
Resolving CVE-2015-9284

Martha Thompson edited this page Sep 2, 2022 · 16 revisions

These instructions are up-to-date as of August 12th, 2019, and OmniAuth version v1.9.0. They are written to address CVE-2015-9284, and are consolidated from discussions in #809.

Using GET requests

A key part of resolving this vulnerability is refusing GET requests to /auth/:provider endpoints.

If GET requests to /auth/:provider are essential for your application (for example, if you ever redirect to /auth/:provider as part of an authentication flow), then you will need a more involved solution tailored to your specific needs. This may mean redirecting to a standard log-in screen that includes link_to 'Log in', '/auth/:provider', method: :post or another POST/form-based approach (such as button_to).

Mitigating in Rails applications

  1. Add Rails' inbuilt CSRF protection to the POST requests by using the omniauth-rails_csrf_protection gem:

         # Gemfile
         gem 'omniauth-rails_csrf_protection'

  2. Update all links to /auth/:provider to use POST requests. For example:

         link_to 'Sign in via X', '/auth/:provider', method: :post
         # or
         button_to 'Sign in via X', '/auth/:provider'

     If you skip this step, your links will keep issuing GET requests, which are now refused, so the passthru to third parties fails with this Devise error message: "Not found. Authentication passthru."

  3. If you're using bundler-audit, you will need to explicitly ignore the CVE:

         bundle audit check --ignore CVE-2015-9284

  4. If you are continuing to use GET requests to access /auth/:provider, then you will need to enable them explicitly, as omniauth-rails_csrf_protection changes the default to POST-only (but remember that using GET requests for /auth/:provider is not recommended, and you should stick to POST requests if at all possible):

         # config/initializers/omniauth.rb or similar
         OmniAuth.config.allowed_request_methods = [:post, :get]

Mitigating in non-Rails applications

  1. Add CSRF protection to OmniAuth POST requests with the rack-protection gem, using an approach similar to the one @abrom has put together: https://gist.github.com/abrom/effe58b27a4f4ac1b97fb85593d7c3be.

  2. Provided you do not need GET access to /auth/:provider, ensure that only POST requests are allowed:

         # config/initializers/omniauth.rb or similar
         OmniAuth.config.allowed_request_methods = [:post]

  3. Update all links to /auth/:provider to use POST requests. You will need to craft forms that POST to /auth/:provider and carry a hidden field holding the session's CSRF token. The rack-protection source code has a good example: https://github.com/sinatra/sinatra/blob/eee711bce740d38a9a91aa6028688c9a6d74b23b/rack-protection/lib/rack/protection/authenticity_token.rb#L63

  4. If you're using bundler-audit, you will need to explicitly ignore the CVE:

         bundle audit check --ignore CVE-2015-9284
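To make the allowed-methods and CSRF-token checks from the steps above concrete, here is an added example (not OmniAuth's, rack-protection's or this page's own code): a hypothetical Rack middleware, AuthRequestGuard, that refuses GET to /auth/:provider unless it is explicitly allowed, validates a hidden authenticity_token field against the session on POST, and renders the form that carries it. The session and form are plain hashes here; a real application would use rack-protection as the steps describe.

```ruby
require 'uri'
require 'cgi'
require 'stringio'
require 'securerandom'

# Hypothetical Rack middleware written for this page (not OmniAuth's or rack-protection's code):
# refuses methods outside the allowed list and demands the session's CSRF token on non-GET requests.
class AuthRequestGuard
  AUTH_PATH = %r{\A/auth/[^/]+\z}
  TEXT = { 'Content-Type' => 'text/plain' }.freeze
  def initialize(app, allowed_methods: [:post]) # mirrors OmniAuth.config.allowed_request_methods
    @app = app
    @allowed = allowed_methods.map { |m| m.to_s.upcase }
  end

  def call(env)
    return @app.call(env) unless AUTH_PATH.match?(env['PATH_INFO'].to_s)
    method = env['REQUEST_METHOD']
    return [405, TEXT, ['method not allowed for /auth/:provider']] unless @allowed.include?(method)
    unless method == 'GET' # a GET is only reachable when explicitly allowed, and carries no token
      expected  = env.dig('rack.session', 'csrf')
      submitted = form_param(env, 'authenticity_token')
      ok = expected && submitted && secure_equal?(expected, submitted)
      return [403, TEXT, ['invalid or missing CSRF token']] unless ok
    end
    @app.call(env)
  end

  # The POST form the steps describe: a hidden field carrying the session's CSRF token.
  def self.login_form(session, provider)
    session['csrf'] ||= SecureRandom.hex(32)
    name = CGI.escapeHTML(provider.to_s)
    "<form method=\"post\" action=\"/auth/#{name}\">" \
      "<input type=\"hidden\" name=\"authenticity_token\" value=\"#{session['csrf']}\">" \
      "<button type=\"submit\">Sign in via #{name}</button></form>"
  end

  private

  def form_param(env, name)
    input = env['rack.input']
    body = input ? input.read : ''
    input.rewind if input.respond_to?(:rewind)
    URI.decode_www_form(body).to_h[name]
  end

  def secure_equal?(a, b) # constant-time comparison so mismatches do not leak via timing
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Passing allowed_methods: [:post, :get] reproduces the opt-in from the Rails section, in which case a GET reaches the provider without a token, which is exactly why the page recommends staying POST-only.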

Regression Testing

If you want regression tests that validate that this vulnerability is mitigated, you can consult the following examples: