
Commit b3e17b5

committed
mitigate CVE-2015-9284
1 parent 0ee3949 commit b3e17b5

4 files changed

Lines changed: 36 additions & 1 deletion


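--- a/Gemfile
+++ b/Gemfile
@@ -31,6 +31,7 @@ gem 'mysql2', group: :production
 gem 'octokit'
 gem 'omniauth'
 gem 'omniauth-github'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'rails-i18n'
 gem 'render_csv'
 gem 'rest-client'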

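--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -258,6 +258,9 @@ GEM
     omniauth-oauth2 (1.7.0)
       oauth2 (~> 1.4)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     orm_adapter (0.5.0)
     parallel (1.20.0)
     parser (2.7.2.0)
@@ -464,6 +467,7 @@ DEPENDENCIES
   octokit
   omniauth
   omniauth-github
+  omniauth-rails_csrf_protection (~> 0.1)
   rails (= 5.2.4.4)
   rails-controller-testing
   rails-i18n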

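--- a/app/views/devise/shared/_links.haml
+++ b/app/views/devise/shared/_links.haml
@@ -15,5 +15,5 @@
   %br/
 - if devise_mapping.omniauthable?
   - resource_class.omniauth_providers.each do |provider|
-    = link_to t('devise.links.sign_in_with', provider: provider.to_s.titleize), omniauth_authorize_path(resource_name, provider)
+    = link_to t('devise.links.sign_in_with', provider: provider.to_s.titleize), omniauth_authorize_path(resource_name, provider), method: :post
     %br/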
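Review bot: The `method: :post` added on line 18 only yields a POST when rails-ujs (or an equivalent JavaScript helper) is loaded and intercepts the click; without it the anchor degrades to a plain GET, which the spec added in this same commit expects the provider route to reject, so the sign-in link would silently stop working for non-JS clients. If the page cannot rely on that JavaScript being present, `button_to` renders a real form that carries the authenticity token: `= button_to t('devise.links.sign_in_with', provider: provider.to_s.titleize), omniauth_authorize_path(resource_name, provider), method: :post`. The enclosing `- if devise_mapping.omniauthable?` block begins at line 16 inside the hunk, but the partial's earlier link sections lie outside it.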
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
# frozen_string_literal: true
2+
3+
require 'spec_helper'
4+
5+
# Make sure that https://nvd.nist.gov/vuln/detail/CVE-2015-9284 is mitigated
6+
describe 'CVE-2015-9284', type: :request do
7+
describe 'GET /auth/:provider' do
8+
it do
9+
get '/users/auth/github'
10+
expect(response).not_to have_http_status(:redirect)
11+
end
12+
end
13+
14+
describe 'POST /auth/:provider without CSRF token' do
15+
before do
16+
@allow_forgery_protection = ActionController::Base.allow_forgery_protection
17+
ActionController::Base.allow_forgery_protection = true
18+
end
19+
20+
it do
21+
expect do
22+
post '/users/auth/github'
23+
end.to raise_error(ActionController::InvalidAuthenticityToken)
24+
end
25+
26+
after do
27+
ActionController::Base.allow_forgery_protection = @allow_forgery_protection
28+
end
29+
end
30+
end
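Review bot: The GET example on line 10 asserts only `expect(response).not_to have_http_status(:redirect)`, which also passes if the request errors with a 500 or renders a 200, so a regression that breaks the provider route rather than the CSRF guard would go unnoticed; pin the status the guarded route actually returns instead (presumably Devise's passthru 404, i.e. `expect(response).to have_http_status(:not_found)` — confirm against a local run before committing to it). Both `it do` examples (lines 8 and 20) have no description, so a failure prints only the generated matcher text; a short description such as `it 'does not start the request phase on a GET'` makes the report readable. The `before`/`after` pair that flips `ActionController::Base.allow_forgery_protection` is global state, and an `around` hook with `ensure` restores it more robustly than two separate hooks.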
