin/bundle b/bin/bundle
new file mode 100755
index 0000000..f19acf5
--- /dev/null
+++ b/bin/bundle
@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+load Gem.bin_path('bundler', 'bundle')
diff --git a/bin/rails b/bin/rails
new file mode 100755
index 0000000..6fb4e40
--- /dev/null
+++ b/bin/rails
@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../config/application', __dir__)
+require_relative "../config/boot"
+require "rails/commands"
diff --git a/bin/rake b/bin/rake
new file mode 100755
index 0000000..4fbf10b
--- /dev/null
+++ b/bin/rake
@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative "../config/boot"
+require "rake"
+Rake.application.run
diff --git a/bin/setup b/bin/setup
new file mode 100755
index 0000000..8bfa480
--- /dev/null
+++ b/bin/setup
@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+require "fileutils"
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+ system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+FileUtils.chdir APP_ROOT do
+ # This script is a way to set up or update your development environment automatically.
+ # This script is idempotent, so that you can run it at any time and get an expectable outcome.
+ # Add necessary setup steps to this file.
+
+ puts '== Installing dependencies =='
+ system! 'gem install bundler --conservative'
+ system('bundle check') || system!('bundle install')
+
+ # Install JavaScript dependencies
+ # system! 'bin/yarn'
+
+ # puts "\n== Copying sample files =="
+ # unless File.exist?('config/database.yml')
+ # FileUtils.cp 'config/database.yml.sample', 'config/database.yml'
+ # end
+
+ puts "\n== Preparing database =="
+ system! 'bin/rails db:reset'
+
+ puts "\n== Removing old logs and tempfiles =="
+ system! 'bin/rails log:clear tmp:clear'
+
+ puts "\n== Restarting application server =="
+ system! 'bin/rails restart'
+end
diff --git a/bin/update b/bin/update
new file mode 100755
index 0000000..58bfaed
--- /dev/null
+++ b/bin/update
@@ -0,0 +1,31 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+ system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+ # This script is a way to update your development environment automatically.
+ # Add necessary update steps to this file.
+
+ puts '== Installing dependencies =='
+ system! 'gem install bundler --conservative'
+ system('bundle check') || system!('bundle install')
+
+ # Install JavaScript dependencies if using Yarn
+ # system('bin/yarn')
+
+ puts "\n== Updating database =="
+ system! 'bin/rails db:migrate'
+
+ puts "\n== Removing old logs and tempfiles =="
+ system! 'bin/rails log:clear tmp:clear'
+
+ puts "\n== Restarting application server =="
+ system! 'bin/rails restart'
+end
diff --git a/bin/yarn b/bin/yarn
new file mode 100755
index 0000000..9fab2c3
--- /dev/null
+++ b/bin/yarn
@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+APP_ROOT = File.expand_path('..', __dir__)
+Dir.chdir(APP_ROOT) do
+ yarn = ENV["PATH"].split(File::PATH_SEPARATOR).
+ select { |dir| File.expand_path(dir) != __dir__ }.
+ product(["yarn", "yarn.cmd", "yarn.ps1"]).
+ map { |dir, file| File.expand_path(file, dir) }.
+ find { |file| File.executable?(file) }
+
+ if yarn
+ exec yarn, *ARGV
+ else
+ $stderr.puts "Yarn executable was not detected in the system."
+ $stderr.puts "Download Yarn at https://yarnpkg.com/en/docs/install"
+ exit 1
+ end
+end
diff --git a/config.ru b/config.ru
index d10ffdd..4a3c09a 100755
--- a/config.ru
+++ b/config.ru
@@ -1,5 +1,6 @@
-# frozen_string_literal: true
# This file is used by Rack-based servers to start the application.
-require ::File.expand_path("../config/environment", __FILE__)
+require_relative "config/environment"
+
run Rails.application
+Rails.application.load_server
diff --git a/config/application.rb b/config/application.rb
index b27f634..d6135d6 100755
--- a/config/application.rb
+++ b/config/application.rb
@@ -1,59 +1,31 @@
-# frozen_string_literal: true
-require File.expand_path("../boot", __FILE__)
+require_relative "boot"
require "rails/all"
# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
-Bundler.require(:default, Rails.env)
+Bundler.require(*Rails.groups)
module Railsgoat
class Application < Rails::Application
- # Settings in config/environments/* take precedence over those specified here.
- # Application configuration should go into files in config/initializers
- # -- all .rb files in that directory are automatically loaded.
- # Custom directories with classes and modules you want to be autoloadable.
- # config.autoload_paths += %W(#{config.root}/extras)
+ # Initialize configuration defaults for originally generated Rails version.
+ config.load_defaults 5.2
- # Only load the plugins named here, in the order given (default is alphabetical).
- # :all can be used as a placeholder for all plugins not explicitly named.
- # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+ # Configuration for the application, engines, and railties goes here.
+ # These settings can be overridden in specific environments using the files
+ # in config/environments, which are processed later.
- # Activate observers that should always be running.
- # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+ #Â RAILSGOAT SPECIFC CONFIGURATION
+ # Disable changes to actve_record belongs_to which breaks associations in RailsGoat from 5 onwards
+ config.active_record.belongs_to_required_by_default = false
- # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
- # Run "rails -D time" for a list of tasks for finding time zone names. Default is UTC.
- # config.time_zone = 'Central Time (US & Canada)'
+ # Disable CSRF protection for RailsGoat
+ config.action_controller.per_form_csrf_tokens = false
- # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
- # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
- # config.i18n.default_locale = :de
+ config.action_dispatch.return_only_media_type_on_content_type = false
- # Configure the default encoding used in templates for Ruby 1.9.
- config.encoding = "utf-8"
-
- # Configure sensitive parameters which will be filtered from the log file.
- config.filter_parameters += [:password]
-
- # Enable escaping HTML in JSON.
- #config.active_support.escape_html_entities_in_json = true
-
- # Use SQL instead of Active Record's schema dumper when creating the database.
- # This is necessary if your schema can't be completely dumped by the schema dumper,
- # like if you have constraints or database-specific column types
- # config.active_record.schema_format = :sql
-
- # Enable the asset pipeline
- config.assets.enabled = true
-
- # add app/assets/fonts to the asset path
- config.assets.paths << Rails.root.join("app", "assets", "fonts")
-
- # Version of your assets, change this if you want to expire all your assets
- config.assets.version = "1.0"
-
- I18n.config.enforce_available_locales = false
+ # config.time_zone = "Central Time (US & Canada)"
+ # config.eager_load_paths << Rails.root.join("extras")
end
end
diff --git a/config/boot.rb b/config/boot.rb
index 5e28a74..3cda23b 100755
--- a/config/boot.rb
+++ b/config/boot.rb
@@ -1,5 +1,4 @@
-# frozen_string_literal: true
-# Set up gems listed in the Gemfile.
