omniauth: protect against CSRF

See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Pierre de La Morinerie 2019-07-15 14:35:24 +00:00
parent 329bfd5f4d
commit 76335511c8
4 changed files with 10 additions and 1 deletions


@ -39,6 +39,7 @@ gem 'lograge'
gem 'logstash-event'
gem 'mailjet'
gem 'omniauth-github'
gem 'omniauth-rails_csrf_protection', '~> 0.1'
gem 'openid_connect'
gem 'openstack'
gem 'pg'


@ -386,6 +386,9 @@ GEM
omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1)
omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
open4 (1.3.4)
openid_connect (1.1.6)
activemodel
@ -731,6 +734,7 @@ DEPENDENCIES
mailjet
mina!
omniauth-github
omniauth-rails_csrf_protection (~> 0.1)
openid_connect
openstack
pg


@ -1,6 +1,6 @@
.super-admin.flex.justify-center
%div
%h2 Espace Admin
= link_to administration_github_omniauth_authorize_path, class: "button large" do
= link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
%span.icon.lock
Connexion avec GitHub
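Review bot: `link_to ... method: :post` only produces a POST when the UJS JavaScript (rails-ujs/jquery_ujs) is loaded and enabled in the browser; without it the anchor degrades to a plain GET, which the new initializer now rejects, so the admin login silently breaks instead of failing closed. A form-based helper does not depend on JavaScript and emits the authenticity token as a hidden field itself: `= button_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do`. Whether UJS and `csrf_meta_tags` are present in this layout is not visible in the hunk, so if they are, the current line works but remains the more fragile option.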


@ -0,0 +1,4 @@
# OmniAuth GET requests may be vulnerable to CSRF.
# Ensure that OmniAuth only uses POST requests.
# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:post]
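Review bot: The comment on the new initializer overstates what this line does: restricting `allowed_request_methods` to POST only closes the GET (link/img-driven) request-phase vector; it does not by itself verify any CSRF token, which is the job of the `omniauth-rails_csrf_protection` gem added in the Gemfile. I would make that split explicit so nobody later removes the gem thinking the initializer is sufficient: `# Rejecting GET closes the link-based CSRF vector; the authenticity token on the POST request phase is verified by omniauth-rails_csrf_protection (see Gemfile).` Since the setting is global, any other view or strategy that still reaches an `/auth/:provider` path via GET will now fail; only the GitHub admin link is updated in this commit, so the remaining callers should be checked.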