omniauth: protect against CSRF (#4102)

Configure OmniAuth pour éviter de potentielles CSRF
2019-07-15 18:16:42 +02:00 · 2019-07-15 18:16:42 +02:00 · 5a70ae7a8f
commit 5a70ae7a8f
parent 329bfd5f4d 76335511c8
4 changed files with 10 additions and 1 deletions
--- a/1
+++ b/1
@ -39,6 +39,7 @@ gem 'lograge'
 gem 'logstash-event'
 gem 'mailjet'
 gem 'omniauth-github'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'openid_connect'
 gem 'openstack'
 gem 'pg'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -386,6 +386,9 @@ GEM
    omniauth-oauth2 (1.6.0)
      oauth2 (~> 1.1)
      omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
    open4 (1.3.4)
    openid_connect (1.1.6)
      activemodel
@ -731,6 +734,7 @@ DEPENDENCIES
  mailjet
  mina!
  omniauth-github
+  omniauth-rails_csrf_protection (~> 0.1)
  openid_connect
  openstack
  pg
--- a/app/views/administrations/sessions/new.html.haml
+++ b/app/views/administrations/sessions/new.html.haml
@ -1,6 +1,6 @@
 .super-admin.flex.justify-center
  %div
    %h2 Espace Admin
-    = link_to administration_github_omniauth_authorize_path, class: "button large" do
+    = link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
      %span.icon.lock
      Connexion avec GitHub
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -0,0 +1,4 @@
+# OmniAuth GET requests may be vulnerable to CSRF.
+# Ensure that OmniAuth only uses POST requests.
+# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]