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile", __FILE__)
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
-require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+require "bundler/setup" # Set up gems listed in the Gemfile.
+require "bootsnap/setup" # Speed up boot time by caching expensive operations.
diff --git a/config/cable.yml b/config/cable.yml
new file mode 100644
index 0000000..6879b93
--- /dev/null
+++ b/config/cable.yml
@@ -0,0 +1,10 @@
+development:
+ adapter: async
+
+test:
+ adapter: test
+
+production:
+ adapter: redis
+ url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
+ channel_prefix: railsgoat_production
diff --git a/config/contrast_security.yml b/config/contrast_security.yml
new file mode 100644
index 0000000..e5ad988
--- /dev/null
+++ b/config/contrast_security.yml
@@ -0,0 +1,44 @@
+# +-------------------------------------------------------------------------+
+# This Contrast Security configuration is Auto-generated by rake task.
+# To List all available rake task use 'rake -T'.
+#
+# Please enter valid api information, for the Ruby Agent to be able to
+# connect to Contrast UI. You can validate your config file by running:
+# 'bundle exec rake contrast:config:validate'
+#
+# To find your organization keys please follow this documentation:
+# https://docs.contrastsecurity.com/en/find-the-agent-keys.html
+# +-------------------------------------------------------------------------+
+
+# This contrast_security.yml file is intended to contain sensible defaults
+# for the application and can be overwritten by environment variables.
+
+# Contrast Security agent authentication keys
+# Either set the keys here or use environment variables
+# api:
+# url: https://eval.contrastsecurity.com
+# api_key: contrast_user
+# service_key: demo
+# user_name: demo
+
+# Application configuration including name
+application:
+ name: OWASP RailsGoat
+ code: demo-railsgoat
+
+# Server configuration including name and environment
+server:
+ name: railsgoat-docker
+ environment: development
+
+# Configure agent to log to rails log directory
+agent:
+ logger:
+ path: log/contrast_agent.log
+ level: WARN
+ security_logger:
+ path: log/security.log
+ level: WARN
+
+# For more information visit the full Ruby agent configuration guide:
+# https://docs.contrastsecurity.com/en/ruby-configuration.html
diff --git a/config/environment.rb b/config/environment.rb
index 0effbcf..cac5315 100755
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -1,6 +1,5 @@
-# frozen_string_literal: true
# Load the Rails application.
-require File.expand_path("../application", __FILE__)
+require_relative "application"
# Initialize the Rails application.
-Railsgoat::Application.initialize!
+Rails.application.initialize!
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 5196727..7a9f6c3 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,51 +1,76 @@
-# frozen_string_literal: true
-Railsgoat::Application.configure do
- # Settings specified here will take precedence over those in config/application.rb
+require "active_support/core_ext/integer/time"
- # In the development environment your application's code is reloaded on
- # every request. This slows down response time but is perfect for development
+Rails.application.configure do
+ # Settings specified here will take precedence over those in config/application.rb.
+
+ # In the development environment your application's code is reloaded any time
+ # it changes. This slows down response time but is perfect for development
# since you don't have to restart the web server when you make code changes.
config.cache_classes = false
- # Show full error reports and disable caching
- config.consider_all_requests_local = true
- config.action_controller.perform_caching = false
+ # Do not eager load code on boot.
+ config.eager_load = false
+
+ # Show full error reports.
+ config.consider_all_requests_local = true
+
+ # Enable/disable caching. By default caching is disabled.
+ # Run rails dev:cache to toggle caching.
+ if Rails.root.join('tmp', 'caching-dev.txt').exist?
+ config.action_controller.perform_caching = true
+ config.action_controller.enable_fragment_cache_logging = true
+
+ config.cache_store = :memory_store
+ config.public_file_server.headers = {
+ 'Cache-Control' => "public, max-age=#{2.days.to_i}"
+ }
+ else
+ config.action_controller.perform_caching = false
+
+ config.cache_store = :null_store
+ end
+
+ # Store uploaded files on the local file system (see config/storage.yml for options).
+ config.active_storage.service = :local
- # Don't care if the mailer can't send
+ # Don't care if the mailer can't send.
config.action_mailer.raise_delivery_errors = false
- # Print deprecation notices to the Rails logger
+ config.action_mailer.perform_caching = false
+
+ # Print deprecation notices to the Rails logger.
config.active_support.deprecation = :log
- # Only use best-standards-support built into browsers
- config.action_dispatch.best_standards_support = :builtin
+ # Raise exceptions for disallowed deprecations.
+ config.active_support.disallowed_deprecation = :raise
+
+ # Tell Active Support which deprecation messages to disallow.
+ config.active_support.disallowed_deprecation_warnings = []
- # Tired of caching causing issues
- config.middleware.delete Rack::ETag
+ # Raise an error on page load if there are pending migrations.
+ config.active_record.migration_error = :page_load
- # Do not compress assets
- config.assets.compress = false
+ # Highlight code that triggered database queries in logs.
+ config.active_record.verbose_query_logs = true
- # Expands the lines which load the assets
+ # Debug mode disables concatenation and preprocessing of assets.
+ # This option may cause significant delays in view rendering with a large
+ # number of complex assets.
config.assets.debug = true
- # ActionMailer settings for email support
- config.action_mailer.delivery_method = :smtp
- config.action_mailer.smtp_settings = { address: "127.0.0.1", port: 1025 }
- config.action_mailer.default_url_options = { host: "127.0.0.1:3000" }
-
- # config.middleware.insert_before(
- # Rack::Lock, Rack::LiveReload,
- # :min_delay => 500,
- # :max_delay => 1000,
- # :port => 35727,
- # :host => 'railsgoat.dev',
- # :ignore => [ %r{dont/modify\.html$} ]
- # )
-
- # For Rails 4.0+
- # Do not eager load code on boot. This avoids loading your whole application
- # just for the purpose of running a single test. If you are using a tool that
- # preloads Rails for running tests, you may have to set it to true.
- config.eager_load = false
+ # Suppress logger output for asset requests.
+ config.assets.quiet = true
+
+ # Raises error for missing translations.
+ # config.i18n.raise_on_missing_translations = true
+
+ # Annotate rendered view with file names.
+ # config.action_view.annotate_rendered_view_with_filenames = true
+
+ # Use an evented file watcher to asynchronously detect changes in source code,
+ # routes, locales, etc. This feature depends on the listen gem.
+ config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+
+ # Uncomment if you wish to allow Action Cable access from any origin.
