Maintenance: Applied required changes to resolve 'omniauth' CVE-2015-9284

While Zammad was not affected, it was using GET requests. These are now prohibited because they enable the attack vector (in other scenarios).
Since it's not a general 'rails' or 'omniauth' issue but one affecting scenarios where both are combined, it is required to use the 'omniauth-rails_csrf_protection' gem instead of 'omniauth' for those scenarios.

More information can be found here:
https://github.com/omniauth/omniauth/pull/809
https://github.com/omniauth/omniauth/pull/809#issuecomment-497376674
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
https://github.com/cookpad/omniauth-rails_csrf_protection
https://github.com/rubysec/ruby-advisory-db/pull/390#issuecomment-509108186
Thorsten Eckel 2019-07-08 17:18:14 +02:00
parent 5e0e6bb8ea
commit 9503ff20ce
6 changed files with 27 additions and 13 deletions


@ -102,7 +102,7 @@ pre:bundle-audit:
script:
- gem install bundler-audit
- bundle-audit update
- bundle-audit
- bundle-audit --ignore CVE-2015-9284
pre:github:
<<: *pre_stage
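Review bot: `--ignore CVE-2015-9284` silences the advisory for the whole project with no recorded reason, so it will outlive its purpose. Put a YAML comment on the line above it pointing at the ruby-advisory-db discussion (https://github.com/rubysec/ruby-advisory-db/pull/390#issuecomment-509108186) and stating that the mitigation in place is `omniauth-rails_csrf_protection`, so the ignore gets revisited and dropped once the advisory metadata is amended.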


@ -64,7 +64,9 @@ gem 'doorkeeper'
gem 'oauth2'
# authentication - third party
gem 'omniauth'
gem 'omniauth-rails_csrf_protection'
# authentication - third party providers
gem 'omniauth-facebook'
gem 'omniauth-github'
gem 'omniauth-gitlab'
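Review bot: the hunk shows both `gem 'omniauth'` and `gem 'omniauth-rails_csrf_protection'`; the commit message says the latter replaces the former and the Gemfile.lock DEPENDENCIES hunk drops `omniauth`, so double-check that the direct `gem 'omniauth'` entry is really gone here (omniauth stays installed transitively through the `omniauth (>= 1.3.1)` requirement of the new gem). It is also worth pinning `omniauth-rails_csrf_protection` to a version range, as the lock shows is done for e.g. `mysql2 (= 0.4.10)` and `pg (= 0.21.0)`, since this gem is now the component enforcing the CSRF check.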


@ -340,6 +340,9 @@ GEM
omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1)
omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1)
rack
@ -596,7 +599,6 @@ DEPENDENCIES
mysql2 (= 0.4.10)
net-ldap
oauth2
omniauth
omniauth-facebook
omniauth-github
omniauth-gitlab
@ -604,6 +606,7 @@ DEPENDENCIES
omniauth-linkedin-oauth2
omniauth-microsoft-office365
omniauth-oauth2
omniauth-rails_csrf_protection
omniauth-twitter
omniauth-weibo-oauth2
pg (= 0.21.0)


@ -48,6 +48,7 @@
<% end %>
</div>
</form>
<% if !_.isEmpty(@auth_providers): %>
<div class="separator">
<span class="separator-text"><%- @T('or sign in using') %></span>
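Review bot: closing the login `</form>` here, before the `auth-providers` block, is a correctness fix rather than a cosmetic move: HTML forbids nested forms, and the provider links become `<form method="post">` elements further down in this file. A one-line template comment saying why the close was moved would stop the next edit from re-nesting it.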
@ -55,14 +56,16 @@
<div class="auth-providers">
<% for auth_provider in @auth_providers: %>
<a class="auth-provider auth-provider--<%= auth_provider.class %>" href="<%= auth_provider.url %>">
<form method="post" action="<%= auth_provider.url %>">
<input type="hidden" name="authenticity_token" value="<%= Spine.Ajax.defaults.headers['X-CSRF-Token'] %>">
<button type="submit" class="auth-provider auth-provider--<%= auth_provider.class %>">
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
<span class="provider-name"><%- @T(auth_provider.name) %></span>
</a>
</button>
</form>
<% end %>
</div>
<% end %>
</form>
</div>
<p>
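Review bot: the hidden `authenticity_token` is filled from `Spine.Ajax.defaults.headers['X-CSRF-Token']` when the view is rendered, so if the token changes afterwards (session reset, a login or logout in another tab) the POST carries a stale value and the new token verifier rejects it with no feedback to the user. Read the token at submit time or re-render the view when the token is refreshed, and surface the rejection in the UI. Escaping the value with `<%=` is right, and keeping the `auth-provider auth-provider--<%= auth_provider.class %>` classes on the `<button>` preserves the existing selectors.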


@ -2969,9 +2969,14 @@ ol.tabs li {
flex-wrap: wrap;
justify-content: space-between;
margin-bottom: -10px;
> form {
width: calc(33.33% - 6px);
}
}
.auth-provider {
width: 100%;
height: 40px;
padding: 0 10px 0 7px;
margin-bottom: 10px;
@ -2981,7 +2986,8 @@ ol.tabs li {
display: flex;
align-items: center;
text-decoration: none;
width: calc(33.33% - 6px);
border: none;
text-align: initial;
&.auth-provider--wide {
padding-right: 25px;
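Review bot: `border: none` and `text-align: initial` cover part of the `<a>`-to-`<button>` switch, but a button also does not inherit font styling from its parent the way an anchor did and carries the browser's default button background; add `font: inherit`, `cursor: pointer` and a background reset to `.auth-provider` so the provider buttons keep looking like the former links across browsers. Moving the one-third width to `> form` while making `.auth-provider` `width: 100%` keeps the three-column layout intact.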


@ -5,7 +5,7 @@ RSpec.describe 'OAuth', type: :request do
describe 'request handling' do
it 'does o365 - start' do
get '/auth/microsoft_office365'
post '/auth/microsoft_office365'
expect(response).to have_http_status(:found)
expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback')
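Review bot: changing `get` to `post '/auth/microsoft_office365'` only proves the POST path still redirects; nothing asserts that the GET path the commit message says is "now prohibited" is actually refused, and the POST is sent without an `authenticity_token`, which passes only because Rails request specs run with forgery protection disabled in the test environment, so the new verifier is not exercised at all. Add an example that `get '/auth/microsoft_office365'` no longer returns `:found`, and one that toggles `ActionController::Base.allow_forgery_protection = true` around the request to show that a POST without a valid token is rejected while one carrying the token still redirects.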