From 76335511c8523142a2f697fd1bedccb9cb4ced08 Mon Sep 17 00:00:00 2001
From: Pierre de La Morinerie <kemenaran@gmail.com>
Date: Mon, 15 Jul 2019 14:35:24 +0000
Subject: [PATCH] omniauth: protect against CSRF

See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
---
 Gemfile                                          | 1 +
 Gemfile.lock                                     | 4 ++++
 app/views/administrations/sessions/new.html.haml | 2 +-
 config/initializers/omniauth.rb                  | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 config/initializers/omniauth.rb

diff --git a/Gemfile b/Gemfile
index be3d60fb6..d46ee525c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,6 +39,7 @@ gem 'lograge'
 gem 'logstash-event'
 gem 'mailjet'
 gem 'omniauth-github'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'openid_connect'
 gem 'openstack'
 gem 'pg'
diff --git a/Gemfile.lock b/Gemfile.lock
index 4e80820c2..76d7ca1fc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -386,6 +386,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     open4 (1.3.4)
     openid_connect (1.1.6)
       activemodel
@@ -731,6 +734,7 @@ DEPENDENCIES
   mailjet
   mina!
   omniauth-github
+  omniauth-rails_csrf_protection (~> 0.1)
   openid_connect
   openstack
   pg
diff --git a/app/views/administrations/sessions/new.html.haml b/app/views/administrations/sessions/new.html.haml
index 8ed5fb4d9..3176e8927 100644
--- a/app/views/administrations/sessions/new.html.haml
+++ b/app/views/administrations/sessions/new.html.haml
@@ -1,6 +1,6 @@
 .super-admin.flex.justify-center
   %div
     %h2 Espace Admin
-    = link_to administration_github_omniauth_authorize_path, class: "button large" do
+    = link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
       %span.icon.lock
       Connexion avec GitHub
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
new file mode 100644
index 000000000..1c1946a5c
--- /dev/null
+++ b/config/initializers/omniauth.rb
@@ -0,0 +1,4 @@
+# OmniAuth GET requests may be vulnerable to CSRF.
+# Ensure that OmniAuth only uses POST requests.
+# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]