+ # config.action_cable.disable_request_forgery_protection = true
end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index d61091e..2336e27 100755
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,109 +1,120 @@
-# frozen_string_literal: true
-Railsgoat::Application.configure do
- # Settings specified here will take precedence over those in config/application.rb
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+ # Settings specified here will take precedence over those in config/application.rb.
# Code is not reloaded between requests.
config.cache_classes = true
+ # Eager load code on boot. This eager loads most of Rails and
+ # your application in memory, allowing both threaded web servers
+ # and those relying on copy on write to perform better.
+ # Rake tasks automatically ignore this option for performance.
+ config.eager_load = true
+
# Full error reports are disabled and caching is turned on.
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
- # Enable Rack::Cache to put a simple HTTP cache in front of your application
- # Add `rack-cache` to your Gemfile before enabling this.
- # For large-scale production use, consider using a caching
- # reverse proxy like nginx, varnish or squid.
- # config.action_dispatch.rack_cache = true
+ # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+ # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+ # config.require_master_key = true
- # Disable Rails's static asset server (Apache or nginx will already do this).
- config.public_file_server.enabled = false
+ # Disable serving static files from the `/public` folder by default since
+ # Apache or NGINX already handles this.
+ config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
- # Compress JavaScripts and CSS
- config.assets.compress = true
-
- # Compress JavaScripts and CSS.
- config.assets.js_compressor = :uglifier
+ # Compress CSS using a preprocessor.
# config.assets.css_compressor = :sass
# Do not fallback to assets pipeline if a precompiled asset is missed.
- config.assets.compile = true # default is false
+ config.assets.compile = false
- # Generate digests for assets URLs.
- config.assets.digest = true
+ # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+ # config.asset_host = 'http://assets.example.com'
- # For Rails 4.0+: Version of your assets, change this if you want to expire all your assets.
- config.assets.version = "1.0"
+ # Specifies the header that your server uses for sending files.
+ # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+ # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
- # Defaults to nil and saved in location specified by config.assets.prefix
- # config.assets.manifest = YOUR_PATH
+ # Store uploaded files on the local file system (see config/storage.yml for options).
+ config.active_storage.service = :local
- # Specifies the header that your server uses for sending files.
- # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
- # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+ # Mount Action Cable outside main process or domain.
+ # config.action_cable.mount_path = nil
+ # config.action_cable.url = 'wss://example.com/cable'
+ # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ]
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
# config.force_ssl = true
- # Set to :debug to see everything in the log.
+ # Include generic and useful information about system operation, but avoid logging too much
+ # information to avoid inadvertent exposure of personally identifiable information (PII).
config.log_level = :info
- # Prepend all log lines with the following tags
- # config.log_tags = [ :subdomain, :uuid ]
-
- # Use a different logger for distributed setups
- # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+ # Prepend all log lines with the following tags.
+ config.log_tags = [ :request_id ]
- # Use a different cache store in production
+ # Use a different cache store in production.
# config.cache_store = :mem_cache_store
- # Enable serving of images, stylesheets, and JavaScripts from an asset server
- # config.action_controller.asset_host = "http://assets.example.com"
+ # Use a real queuing backend for Active Job (and separate queues per environment).
+ # config.active_job.queue_adapter = :resque
+ # config.active_job.queue_name_prefix = "railsgoat_production"
- # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
- # config.assets.precompile += %w( search.js )
+ config.action_mailer.perform_caching = false
- # Disable delivery errors, bad email addresses will be ignored
+ # Ignore bad email addresses and do not raise email delivery errors.
+ # Set this to true and configure the email server for immediate delivery to raise delivery errors.
# config.action_mailer.raise_delivery_errors = false
- # Enable threaded mode
- # config.threadsafe!
-
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
- # the I18n.default_locale when a translation can not be found).
- config.i18n.fallbacks = [I18n.default_locale]
+ # the I18n.default_locale when a translation cannot be found).
+ config.i18n.fallbacks = true
# Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify
- # For Rails 4.0+: Eager load code on boot. This eager loads most of
- # Rails and your application in memory, allowing both thread web
- # servers and those relying on copy on write to perform better.
- # Rake tasks automatically ignore this option for performance.
- config.eager_load = true
-
- # For Rails 4.0+: Use default logging formatter so that PID and timestamp are not suppressed.
- config.log_formatter = ::Logger::Formatter.new
+ # Log disallowed deprecations.
+ config.active_support.disallowed_deprecation = :log
- # For Rails 4.0+: Disable automatic flushing of the log to improve performance.
- # config.autoflush_log = false
+ # Tell Active Support which deprecation messages to disallow.
+ config.active_support.disallowed_deprecation_warnings = []
- # Prepend all log lines with the following tags.
- # config.log_tags = [ :subdomain, :uuid ]
+ # Use default logging formatter so that PID and timestamp are not suppressed.
+ config.log_formatter = ::Logger::Formatter.new
# Use a different logger for distributed setups.
- # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
-
- # Use a different cache store in production.
- # config.cache_store = :mem_cache_store
-
- # Enable serving of images, stylesheets, and JavaScripts from an asset server.
- # config.action_controller.asset_host = "http://assets.example.com"
-
- # Precompile additional assets.
- # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
- # config.assets.precompile += %w( search.js )
-
- # Ignore bad email addresses and do not raise email delivery errors.
- # Set this to true and configure the email server for immediate delivery to raise delivery errors.
- # config.action_mailer.raise_delivery_errors = false
+ # require "syslog/logger"
+ # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new 'app-name')
+
+ if ENV["RAILS_LOG_TO_STDOUT"].present?
+ logger = ActiveSupport::Logger.new(STDOUT)
+ logger.formatter = config.log_formatter
+ config.logger = ActiveSupport::TaggedLogging.new(logger)
+ end
+
+ # Do not dump schema after migrations.
+ config.active_record.dump_schema_after_migration = false
+
+ # Inserts middleware to perform automatic connection switching.
+ # The `database_selector` hash is used to pass options to the DatabaseSelector
+ # middleware. The `delay` is used to determine how long to wait after a write
+ # to send a subsequent read to the primary.
+ #
+ # The `database_resolver` class is used by the middleware to determine which
+ # database is appropriate to use based on the time delay.
+ #
+ # The `database_resolver_context` class is used by the middleware to set
+ # timestamps for the last write to the primary. The resolver uses the context
+ # class timestamps to determine how long to wait before reading from the
+ # replica.
+ #
+ # By default Rails will store a last write timestamp in the session. The
+ # DatabaseSelector middleware is designed as such you can define your own
+ # strategy for connection switching and pass that into the middleware through
+ # these configuration options.
+ # config.active_record.database_selector = { delay: 2.seconds }
+ # config.active_record.database_resolver = ActiveRecord::Middleware::DatabaseSelector::Resolver
+ # config.active_record.database_resolver_context = ActiveRecord::Middleware::DatabaseSelector::Resolver::Session
end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index efc1521..17ce39c 100755
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -1,26 +1,41 @@
-# frozen_string_literal: true
-Railsgoat::Application.configure do
- # Settings specified here will take precedence over those in config/application.rb
-
- # The test environment is used exclusively to run your application's
- # test suite. You never need to work with it otherwise. Remember that
- # your test database is "scratch space" for the test suite and is wiped
- # and recreated between test runs. Don't rely on the data there!
+require "active_support/core_ext/integer/time"
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+ # Settings specified here will take precedence over those in config/application.rb.
+
config.cache_classes = true
- # Configure static asset server for tests with Cache-Control for performance.
+ # Do not eager load code on boot. This avoids loading your whole application
+ # just for the purpose of running a single test. If you are using a tool that
+ # preloads Rails for running tests, you may have to set it to true.
+ config.eager_load = false
+
+ # Configure public file server for tests with Cache-Control for performance.
config.public_file_server.enabled = true
- config.public_file_server.headers = { "Cache-Control" => "public, max-age=3600" }
+ config.public_file_server.headers = {
+ 'Cache-Control' => "public, max-age=#{1.hour.to_i}"
+ }
# Show full error reports and disable caching.
config.consider_all_requests_local = true
config.action_controller.perform_caching = false
+ config.cache_store = :null_store
# Raise exceptions instead of rendering exception templates.
config.action_dispatch.show_exceptions = false
- # Disable request forgery protection in test environment
- config.action_controller.allow_forgery_protection = true
+ # Disable request forgery protection in test environment.
+ config.action_controller.allow_forgery_protection = false
+
+ # Store uploaded files on the local file system in a temporary directory.
+ config.active_storage.service = :test
+
+ config.action_mailer.perform_caching = false
# Tell Action Mailer not to deliver emails to the real world.
# The :test delivery method accumulates sent emails in the
@@ -30,9 +45,15 @@
# Print deprecation notices to the stderr.
config.active_support.deprecation = :stderr
- # For Rails 4.0+
- # Do not eager load code on boot. This avoids loading your whole application
- # just for the purpose of running a single test. If you are using a tool that
- # preloads Rails for running tests, you may have to set it to true.
- config.eager_load = false
+ # Raise exceptions for disallowed deprecations.
+ config.active_support.disallowed_deprecation = :raise
+
+ # Tell Active Support which deprecation messages to disallow.
+ config.active_support.disallowed_deprecation_warnings = []
+
+ # Raises error for missing translations.
+ # config.i18n.raise_on_missing_translations = true
+
+ # Annotate rendered view with file names.
+ # config.action_view.annotate_rendered_view_with_filenames = true
end
diff --git a/config/initializers/application_controller_renderer.rb b/config/initializers/application_controller_renderer.rb
new file mode 100644
index 0000000..89d2efa
--- /dev/null
+++ b/config/initializers/application_controller_renderer.rb
@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# ActiveSupport::Reloader.to_prepare do
+# ApplicationController.renderer.defaults.merge!(
+# http_host: 'example.org',
+# https: false
+# )
+# end
diff --git a/config/initializers/assets.rb b/config/initializers/assets.rb
index 891ade3..6bd831d 100644
--- a/config/initializers/assets.rb
+++ b/config/initializers/assets.rb
@@ -1,2 +1,14 @@
-# frozen_string_literal: true
-Rails.application.config.assets.precompile += %w( validation.js jquery.dataTables.min.js fullcalendar.min.js moment.min.js )
+# Be sure to restart your server when you modify this file.
+
+# Version of your assets, change this if you want to expire all your assets.
+Rails.application.config.assets.version = '1.0'
+
+# Add additional assets to the asset load path.
+# Rails.application.config.assets.paths << Emoji.images_path
+# Add Yarn node_modules folder to the asset load path.
+Rails.application.config.assets.paths << Rails.root.join("app", "assets", "fonts", "node_modules")
+
+# Precompile additional assets.
+# application.js, application.css, and all non-JS/CSS in the app/assets
+# folder are already added.
+Rails.application.config.assets.precompile += %w( fullcalendar.min.js )
diff --git a/config/initializers/backtrace_silencers.rb b/config/initializers/backtrace_silencers.rb
index d0f0d3b..33699c3 100755
--- a/config/initializers/backtrace_silencers.rb
+++ b/config/initializers/backtrace_silencers.rb
@@ -1,8 +1,8 @@
-# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
-# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+# Rails.backtrace_cleaner.add_silencer { |line| /my_noisy_library/.match?(line) }
-# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
-# Rails.backtrace_cleaner.remove_silencers!
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code
+# by setting BACKTRACE=1 before calling your invocation, like "BACKTRACE=1 ./bin/rails runner 'MyClass.perform'".
+Rails.backtrace_cleaner.remove_silencers! if ENV["BACKTRACE"]
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 0000000..35d0f26
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,30 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide content security policy
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# Rails.application.config.content_security_policy do |policy|
+# policy.default_src :self, :https
+# policy.font_src :self, :https, :data
+# policy.img_src :self, :https, :data
+# policy.object_src :none
+# policy.script_src :self, :https
+# policy.style_src :self, :https
+# # If you are using webpack-dev-server then specify webpack-dev-server host
+# policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+
+# # Specify URI for violation reports
+# # policy.report_uri "/csp-violation-report-endpoint"
+# end
+
+# If you are using UJS then enable automatic nonce generation
+# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+# Set the nonce only to specific directives
+# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true
diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
new file mode 100644
index 0000000..f51a497
--- /dev/null
+++ b/config/initializers/cookies_serializer.rb
@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Specify a serializer for the signed and encrypted cookie jars.
+# Valid options are :json, :marshal, and :hybrid.
+Rails.application.config.action_dispatch.cookies_serializer = :hybrid
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index b7fe123..4b34a03 100644
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -1,5 +1,6 @@
-# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
# Configure sensitive parameters which will be filtered from the log file.
-Rails.application.config.filter_parameters += [:password]
+Rails.application.config.filter_parameters += [
+ :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+]
diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb
index aa7435f..ac033bf 100755
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@@ -1,4 +1,3 @@
-# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
# Add new inflection rules using the following format. Inflections
diff --git a/config/initializers/mime_types.rb b/config/initializers/mime_types.rb
index f75864f..dc18996 100755
--- a/config/initializers/mime_types.rb
+++ b/config/initializers/mime_types.rb
@@ -1,6 +1,4 @@
-# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
# Add new mime types for use in respond_to blocks:
# Mime::Type.register "text/richtext", :rtf
-# Mime::Type.register_alias "text/html", :iphone
diff --git a/config/initializers/new_framework_defaults_5_2.rb b/config/initializers/new_framework_defaults_5_2.rb
new file mode 100644
index 0000000..c383d07
--- /dev/null
+++ b/config/initializers/new_framework_defaults_5_2.rb
@@ -0,0 +1,38 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains migration options to ease your Rails 5.2 upgrade.
