From 76335511c8523142a2f697fd1bedccb9cb4ced08 Mon Sep 17 00:00:00 2001
From: Pierre de La Morinerie
Date: Mon, 15 Jul 2019 14:35:24 +0000
Subject: [PATCH] omniauth: protect against CSRF

See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
---
 Gemfile | 1 +
 Gemfile.lock | 4 ++++
 app/views/administrations/sessions/new.html.haml | 2 +-
 config/initializers/omniauth.rb | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 config/initializers/omniauth.rb

diff --git a/Gemfile b/Gemfile
index be3d60fb6..d46ee525c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,6 +39,7 @@ gem 'lograge'
 gem 'logstash-event'
 gem 'mailjet'
 gem 'omniauth-github'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'openid_connect'
 gem 'openstack'
 gem 'pg'
diff --git a/Gemfile.lock b/Gemfile.lock
index 4e80820c2..76d7ca1fc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -386,6 +386,9 @@ GEM
 omniauth-oauth2 (1.6.0)
 oauth2 (~> 1.1)
 omniauth (~> 1.9)
+omniauth-rails_csrf_protection (0.1.2)
+actionpack (>= 4.2)
+omniauth (>= 1.3.1)
 open4 (1.3.4)
 openid_connect (1.1.6)
 activemodel
@@ -731,6 +734,7 @@ DEPENDENCIES
 mailjet
 mina!
 omniauth-github
+omniauth-rails_csrf_protection (~> 0.1)
 openid_connect
 openstack
 pg
diff --git a/app/views/administrations/sessions/new.html.haml b/app/views/administrations/sessions/new.html.haml
index 8ed5fb4d9..3176e8927 100644
--- a/app/views/administrations/sessions/new.html.haml
+++ b/app/views/administrations/sessions/new.html.haml
@@ -1,6 +1,6 @@
 .super-admin.flex.justify-center
 %div
 %h2 Espace Admin
-= link_to administration_github_omniauth_authorize_path, class: "button large" do
+= link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
 %span.icon.lock
 Connexion avec GitHub
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
new file mode 100644
index 000000000..1c1946a5c
--- /dev/null
+++ b/config/initializers/omniauth.rb
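Review bot: The new `method: :post` on the admin login link in app/views/administrations/sessions/new.html.haml only yields a POST when rails-ujs (or jquery_ujs) is loaded and the layout emits `csrf_meta_tags`; without the JavaScript the browser follows the href as a plain GET, which the initializer in this same patch no longer lets OmniAuth handle, and without the meta tag the synthesized form carries no authenticity token for the new verifier to accept. Neither the layout nor the JavaScript manifest is part of this patch, so I cannot confirm either from here. The JavaScript-free form the CVE wiki recommends is a real form, `= button_to administration_github_omniauth_authorize_path, class: "button large" do`, which Rails renders with the authenticity token inline and which still accepts the icon and label block. If the link is kept, a one-line comment such as `-# method: :post relies on rails-ujs and csrf_meta_tags; OmniAuth rejects GET (see config/initializers/omniauth.rb)` would make the dependency visible to the next editor.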
@@ -0,0 +1,4 @@
+# OmniAuth GET requests may be vulnerable to CSRF.
+# Ensure that OmniAuth only uses POST requests.
+# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]
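Review bot: Setting `OmniAuth.config.allowed_request_methods = [:post]` makes a GET to an OmniAuth request path fall through to the application instead of starting the provider flow, so any link to an `*_omniauth_authorize_path` that is still a plain GET stops working quietly rather than failing loudly; this patch converts only the admin login view, and I cannot see from here whether other views or mailers link to the same paths. It is worth grepping for `omniauth_authorize_path` and `/auth/` before merging. The comment above the setting could state that consequence directly, e.g. `# GET requests to /auth/:provider now fall through to the app; every login link must POST (link_to method: :post with rails-ujs, or button_to).` As a style point, the file is new and could open with `# frozen_string_literal: true` if the project's other initializers carry it.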