Maintenance: Applied required changes to resolve 'omniauth' CVE-2015-9284
While Zammad was not affected it was using GET requests. These are now prohibited because they enable the attack vector (in other scenarios). Since it's not a general 'rails' or 'omnniauth' issue but an issue affecting scenarios where both are combined. It is required to use the 'omniauth-rails_csrf_protection' gem instead of 'omniauth' for those scenarios. More information can be found here: https://github.com/omniauth/omniauth/pull/809 https://github.com/omniauth/omniauth/pull/809#issuecomment-497376674 https://nvd.nist.gov/vuln/detail/CVE-2015-9284 https://github.com/cookpad/omniauth-rails_csrf_protection https://github.com/rubysec/ruby-advisory-db/pull/390#issuecomment-509108186
This commit is contained in:
parent
5e0e6bb8ea
commit
9503ff20ce
6 changed files with 27 additions and 13 deletions
|
@ -102,7 +102,7 @@ pre:bundle-audit:
|
||||||
script:
|
script:
|
||||||
- gem install bundler-audit
|
- gem install bundler-audit
|
||||||
- bundle-audit update
|
- bundle-audit update
|
||||||
- bundle-audit
|
- bundle-audit --ignore CVE-2015-9284
|
||||||
|
|
||||||
pre:github:
|
pre:github:
|
||||||
<<: *pre_stage
|
<<: *pre_stage
|
||||||
|
|
4
Gemfile
4
Gemfile
|
@ -64,7 +64,9 @@ gem 'doorkeeper'
|
||||||
gem 'oauth2'
|
gem 'oauth2'
|
||||||
|
|
||||||
# authentication - third party
|
# authentication - third party
|
||||||
gem 'omniauth'
|
gem 'omniauth-rails_csrf_protection'
|
||||||
|
|
||||||
|
# authentication - third party providers
|
||||||
gem 'omniauth-facebook'
|
gem 'omniauth-facebook'
|
||||||
gem 'omniauth-github'
|
gem 'omniauth-github'
|
||||||
gem 'omniauth-gitlab'
|
gem 'omniauth-gitlab'
|
||||||
|
|
|
@ -340,6 +340,9 @@ GEM
|
||||||
omniauth-oauth2 (1.6.0)
|
omniauth-oauth2 (1.6.0)
|
||||||
oauth2 (~> 1.1)
|
oauth2 (~> 1.1)
|
||||||
omniauth (~> 1.9)
|
omniauth (~> 1.9)
|
||||||
|
omniauth-rails_csrf_protection (0.1.2)
|
||||||
|
actionpack (>= 4.2)
|
||||||
|
omniauth (>= 1.3.1)
|
||||||
omniauth-twitter (1.4.0)
|
omniauth-twitter (1.4.0)
|
||||||
omniauth-oauth (~> 1.1)
|
omniauth-oauth (~> 1.1)
|
||||||
rack
|
rack
|
||||||
|
@ -596,7 +599,6 @@ DEPENDENCIES
|
||||||
mysql2 (= 0.4.10)
|
mysql2 (= 0.4.10)
|
||||||
net-ldap
|
net-ldap
|
||||||
oauth2
|
oauth2
|
||||||
omniauth
|
|
||||||
omniauth-facebook
|
omniauth-facebook
|
||||||
omniauth-github
|
omniauth-github
|
||||||
omniauth-gitlab
|
omniauth-gitlab
|
||||||
|
@ -604,6 +606,7 @@ DEPENDENCIES
|
||||||
omniauth-linkedin-oauth2
|
omniauth-linkedin-oauth2
|
||||||
omniauth-microsoft-office365
|
omniauth-microsoft-office365
|
||||||
omniauth-oauth2
|
omniauth-oauth2
|
||||||
|
omniauth-rails_csrf_protection
|
||||||
omniauth-twitter
|
omniauth-twitter
|
||||||
omniauth-weibo-oauth2
|
omniauth-weibo-oauth2
|
||||||
pg (= 0.21.0)
|
pg (= 0.21.0)
|
||||||
|
|
|
@ -48,21 +48,24 @@
|
||||||
<% end %>
|
<% end %>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<% if !_.isEmpty(@auth_providers): %>
|
</form>
|
||||||
|
<% if !_.isEmpty(@auth_providers): %>
|
||||||
<div class="separator">
|
<div class="separator">
|
||||||
<span class="separator-text"><%- @T('or sign in using') %></span>
|
<span class="separator-text"><%- @T('or sign in using') %></span>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="auth-providers">
|
<div class="auth-providers">
|
||||||
<% for auth_provider in @auth_providers: %>
|
<% for auth_provider in @auth_providers: %>
|
||||||
<a class="auth-provider auth-provider--<%= auth_provider.class %>" href="<%= auth_provider.url %>">
|
<form method="post" action="<%= auth_provider.url %>">
|
||||||
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
|
<input type="hidden" name="authenticity_token" value="<%= Spine.Ajax.defaults.headers['X-CSRF-Token'] %>">
|
||||||
<span class="provider-name"><%- @T(auth_provider.name) %></span>
|
<button type="submit" class="auth-provider auth-provider--<%= auth_provider.class %>">
|
||||||
</a>
|
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
|
||||||
|
<span class="provider-name"><%- @T(auth_provider.name) %></span>
|
||||||
|
</button>
|
||||||
|
</form>
|
||||||
<% end %>
|
<% end %>
|
||||||
</div>
|
</div>
|
||||||
<% end %>
|
<% end %>
|
||||||
</form>
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
|
|
@ -2969,9 +2969,14 @@ ol.tabs li {
|
||||||
flex-wrap: wrap;
|
flex-wrap: wrap;
|
||||||
justify-content: space-between;
|
justify-content: space-between;
|
||||||
margin-bottom: -10px;
|
margin-bottom: -10px;
|
||||||
|
|
||||||
|
> form {
|
||||||
|
width: calc(33.33% - 6px);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
.auth-provider {
|
.auth-provider {
|
||||||
|
width: 100%;
|
||||||
height: 40px;
|
height: 40px;
|
||||||
padding: 0 10px 0 7px;
|
padding: 0 10px 0 7px;
|
||||||
margin-bottom: 10px;
|
margin-bottom: 10px;
|
||||||
|
@ -2981,7 +2986,8 @@ ol.tabs li {
|
||||||
display: flex;
|
display: flex;
|
||||||
align-items: center;
|
align-items: center;
|
||||||
text-decoration: none;
|
text-decoration: none;
|
||||||
width: calc(33.33% - 6px);
|
border: none;
|
||||||
|
text-align: initial;
|
||||||
|
|
||||||
&.auth-provider--wide {
|
&.auth-provider--wide {
|
||||||
padding-right: 25px;
|
padding-right: 25px;
|
||||||
|
|
|
@ -5,7 +5,7 @@ RSpec.describe 'OAuth', type: :request do
|
||||||
describe 'request handling' do
|
describe 'request handling' do
|
||||||
|
|
||||||
it 'does o365 - start' do
|
it 'does o365 - start' do
|
||||||
get '/auth/microsoft_office365'
|
post '/auth/microsoft_office365'
|
||||||
expect(response).to have_http_status(:found)
|
expect(response).to have_http_status(:found)
|
||||||
expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
|
expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
|
||||||
expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback')
|
expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback')
|
||||||
|
|
Loading…
Reference in a new issue