+#
+# Once upgraded flip defaults one by one to migrate to the new default.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+
+# Make Active Record use stable #cache_key alongside new #cache_version method.
+# This is needed for recyclable cache keys.
+# Rails.application.config.active_record.cache_versioning = true
+
+# Use AES-256-GCM authenticated encryption for encrypted cookies.
+# Also, embed cookie expiry in signed or encrypted cookies for increased security.
+#
+# This option is not backwards compatible with earlier Rails versions.
+# It's best enabled when your entire app is migrated and stable on 5.2.
+#
+# Existing cookies will be converted on read then written with the new scheme.
+# Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true
+
+# Use AES-256-GCM authenticated encryption as default cipher for encrypting messages
+# instead of AES-256-CBC, when use_authenticated_message_encryption is set to true.
+# Rails.application.config.active_support.use_authenticated_message_encryption = true
+
+# Add default protection from forgery to ActionController::Base instead of in
+# ApplicationController.
+# Rails.application.config.action_controller.default_protect_from_forgery = true
+
+# Store boolean values are in sqlite3 databases as 1 and 0 instead of 't' and
+# 'f' after migrating old data.
+# Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
+
+# Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
+# Rails.application.config.active_support.use_sha1_digests = true
+
+# Make `form_with` generate id attributes for any generated HTML tags.
+# Rails.application.config.action_view.form_with_generates_ids = true
diff --git a/config/initializers/new_framework_defaults_6_1.rb b/config/initializers/new_framework_defaults_6_1.rb
new file mode 100644
index 0000000..9526b83
--- /dev/null
+++ b/config/initializers/new_framework_defaults_6_1.rb
@@ -0,0 +1,67 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains migration options to ease your Rails 6.1 upgrade.
+#
+# Once upgraded flip defaults one by one to migrate to the new default.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+
+# Support for inversing belongs_to -> has_many Active Record associations.
+# Rails.application.config.active_record.has_many_inversing = true
+
+# Track Active Storage variants in the database.
+# Rails.application.config.active_storage.track_variants = true
+
+# Apply random variation to the delay when retrying failed jobs.
+# Rails.application.config.active_job.retry_jitter = 0.15
+
+# Stop executing `after_enqueue`/`after_perform` callbacks if
+# `before_enqueue`/`before_perform` respectively halts with `throw :abort`.
+# Rails.application.config.active_job.skip_after_callbacks_if_terminated = true
+
+# Specify cookies SameSite protection level: either :none, :lax, or :strict.
+#
+# This change is not backwards compatible with earlier Rails versions.
+# It's best enabled when your entire app is migrated and stable on 6.1.
+# Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
+
+# Generate CSRF tokens that are encoded in URL-safe Base64.
+#
+# This change is not backwards compatible with earlier Rails versions.
+# It's best enabled when your entire app is migrated and stable on 6.1.
+# Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+
+# Specify whether `ActiveSupport::TimeZone.utc_to_local` returns a time with an
+# UTC offset or a UTC time.
+# ActiveSupport.utc_to_local_returns_utc_offset_times = true
+
+# Change the default HTTP status code to `308` when redirecting non-GET/HEAD
+# requests to HTTPS in `ActionDispatch::SSL` middleware.
+# Rails.application.config.action_dispatch.ssl_default_redirect_status = 308
+
+# Use new connection handling API. For most applications this won't have any
+# effect. For applications using multiple databases, this new API provides
+# support for granular connection swapping.
+# Rails.application.config.active_record.legacy_connection_handling = false
+
+# Make `form_with` generate non-remote forms by default.
+# Rails.application.config.action_view.form_with_generates_remote_forms = false
+
+# Set the default queue name for the analysis job to the queue adapter default.
+# Rails.application.config.active_storage.queues.analysis = nil
+
+# Set the default queue name for the purge job to the queue adapter default.
+# Rails.application.config.active_storage.queues.purge = nil
+
+# Set the default queue name for the incineration job to the queue adapter default.
+# Rails.application.config.action_mailbox.queues.incineration = nil
+
+# Set the default queue name for the routing job to the queue adapter default.
+# Rails.application.config.action_mailbox.queues.routing = nil
+
+# Set the default queue name for the mail deliver job to the queue adapter default.
+# Rails.application.config.action_mailer.deliver_later_queue_name = nil
+
+# Generate a `Link` header that gives a hint to modern browsers about
+# preloading assets when using `javascript_include_tag` and `stylesheet_link_tag`.
+# Rails.application.config.action_view.preload_links_header = true
diff --git a/config/initializers/permissions_policy.rb b/config/initializers/permissions_policy.rb
new file mode 100644
index 0000000..00f64d7
--- /dev/null
+++ b/config/initializers/permissions_policy.rb
@@ -0,0 +1,11 @@
+# Define an application-wide HTTP permissions policy. For further
+# information see https://developers.google.com/web/updates/2018/06/feature-policy
+#
+# Rails.application.config.permissions_policy do |f|
+# f.camera :none
+# f.gyroscope :none
+# f.microphone :none
+# f.usb :none
+# f.fullscreen :self
+# f.payment :self, "https://secure.example.com"
+# end
diff --git a/config/initializers/wrap_parameters.rb b/config/initializers/wrap_parameters.rb
index 6780279..bbfc396 100755
--- a/config/initializers/wrap_parameters.rb
+++ b/config/initializers/wrap_parameters.rb
@@ -1,15 +1,14 @@
-# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
-#
+
# This file contains settings for ActionController::ParamsWrapper which
# is enabled by default.
# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
ActiveSupport.on_load(:action_controller) do
- wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+ wrap_parameters format: [:json]
end
-# Disable root element in JSON by default.
-ActiveSupport.on_load(:active_record) do
- self.include_root_in_json = false
-end
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+# self.include_root_in_json = true
+# end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 0653957..cf9b342 100755
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -16,8 +16,18 @@
#
# This would use the information in config/locales/es.yml.
#
+# The following keys must be escaped otherwise they will not be retrieved by
+# the default I18n backend:
+#
+# true, false, on, off, yes, no
+#
+# Instead, surround them with single quotes.
+#
+# en:
+# 'true': 'foo'
+#
# To learn more, please read the Rails Internationalization guide
-# available at http://guides.rubyonrails.org/i18n.html.
+# available at https://guides.rubyonrails.org/i18n.html.
en:
hello: "Hello world"
diff --git a/config/puma.rb b/config/puma.rb
new file mode 100644
index 0000000..d9b3e83
--- /dev/null
+++ b/config/puma.rb
@@ -0,0 +1,43 @@
+# Puma can serve each request in a thread from an internal thread pool.
+# The `threads` method setting takes two numbers: a minimum and maximum.
+# Any libraries that use thread pools should be configured to match
+# the maximum value specified for Puma. Default is set to 5 threads for minimum
+# and maximum; this matches the default thread size of Active Record.
+#
+max_threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
+min_threads_count = ENV.fetch("RAILS_MIN_THREADS") { max_threads_count }
+threads min_threads_count, max_threads_count
+
+# Specifies the `worker_timeout` threshold that Puma will use to wait before
+# terminating a worker in development environments.
+#
+worker_timeout 3600 if ENV.fetch("RAILS_ENV", "development") == "development"
+
+# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
+#
+port ENV.fetch("PORT") { 3000 }
+
+# Specifies the `environment` that Puma will run in.
+#
+environment ENV.fetch("RAILS_ENV") { "development" }
+
+# Specifies the `pidfile` that Puma will use.
+pidfile ENV.fetch("PIDFILE") { "tmp/pids/server.pid" }
+
+# Specifies the number of `workers` to boot in clustered mode.
+# Workers are forked web server processes. If using threads and workers together
+# the concurrency of the application would be max `threads` * `workers`.
+# Workers do not work on JRuby or Windows (both of which do not support
+# processes).
+#
+# workers ENV.fetch("WEB_CONCURRENCY") { 2 }
+
+# Use the `preload_app!` method when specifying a `workers` number.
+# This directive tells Puma to first boot the application and load code
+# before forking the application. This takes advantage of Copy On Write
+# process behavior so workers use less memory.
+#
+# preload_app!
+
+# Allow puma to be restarted by `rails restart` command.
+plugin :tmp_restart
diff --git a/config/secrets.yml b/config/secrets.yml
new file mode 100644
index 0000000..4d1e3c3
--- /dev/null
+++ b/config/secrets.yml
@@ -0,0 +1,32 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rails secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+# Shared secrets are available across all environments.
+
+# shared:
+# api_key: a1B2c3D4e5F6
+
+# Environmental secrets are only available for that specific environment.
+
+development:
+ secret_key_base: 04c89de21cba0e495aa6dbef4b65fb217438966206fdd7f6f81ce745bc61cc70cb72553a7e3be2c7d8ad550cf664bdfde571ec04e06ce7396750f79e38216e04
+
+test:
+ secret_key_base: da8b0abe0daef4b2b62bf2eb0900cc0241286a4dc92fac4eca1a46eb8156da7cd78bf4155435f23f4e7d477fc6714f4d9b1d449c05f5890bee1ca4f7d0fad069
+
+# Do not keep production secrets in the unencrypted secrets file.
+# Instead, either read values from the environment.
+# Or, use `bin/rails secrets:setup` to configure encrypted secrets
+# and move the `production:` environment over there.
+
+production:
+ secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
diff --git a/config/spring.rb b/config/spring.rb
new file mode 100644
index 0000000..c9119b4
--- /dev/null
+++ b/config/spring.rb
@@ -0,0 +1,6 @@
+%w(
+ .ruby-version
+ .rbenv-vars
+ tmp/restart.txt
+ tmp/caching-dev.txt
+).each { |path| Spring.watch(path) }
diff --git a/config/storage.yml b/config/storage.yml
new file mode 100644
index 0000000..d32f76e
--- /dev/null
+++ b/config/storage.yml
@@ -0,0 +1,34 @@
+test:
+ service: Disk
+ root: <%= Rails.root.join("tmp/storage") %>
+
+local:
+ service: Disk
+ root: <%= Rails.root.join("storage") %>
+
+# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
+# amazon:
+# service: S3
+# access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
+# secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
+# region: us-east-1
+# bucket: your_own_bucket
+
+# Remember not to checkin your GCS keyfile to a repository
+# google:
+# service: GCS
+# project: your_project
+# credentials: <%= Rails.root.join("path/to/gcs.keyfile") %>
+# bucket: your_own_bucket
+
+# Use rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key)
+# microsoft:
+# service: AzureStorage
+# storage_account_name: your_account_name
+# storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %>
+# container: your_container_name
+
+# mirror:
+# service: Mirror
+# primary: local
+# mirrors: [ amazon, google, microsoft ]
diff --git a/db/migrate/20230801225421_add_service_name_to_active_storage_blobs.active_storage.rb b/db/migrate/20230801225421_add_service_name_to_active_storage_blobs.active_storage.rb
new file mode 100644
index 0000000..a15c6ce
--- /dev/null
+++ b/db/migrate/20230801225421_add_service_name_to_active_storage_blobs.active_storage.rb
@@ -0,0 +1,22 @@
+# This migration comes from active_storage (originally 20190112182829)
+class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
+ def up
+ return unless table_exists?(:active_storage_blobs)
+
+ unless column_exists?(:active_storage_blobs, :service_name)
+ add_column :active_storage_blobs, :service_name, :string
+
+ if configured_service = ActiveStorage::Blob.service.name
+ ActiveStorage::Blob.unscoped.update_all(service_name: configured_service)
+ end
+
+ change_column :active_storage_blobs, :service_name, :string, null: false
+ end
+ end
+
+ def down
+ return unless table_exists?(:active_storage_blobs)
+
+ remove_column :active_storage_blobs, :service_name
+ end
+end
diff --git a/db/migrate/20230801225422_create_active_storage_variant_records.active_storage.rb b/db/migrate/20230801225422_create_active_storage_variant_records.active_storage.rb
new file mode 100644
index 0000000..94ac83a
--- /dev/null
+++ b/db/migrate/20230801225422_create_active_storage_variant_records.active_storage.rb
@@ -0,0 +1,27 @@
+# This migration comes from active_storage (originally 20191206030411)
+class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
+ def change
+ return unless table_exists?(:active_storage_blobs)
+
+ # Use Active Record's configured type for primary key
+ create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
+ t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type
+ t.string :variation_digest, null: false
+
+ t.index %i[ blob_id variation_digest ], name: "index_active_storage_variant_records_uniqueness", unique: true
+ t.foreign_key :active_storage_blobs, column: :blob_id
+ end
+ end
+
+ private
+ def primary_key_type
+ config = Rails.configuration.generators
+ config.options[config.orm][:primary_key_type] || :primary_key
+ end
+
+ def blobs_primary_key_type
+ pkey_name = connection.primary_key(:active_storage_blobs)
+ pkey_column = connection.columns(:active_storage_blobs).find { |c| c.name == pkey_name }
+ pkey_column.bigint? ? :bigint : pkey_column.type
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index e9d5e1e..7e82135 100755
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1,17 +1,16 @@
-# frozen_string_literal: true
# This file is auto-generated from the current state of the database. Instead
# of editing this file, please use the migrations feature of Active Record to
# incrementally modify your database, and then regenerate this schema definition.
#
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20171007010129) do
+ActiveRecord::Schema.define(version: 2023_08_01_225422) do
create_table "analytics", force: :cascade do |t|
t.string "ip_address"
diff --git a/db/seeds.rb b/db/seeds.rb
index 338f956..24cd8fa 100755
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -162,6 +162,14 @@
]
work_info = [
+ {
+ user: "admin@metacorp.com",
+ income: "$200,000",
+ bonuses: "$50,000",
+ years_worked: 9,
+ SSN: "111-11-111",
+ DoB: "02-02-1990"
+ },
{
user: "jack@metacorp.com",
income: "$50,000",
diff --git a/doc/README_FOR_APP b/doc/README_FOR_APP
deleted file mode 100755
index 2c9ee3e..0000000
--- a/doc/README_FOR_APP
+++ /dev/null
@@ -1,2 +0,0 @@
-Use this README file to introduce your application and point to useful places in the API for learning more.
-Run "rails doc:app" to generate API documentation for your models, controllers, helpers, and libraries.
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..c0927b0
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,30 @@
+services:
+ railsgoat-dev:
+ image: contrastsecuritydemo/railsgoat:6.1.7
+ build:
+ context: .
+ dockerfile: Dockerfile
+ target: runner
+ container_name: railsgoat-dev
+ ports:
+ - "3000:3000"
+ env_file:
+ - .env
+ volumes:
+ - .:/app
+
+ railsgoat-prod:
+ image: contrastsecuritydemo/railsgoat:6.1.7
+ build:
+ context: .
+ dockerfile: Dockerfile
+ target: runner
+ container_name: railsgoat-prod
+ ports:
+ - 3001:3000
+ env_file:
+ - .env
+ environment:
+ CONTRAST__SERVER__NAME: RailsGoat-Prod-TM
+ CONTRAST__SERVER__ENVIRONMENT: production
+ # TEST: True
diff --git a/docs/CONTRAST.md b/docs/CONTRAST.md
new file mode 100644
index 0000000..bf8ec95
--- /dev/null
+++ b/docs/CONTRAST.md
@@ -0,0 +1,14 @@
+# Contrast specific changes
+Documentation of the changes made to RailsGoat to add Contrast Security to the project.
+
+## Changelog to add Contrast to this project
+* `contrast_security.yaml` configuration file added to the `config/` directory
+* `.env` configuration file added to the root directory
+* `gem 'contrast-agent'` added to the `Gemfile`
+
+## Other changes to RailsGoat (Not required for Contrast)
+* Upgraded to Ruby `3.1.4`
+* Upgraded to Rails `6.1.7`
+* Improved the `Dockerfile` to use a multi-stage build and Alpine Linux
+* Updated the `docker-compose` file to start two services: `dev` and `prod`
+* Fixed issues with loading javascript and rendering graphs on multiple pages
diff --git a/docs/DEPLOY_TO_AZURE.md b/docs/DEPLOY_TO_AZURE.md
new file mode 100644
index 0000000..bae11c1
--- /dev/null
+++ b/docs/DEPLOY_TO_AZURE.md
@@ -0,0 +1,14 @@
+# Running in Azure (Azure App Service):
+
+## Pre-Requisites
+
+1. Place a `contrast_security.yaml` file into the application's root folder.
+1. Install Terraform from here: https://www.terraform.io/downloads.html.
+1. Install PyYAML using `pip install PyYAML`.
+1. Install the Azure cli tools using `brew update && brew install azure-cli`.
+1. Log into Azure to make sure you cache your credentials using `az login`.
+1. Edit the [variables.tf](variables.tf) file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
+1. Run `terraform init` to download the required plugins.
+1. Run `terraform plan` and check the output for errors.
+1. Run `terraform apply` to build the infrastructure that you need in Azure, this will output the web address for the application.
+1. Run `terraform destroy` when you would like to stop the app service and release the resources.
diff --git a/docs/UPGRADE_RAILSGOAT.md b/docs/UPGRADE_RAILSGOAT.md
new file mode 100644
index 0000000..ed53a59
--- /dev/null
+++ b/docs/UPGRADE_RAILSGOAT.md
@@ -0,0 +1,94 @@
+# Upgrading Rails and Ruby versions for RailsGoat
+This guide is intended for Contrast maintainers who are upgrading the version of Ruby and/or Rails used by RailsGoat.
+
+## Why Upgrade?
+We will need to keep the version of RailsGoat within the versions supported by Ruby on Rails **and** the Contrast Ruby Agent for this demo app to remain operational. We may also want to take advantage of new features and performance enhancements offered by the latest versions of the Contrast Ruby Agent.
+
+* See the [Ruby Maintenance Branches](https://www.ruby-lang.org/en/downloads/branches/) schedule for specific release dates.
+* See the [Contrast Ruby Agent Supported Technologies](https://docs.contrastsecurity.com/en/ruby-supported-technologies.html) for the currently supported versions of Ruby and Rails.
+
+## How to upgrade RailsGoat
+Upgrading the version of Ruby, Rails or Bundler that this app uses should be done using the provided Dockerfile, as this will provide the most repeatable results.
+
+Follow the [Upgrading Ruby on Rails](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html) guide from the official documentation. Read through this guide first if you are not familiar.
+
+**General tips for a successful upgrade:**
+* Upgrade Ruby and Rails separately, building the Dockerfile and dealing with any issues, bugs, or deprecation warnings as you go.
+* Run the rspec tests in between each build to ensure that no functionality is broken.
+* Ruby can be upgraded one major version at a time (first jump to the last minor version of your current version, test, and then continue the upgrade to the next major version)
+* Don't upgrade Ruby past the [last ruby version supported by your current version of rails](https://www.fastruby.io/blog/ruby/rails/versions/compatibility-table.html).
+* Rails needs to be updated **one minor version at a time** (version format: `major.minor.patch`). This is to make running `rails app:update` command easier, which will attempt to apply the changes required to your codebase.
+* When running `rails app:update`, you will be prompted to overwrite files. Please view the diffs of these changes and test the changes before committing.
