Maintenance: Applied required changes to resolve 'omniauth' CVE-2015-9284

While Zammad was not affected it was using GET requests. These are now prohibited because they enable the attack vector (in other scenarios).
Since it's not a general 'rails' or 'omnniauth' issue but an issue affecting scenarios where both are combined. It is required to use the 'omniauth-rails_csrf_protection' gem instead of 'omniauth' for those scenarios.

More information can be found here:
https://github.com/omniauth/omniauth/pull/809
https://github.com/omniauth/omniauth/pull/809#issuecomment-497376674
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
https://github.com/cookpad/omniauth-rails_csrf_protection
https://github.com/rubysec/ruby-advisory-db/pull/390#issuecomment-509108186
This commit is contained in:
Thorsten Eckel 2019-07-08 17:18:14 +02:00
parent 5e0e6bb8ea
commit 9503ff20ce
6 changed files with 27 additions and 13 deletions

View file

@ -102,7 +102,7 @@ pre:bundle-audit:
script: script:
- gem install bundler-audit - gem install bundler-audit
- bundle-audit update - bundle-audit update
- bundle-audit - bundle-audit --ignore CVE-2015-9284
pre:github: pre:github:
<<: *pre_stage <<: *pre_stage

View file

@ -64,7 +64,9 @@ gem 'doorkeeper'
gem 'oauth2' gem 'oauth2'
# authentication - third party # authentication - third party
gem 'omniauth' gem 'omniauth-rails_csrf_protection'
# authentication - third party providers
gem 'omniauth-facebook' gem 'omniauth-facebook'
gem 'omniauth-github' gem 'omniauth-github'
gem 'omniauth-gitlab' gem 'omniauth-gitlab'

View file

@ -340,6 +340,9 @@ GEM
omniauth-oauth2 (1.6.0) omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1) oauth2 (~> 1.1)
omniauth (~> 1.9) omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-twitter (1.4.0) omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1) omniauth-oauth (~> 1.1)
rack rack
@ -596,7 +599,6 @@ DEPENDENCIES
mysql2 (= 0.4.10) mysql2 (= 0.4.10)
net-ldap net-ldap
oauth2 oauth2
omniauth
omniauth-facebook omniauth-facebook
omniauth-github omniauth-github
omniauth-gitlab omniauth-gitlab
@ -604,6 +606,7 @@ DEPENDENCIES
omniauth-linkedin-oauth2 omniauth-linkedin-oauth2
omniauth-microsoft-office365 omniauth-microsoft-office365
omniauth-oauth2 omniauth-oauth2
omniauth-rails_csrf_protection
omniauth-twitter omniauth-twitter
omniauth-weibo-oauth2 omniauth-weibo-oauth2
pg (= 0.21.0) pg (= 0.21.0)

View file

@ -48,21 +48,24 @@
<% end %> <% end %>
</div> </div>
<% if !_.isEmpty(@auth_providers): %> </form>
<% if !_.isEmpty(@auth_providers): %>
<div class="separator"> <div class="separator">
<span class="separator-text"><%- @T('or sign in using') %></span> <span class="separator-text"><%- @T('or sign in using') %></span>
</div> </div>
<div class="auth-providers"> <div class="auth-providers">
<% for auth_provider in @auth_providers: %> <% for auth_provider in @auth_providers: %>
<a class="auth-provider auth-provider--<%= auth_provider.class %>" href="<%= auth_provider.url %>"> <form method="post" action="<%= auth_provider.url %>">
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %> <input type="hidden" name="authenticity_token" value="<%= Spine.Ajax.defaults.headers['X-CSRF-Token'] %>">
<span class="provider-name"><%- @T(auth_provider.name) %></span> <button type="submit" class="auth-provider auth-provider--<%= auth_provider.class %>">
</a> <%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
<span class="provider-name"><%- @T(auth_provider.name) %></span>
</button>
</form>
<% end %> <% end %>
</div> </div>
<% end %> <% end %>
</form>
</div> </div>
<p> <p>

View file

@ -2969,9 +2969,14 @@ ol.tabs li {
flex-wrap: wrap; flex-wrap: wrap;
justify-content: space-between; justify-content: space-between;
margin-bottom: -10px; margin-bottom: -10px;
> form {
width: calc(33.33% - 6px);
}
} }
.auth-provider { .auth-provider {
width: 100%;
height: 40px; height: 40px;
padding: 0 10px 0 7px; padding: 0 10px 0 7px;
margin-bottom: 10px; margin-bottom: 10px;
@ -2981,7 +2986,8 @@ ol.tabs li {
display: flex; display: flex;
align-items: center; align-items: center;
text-decoration: none; text-decoration: none;
width: calc(33.33% - 6px); border: none;
text-align: initial;
&.auth-provider--wide { &.auth-provider--wide {
padding-right: 25px; padding-right: 25px;

View file

@ -5,7 +5,7 @@ RSpec.describe 'OAuth', type: :request do
describe 'request handling' do describe 'request handling' do
it 'does o365 - start' do it 'does o365 - start' do
get '/auth/microsoft_office365' post '/auth/microsoft_office365'
expect(response).to have_http_status(:found) expect(response).to have_http_status(:found)
expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize') expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback') expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback')