
Maintenance: Applied required changes to resolve 'omniauth' CVE-2015-9284

While Zammad was not affected it was using GET requests. These are now prohibited because they enable the attack vector (in other scenarios).
Since it's not a general 'rails' or 'omniauth' issue but an issue affecting scenarios where both are combined, it is required to use the 'omniauth-rails_csrf_protection' gem instead of 'omniauth' for those scenarios.

More information can be found here:
omniauth/omniauth#809
omniauth/omniauth#809 (comment)
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
https://github.com/cookpad/omniauth-rails_csrf_protection
rubysec/ruby-advisory-db#390 (comment)
thorsteneckel committed Jul 8, 2019
1 parent 5e0e6bb commit 9503ff20cefcfc39cb451562d7ec4fd440198564
@@ -102,7 +102,7 @@ pre:bundle-audit:
script:
- gem install bundler-audit
- bundle-audit update
- bundle-audit
- bundle-audit --ignore CVE-2015-9284

pre:github:
<<: *pre_stage
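Review bot: the `--ignore CVE-2015-9284` on the final `bundle-audit` call suppresses the advisory with no expiry and no comment in the CI file explaining why it is safe to ignore, so a future reader of `.gitlab-ci.yml` only sees a silenced CVE. Suggest a YAML comment above that line stating that the mitigation is the `omniauth-rails_csrf_protection` gem added in this commit, plus a reminder to drop the ignore once an omniauth release that resolves the advisory is adopted.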
@@ -64,7 +64,9 @@ gem 'doorkeeper'
gem 'oauth2'

# authentication - third party
gem 'omniauth'
gem 'omniauth-rails_csrf_protection'

# authentication - third party providers
gem 'omniauth-facebook'
gem 'omniauth-github'
gem 'omniauth-gitlab'
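Review bot: `gem 'omniauth-rails_csrf_protection'` is added without a version constraint, and the commit message says the gem is used "instead of" omniauth while `gem 'omniauth'` stays in place; the lock file hunk shows the new gem itself depends on `omniauth (>= 1.3.1)`, so keeping both is correct, but the message wording is misleading. Suggest pinning with a pessimistic constraint matching the locked release (e.g. `gem 'omniauth-rails_csrf_protection', '~> 0.1'`) and a one-line comment that it adds CSRF verification to the OmniAuth request phase.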
@@ -340,6 +340,9 @@ GEM
omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1)
omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1)
rack
@@ -596,14 +599,14 @@ DEPENDENCIES
mysql2 (= 0.4.10)
net-ldap
oauth2
omniauth
omniauth-facebook
omniauth-github
omniauth-gitlab
omniauth-google-oauth2
omniauth-linkedin-oauth2
omniauth-microsoft-office365
omniauth-oauth2
omniauth-rails_csrf_protection
omniauth-twitter
omniauth-weibo-oauth2
pg (= 0.21.0)
@@ -48,21 +48,24 @@
<% end %>
</div>

<% if !_.isEmpty(@auth_providers): %>
</form>
<% if !_.isEmpty(@auth_providers): %>
<div class="separator">
<span class="separator-text"><%- @T('or sign in using') %></span>
</div>

<div class="auth-providers">
<% for auth_provider in @auth_providers: %>
<a class="auth-provider auth-provider--<%= auth_provider.class %>" href="<%= auth_provider.url %>">
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
<span class="provider-name"><%- @T(auth_provider.name) %></span>
</a>
<form method="post" action="<%= auth_provider.url %>">
<input type="hidden" name="authenticity_token" value="<%= Spine.Ajax.defaults.headers['X-CSRF-Token'] %>">
<button type="submit" class="auth-provider auth-provider--<%= auth_provider.class %>">
<%- @Icon("#{auth_provider.class}-button", 'provider-icon') %>
<span class="provider-name"><%- @T(auth_provider.name) %></span>
</button>
</form>
<% end %>
</div>
<% end %>
</form>
<% end %>
</div>

<p>
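Review bot: the hidden `authenticity_token` input is filled from `Spine.Ajax.defaults.headers['X-CSRF-Token']` when the template renders; if that header is not yet populated at render time, the input is empty and every provider POST is rejected by the CSRF check, which surfaces as a hard-to-diagnose login failure. Suggest guarding that case (render the providers only when the token is present, or read it at submit time) and covering it with a test. Moving `</form>` above the providers block is the right call, since the per-provider `<form method="post">` elements would otherwise be nested inside the login form, which HTML does not allow.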
@@ -85,4 +88,4 @@
<%- @T('Powered by') %>
<a href="https://zammad.org" target="_blank"><%- @Icon('logotype', 'logotype') %></a>
</div>
</div>
</div>
@@ -2969,9 +2969,14 @@ ol.tabs li {
flex-wrap: wrap;
justify-content: space-between;
margin-bottom: -10px;

> form {
width: calc(33.33% - 6px);
}
}

.auth-provider {
width: 100%;
height: 40px;
padding: 0 10px 0 7px;
margin-bottom: 10px;
@@ -2981,7 +2986,8 @@ ol.tabs li {
display: flex;
align-items: center;
text-decoration: none;
width: calc(33.33% - 6px);
border: none;
text-align: initial;

&.auth-provider--wide {
padding-right: 25px;
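Review bot: the provider links became `<button>` elements and this hunk resets `border` and `text-align`, but buttons also do not inherit `font`, `color` or `background` from their parent by default and get no pointer cursor, so the providers may render in the user-agent button style. Suggest adding `font: inherit; color: inherit; background: none; cursor: pointer;` to `.auth-provider`, or verifying that the `.auth-provider` rules outside the shown lines already set them.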
@@ -5,7 +5,7 @@
describe 'request handling' do

it 'does o365 - start' do
get '/auth/microsoft_office365'
post '/auth/microsoft_office365'
expect(response).to have_http_status(:found)
expect(response.body).to include('https://login.microsoftonline.com/common/oauth2/v2.0/authorize')
expect(response.body).to include('redirect_uri=http%3A%2F%2Fzammad.example.com%2Fauth%2Fmicrosoft_office365%2Fcallback')
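Review bot: swapping `get` for `post` keeps the happy path green but does not prove the fix: unless the spec enables forgery protection, the POST passes without an authenticity token, and nothing asserts that `get '/auth/microsoft_office365'` no longer starts the flow. Suggest adding an example that issues the GET and expects it not to redirect to `https://login.microsoftonline.com/...`, and one that turns forgery protection on for the example and expects the token-less POST to be rejected.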