+
+### Upgrading Ruby
+First upgrade the Ruby version to your target Ruby version in the Dockerfile, the Gemfile and the .ruby-version files.
+
+Dockerfile:
+```Dockerfile
+...
+# Default Ruby version for this project.
+ARG RUBY_VERSION=3.1.4 <---
+
+# Base Alpine Ruby image for common setup
+FROM ruby:$RUBY_VERSION-alpine as base
+...
+```
+
+Gemfile:
+```Gemfile
+...
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+gem "rails", "5.2.8"
+
+ruby "2.7.7" <---
+...
+```
+
+Now rebuild the container,test the app and make sure the gems are fully up to date:
+```bash
+docker compose up --build
+docker compose exec web sh
+> bundle update
+> bundle install
+```
+
+### Upgrading Rails
+Now that you have upgraded Ruby, you can upgrade Rails. Change the version number for rails in the Gemfile:
+
+```Gemfile
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+gem "rails", "6.1.7" <---
+
+ruby "3.1.4"
+```
+
+Rerun the step above to rebuild the container, attach to it and then update gems again.
+```bash
+docker compose up --build
+docker compose exec web sh
+> bundle update
+> bundle install
+```
+
+You can also use the rails update command to implement any of the changes required by the new version of Rails. This will prompt you to overwrite files, so make sure you view the diffs and test the changes before committing.
+
+```bash
+docker compose exec web sh
+> bin/bash app:update
+```
+
+Now test the app for any errors or deprecation warnings, fix them, run tests, and commit your changes.
+
+#### Upgrade bundler
+It's unlikely, but you may also need to upgrade bundler if you are getting errors. You can do this by running `bundle update --bundler`. The default version of bundler from the ruby container should be preferred.
+
+#### Migrating and seeding the database
+If database migrations were created by the update process, you will need to run them and then seed the database.
+
+```bash
+docker compose exec web bin/rails db:migrate
+```
diff --git a/docs/img/application-details.png b/docs/img/application-details.png
new file mode 100644
index 0000000..9d6a37c
Binary files /dev/null and b/docs/img/application-details.png differ
diff --git a/entrypoint.sh b/entrypoint.sh
index 48410b9..671a8df 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,7 +1,35 @@
+#!/bin/sh
+set -e
+echo -e "$0: => Running the docker entrypoint script"
+
+function check_agent_connectivity {
+ echo -e "$0: => Checking Contrast Agent configuration"
+ bundle exec rails contrast:config:validate
+}
+
+if check_agent_connectivity; then
+ echo -e "$0: => Contrast agent connectivity check: SUCCESS"
+ echo -e "$0: => Starting RailsGoat with Contrast..."
+else
+ echo -e "$0: => Contrast agent connectivity check: FAILED"
+ echo -e "It's likely that you haven't set your Contrast Agent authentication keys correctly."
+ echo -e "\nSet the following environment variables by passing them in your docker run command with the -e flag"
+ echo -e "\t -e CONTRAST__API__URL="
+ echo -e "\t -e CONTRAST__API__API_KEY="
+ echo -e "\t -e CONTRAST__API__SERVICE_KEY="
+ echo -e "\t -e CONTRAST__API__USER_NAME="
+ echo -e "\n OR add these values to the .env file and pass this in your docker command."
+ echo -e "\n OR add these values to the contrast_security.yaml file in the config directory."
+ echo -e "\nTo find your organization keys please follow this documentation:"
+ echo -e "https://docs.contrastsecurity.com/en/find-the-agent-keys.html"
+ exit 1
+fi
+
rm -f tmp/pids/server.pid
-if [[ $TEST = true ]]
-then
+if [ $TEST ]; then
+ echo -e "== Running RailsGoat in training mode with Contrast enabled =="
bundle exec rails training
else
- bundle exec rails s -p 3000 -b '0.0.0.0'
-fi
\ No newline at end of file
+ echo -e "== Running RailsGoat with Contrast enabled =="
+ bundle exec rails server -p 3000 -b '0.0.0.0'
+fi
diff --git a/log/.gitkeep b/log/.keep
similarity index 100%
rename from log/.gitkeep
rename to log/.keep
diff --git a/parseyaml.py b/parseyaml.py
deleted file mode 100644
index 2f50efb..0000000
--- a/parseyaml.py
+++ /dev/null
@@ -1,4 +0,0 @@
-import yaml, json
-with open('./contrast_security.yaml') as f:
- config = yaml.load(f)
- print(json.dumps(config['api']))
\ No newline at end of file
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 3e79dbf..543daaf 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -9,7 +9,7 @@
require File.expand_path("../../config/environment", __FILE__)
require "rspec/rails"
require "capybara/rails"
-require "capybara/poltergeist"
+require "capybara/cuprite"
require "database_cleaner"
# Requires supporting ruby files with custom matchers and macros, etc,
@@ -28,7 +28,7 @@
# If you're not using ActiveRecord, or you'd prefer not to run each of your
# examples within a transaction, remove the following line or assign false
# instead of true.
- config.use_transactional_fixtures = false # Capybara Poltergeist driver requires this
+ config.use_transactional_fixtures = false
# If true, the base class of anonymous controllers will be inferred
# automatically. This will be the default behavior in future versions of
@@ -61,6 +61,6 @@
config.infer_spec_type_from_file_location!
end
-Capybara.javascript_driver = :poltergeist
+Capybara.javascript_driver = :cuprite
DatabaseCleaner.strategy = :truncation
diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb
index 7216b16..4b5490e 100644
--- a/spec/support/capybara_shared.rb
+++ b/spec/support/capybara_shared.rb
@@ -46,8 +46,7 @@ def login(user)
end
end
-##Hack to fix PhantomJS errors on Mavericks - https://gist.github.com/ericboehs/7125105
-module Capybara::Poltergeist
+module Capybara::Cuprite
class Client
private
def redirect_stdout
@@ -93,8 +92,14 @@ def ignore?(message)
end
end
-Capybara.register_driver :poltergeist do |app|
- Capybara::Poltergeist::Driver.new(app, phantomjs_logger: WarningSuppressor.new, timeout: 60)
+Capybara.register_driver :cuprite do |app|
+ Capybara::Cuprite::Driver.new(
+ app,
+ js_errors: true,
+ window_size: [1200, 900],
+ browser_options: { 'no-sandbox': nil },
+ timeout: 60
+ )
end
-Capybara.javascript_driver = :poltergeist
+Capybara.javascript_driver = :cuprite
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index dd22d32..3196975 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -22,7 +22,7 @@
fill_in "user_password_confirmation", with: "hacketyhack"
# this is a hidden field, so cannot use fill_in to access it.
- find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
+ find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
end
click_on "Submit"