From 6ba1faeb6f33a152060b1fccf248cb7d4528adba Mon Sep 17 00:00:00 2001
From: Jesus Federico <jesus@123it.ca>
Date: Wed, 6 Apr 2022 16:22:03 -0400
Subject: [PATCH] CVE-2015-9284: potential issue with omniauth accepting get requests (#3371)
---
 Gemfile | 1 +
 Gemfile.lock | 4 ++++
 app/views/sessions/new.html.erb | 2 +-
 app/views/sessions/signin.html.erb | 2 +-
 app/views/shared/_header.html.erb | 2 +-
 config/initializers/omniauth.rb | 3 +++
 sample.env | 4 ++++
 7 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index 6ffb7fc6..e5889dd2 100644
--- a/Gemfile
+++ b/Gemfile
@@ -30,6 +30,7 @@ gem 'omniauth-bn-launcher', '~> 0.1.3'
 gem 'omniauth-bn-office365', '~> 0.1.1'
 gem 'omniauth-google-oauth2', '~> 0.7.0'
 gem 'omniauth_openid_connect', '~> 0.4.0'
+gem 'omniauth-rails_csrf_protection', '~> 0.1.2'
 gem 'omniauth-twitter', '~> 1.4.0'
 gem 'pagy', '~> 3.11.0'
 gem 'pluck_to_hash', '~> 1.0.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0ae93cd9..6ef7f95e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -257,6 +257,9 @@ GEM
 omniauth-oauth2 (1.5.0)
 oauth2 (~> 1.1)
 omniauth (~> 1.2)
+ omniauth-rails_csrf_protection (0.1.2)
+ actionpack (>= 4.2)
+ omniauth (>= 1.3.1)
 omniauth-twitter (1.4.0)
 omniauth-oauth (~> 1.1)
 rack
@@ -491,6 +494,7 @@ DEPENDENCIES
 omniauth-bn-launcher (~> 0.1.3)
 omniauth-bn-office365 (~> 0.1.1)
 omniauth-google-oauth2 (~> 0.7.0)
+ omniauth-rails_csrf_protection (~> 0.1.2)
 omniauth-twitter (~> 1.4.0)
 omniauth_openid_connect (~> 0.4.0)
 pagy (~> 3.11.0)
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 83d63310..2fd22d2f 100644
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -23,7 +23,7 @@
 <div class="card-body background">
 <% unless iconset_providers.length.zero? %>
 <% iconset_providers.each do |provider| %>
- <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
+ <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
 <span class="customBtn-icon">
 <img class="customBtn-image"></img>
 </span>
diff --git a/app/views/sessions/signin.html.erb b/app/views/sessions/signin.html.erb
index 364bdbae..f160d86f 100644
--- a/app/views/sessions/signin.html.erb
+++ b/app/views/sessions/signin.html.erb
@@ -23,7 +23,7 @@
 <div class="card-body background">
 <% unless iconset_providers.length.zero? %>
 <% iconset_providers.each do |provider| %>
- <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
+ <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
 <span class="customBtn-icon ">
 <img class="customBtn-image"></img>
 </span>
diff --git a/app/views/shared/_header.html.erb b/app/views/shared/_header.html.erb
index 12a23b3b..73d9de9c 100755
--- a/app/views/shared/_header.html.erb
+++ b/app/views/shared/_header.html.erb
@@ -88,7 +88,7 @@
 <% if allow_greenlight_accounts %>
 <%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
 <% elsif Rails.configuration.loadbalanced_configuration %>
- <%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button" %>
+ <%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button", method: :post %>
 <% else %>
 <%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
 <% end %>
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7e88d380..787191ec 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
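Review bot: `link_to ... method: :post` in all three view hunks (new.html.erb, signin.html.erb and the `:bn_launcher` link in _header.html.erb) only becomes a POST when the page's UJS JavaScript intercepts the click; with scripts disabled, blocked, or not yet loaded the browser sends a plain GET to the omniauth path, which a POST-only OmniAuth configuration no longer routes, so the sign-in button fails silently instead of degrading. A `button_to` renders a real form carrying the authenticity token and needs no script, e.g. `<%= button_to omniauth_login_url(provider), method: :post, class: "customBtn-#{provider} oauth-signin" do %>` for the block form, and the non-block form with `t("login")` as the label for the header link. Worth checking that the `.oauth-signin` / `.sign-in-button` styling still applies to a `<button>` inside a form. The `iconset_providers.each` block in the two session views continues past the end of the hunk.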
@@ -87,3 +87,6 @@ end
 OmniAuth.config.on_failure = proc { |env|
 OmniAuth::FailureEndpoint.new(env).redirect_to_failure
 }
+
+# Include get if enabled. This value is by default set to false, which means only post requests are allowed.
+OmniAuth.config.allowed_request_methods = [:post, :get] if Greenlight::Application.parse_bool(ENV['ENABLE_OMNIAUTH_GET'])
diff --git a/sample.env b/sample.env
index 2c10cbcc..e8200fbc 100644
--- a/sample.env
+++ b/sample.env
@@ -360,3 +360,7 @@ DEFAULT_REGISTRATION=open
 # Max avatar image size (bytes)
 # Default: 100000
 MAX_AVATAR_SIZE=100000
+
+# Due CCVE-2015-9284, this setting needs to be enabled for omniauth to respond GET requests.
+# ENABLE_OMNIAUTH_GET=true|<false>
+ENABLE_OMNIAUTH_GET=false
-- 
GitLab
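Review bot: Setting `allowed_request_methods = [:post, :get]` when `ENABLE_OMNIAUTH_GET` is on reopens the request-phase CSRF issue the commit is fixing, and the added comment does not say so: the token verifier the new gem installs delegates to Rails' forgery protection, which treats GET and HEAD as already verified, so a GET to the omniauth path would again start a login with no token check (inferred from the gem's and Rails' behaviour, not visible in this hunk). Suggest the comment state the trade-off explicitly, e.g. `# WARNING: allowing GET re-enables the CVE-2015-9284 login-CSRF vector; leave this off unless a provider cannot start the flow with POST.`, and log a `Rails.logger.warn` when the flag is enabled so the weakened setting is visible at boot. It is also worth confirming that this initializer runs after the gem's railtie, which (if I recall its 0.1.x behaviour correctly) assigns `allowed_request_methods` itself; if the order were reversed the railtie would overwrite the opt-in.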
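Review bot: The comment on the new `ENABLE_OMNIAUTH_GET` entry misspells the identifier as `CCVE-2015-9284` and reads awkwardly, which matters because operators will search for that string. Suggest `# Due to CVE-2015-9284, OmniAuth only accepts POST requests by default; set this to true only if a provider must start the request phase with GET, as that weakens CSRF protection.` The shipped default of `false` is the safe value and should stay.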