Resolving CVE 2015 9284
These instructions are up-to-date as of August 12th, 2019, and OmniAuth version v1.9.0. They are written to address CVE-2015-9284, and are consolidated from discussions in #809.
A key part of resolving this vulnerability is refusing GET requests to `/auth/:provider` endpoints.

If GET requests to `/auth/:provider` are essential for your application (for example, if you ever redirect to `/auth/:provider` as part of an authentication process), then you will need to put together a more involved solution for your specific needs. This may mean redirecting to a standard log-in screen that includes `link_to 'Log in', '/auth/:provider', method: :post` or another POST/form-based approach (such as `button_to`).
Using the `omniauth-rails_csrf_protection` gem:

- Add Rails' built-in CSRF protection to the POST requests by using the `omniauth-rails_csrf_protection` gem:

  ```ruby
  # Gemfile
  gem 'omniauth-rails_csrf_protection'
  ```

- Update all links to `/auth/:provider` to use POST requests. For example:

  ```ruby
  link_to 'Sign in via X', '/auth/:provider', method: :post
  # or
  button_to 'Sign in via X', '/auth/:provider'
  ```

  Not doing this leaves your links issuing GET requests and causes the passthru to third parties to fail, giving this Devise error message: "Not found. Authentication passthru."

- If you're using `bundler-audit`, you will need to explicitly ignore the CVE:

  ```sh
  bundle audit check --ignore CVE-2015-9284
  ```

- If you are continuing to use GET requests to access `/auth/:provider`, then you will need to enable them explicitly, as `omniauth-rails_csrf_protection` changes the default to POST-only (but remember that using GET requests for `/auth/:provider` is not recommended, and you should stick to POST requests if at all possible):

  ```ruby
  # config/initializers/omniauth.rb or similar
  OmniAuth.config.allowed_request_methods = [:post, :get]
  ```
Using the `rack-protection` gem:

- Add CSRF protection to OmniAuth POST requests with the `rack-protection` gem, using an approach similar to the one @abrom has put together: https://gist.github.com/abrom/effe58b27a4f4ac1b97fb85593d7c3be

- Provided you do not need GET access to `/auth/:provider`, ensure only POST requests are allowed:

  ```ruby
  # config/initializers/omniauth.rb or similar
  OmniAuth.config.allowed_request_methods = [:post]
  ```

- Update all links to `/auth/:provider` to use POST requests. You will need to craft forms that POST to `/auth/:provider` and include a hidden field carrying the value of the session's CSRF token. The `rack-protection` source code has a good example: https://github.com/sinatra/sinatra/blob/eee711bce740d38a9a91aa6028688c9a6d74b23b/rack-protection/lib/rack/protection/authenticity_token.rb#L63

- If you're using `bundler-audit`, you will need to explicitly ignore the CVE:

  ```sh
  bundle audit check --ignore CVE-2015-9284
  ```
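The following is an added example written for this page; it is not code from OmniAuth, `rack-protection` or `omniauth-rails_csrf_protection`. It is a minimal Rack middleware that applies both mitigations described above to `/auth/:provider` requests: it rejects every request method other than POST (the effect of `allowed_request_methods = [:post]`), and it requires a hidden `authenticity_token` form field that matches the token held in the Rack session. The class name, the `authenticity_token` parameter name, the `csrf` session key and the `/auth/example` path are assumptions made for the example.

```ruby
# Added illustration, not OmniAuth's, rack-protection's or
# omniauth-rails_csrf_protection's own code. Guards /auth/:provider by
#   1. refusing any request method other than POST, and
#   2. requiring a hidden "authenticity_token" form field equal to the token
#      stored in the session, compared in constant time.
# Class name, parameter name and session key are assumptions for the example.
require 'securerandom'
require 'stringio'
require 'uri'

class AuthRequestGuard
  ALLOWED_REQUEST_METHODS = %w[POST].freeze # mirrors allowed_request_methods = [:post]
  TOKEN_PARAM = 'authenticity_token'
  SESSION_KEY = 'csrf'
  AUTH_PATH = %r{\A/auth/[^/]+\z}

  def initialize(app)
    @app = app
  end

  # Per-session token to embed in the form's hidden field; created on first use.
  def self.token_for(session)
    session[SESSION_KEY] ||= SecureRandom.base64(32)
  end

  def call(env)
    # Only /auth/:provider is guarded; every other path passes straight through.
    return @app.call(env) unless AUTH_PATH.match?(env['PATH_INFO'].to_s)

    unless ALLOWED_REQUEST_METHODS.include?(env['REQUEST_METHOD'])
      return [405, { 'Content-Type' => 'text/plain', 'Allow' => 'POST' }, ['Method Not Allowed']]
    end

    session = (env['rack.session'] ||= {})
    expected = session[SESSION_KEY]
    submitted = form_params(env)[TOKEN_PARAM]
    unless expected && submitted && secure_compare(expected, submitted)
      return [403, { 'Content-Type' => 'text/plain' }, ['Forbidden: invalid authenticity token']]
    end

    @app.call(env)
  end

  private

  # Parses an application/x-www-form-urlencoded body into a Hash.
  def form_params(env)
    body = env['rack.input']
    return {} unless body
    body.rewind if body.respond_to?(:rewind)
    URI.decode_www_form(body.read.to_s).to_h
  end

  # Constant-time comparison so a mismatch does not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Stand-in for the OmniAuth request phase (constructed for the example).
PASSTHRU_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['request phase reached']] }
GUARDED_APP = AuthRequestGuard.new(PASSTHRU_APP)

# Builds a Rack env for a request against the guarded app and returns the status.
def auth_request_status(method, path, session:, body: nil)
  env = {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'rack.session' => session,
    'rack.input' => StringIO.new(body.to_s)
  }
  GUARDED_APP.call(env).first
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = AuthRequestGuard.token_for(session)
  form = URI.encode_www_form(AuthRequestGuard::TOKEN_PARAM => token)
  puts "GET  /auth/example (no token)   -> #{auth_request_status('GET', '/auth/example', session: session)}"
  puts "POST /auth/example (no token)   -> #{auth_request_status('POST', '/auth/example', session: session)}"
  puts "POST /auth/example (bad token)  -> #{auth_request_status('POST', '/auth/example', session: session, body: 'authenticity_token=wrong')}"
  puts "POST /auth/example (good token) -> #{auth_request_status('POST', '/auth/example', session: session, body: form)}"
end
```

In a real deployment the session would come from your session middleware and the form would be rendered with `AuthRequestGuard.token_for(session)` as the hidden field's value; the same four requests in the `__FILE__` block double as a regression check that GET is refused and that a POST without a valid token never reaches the provider passthru.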
Should you wish to add regression testing to validate that this vulnerability is mitigated then you can consult the following examples: