From 6ba1faeb6f33a152060b1fccf248cb7d4528adba Mon Sep 17 00:00:00 2001
From: Jesus Federico <jesus@123it.ca>
Date: Wed, 6 Apr 2022 16:22:03 -0400
Subject: [PATCH] CVE-2015-9284: potential issue with omniauth accepting get
 requests (#3371)

---
 Gemfile                            | 1 +
 Gemfile.lock                       | 4 ++++
 app/views/sessions/new.html.erb    | 2 +-
 app/views/sessions/signin.html.erb | 2 +-
 app/views/shared/_header.html.erb  | 2 +-
 config/initializers/omniauth.rb    | 3 +++
 sample.env                         | 4 ++++
 7 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Gemfile b/Gemfile
index 6ffb7fc6..e5889dd2 100644
--- a/Gemfile
+++ b/Gemfile
@@ -30,6 +30,7 @@ gem 'omniauth-bn-launcher', '~> 0.1.3'
 gem 'omniauth-bn-office365', '~> 0.1.1'
 gem 'omniauth-google-oauth2', '~> 0.7.0'
 gem 'omniauth_openid_connect', '~> 0.4.0'
+gem 'omniauth-rails_csrf_protection', '~> 0.1.2'
 gem 'omniauth-twitter', '~> 1.4.0'
 gem 'pagy', '~> 3.11.0'
 gem 'pluck_to_hash', '~> 1.0.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0ae93cd9..6ef7f95e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -257,6 +257,9 @@ GEM
     omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
@@ -491,6 +494,7 @@ DEPENDENCIES
   omniauth-bn-launcher (~> 0.1.3)
   omniauth-bn-office365 (~> 0.1.1)
   omniauth-google-oauth2 (~> 0.7.0)
+  omniauth-rails_csrf_protection (~> 0.1.2)
   omniauth-twitter (~> 1.4.0)
   omniauth_openid_connect (~> 0.4.0)
   pagy (~> 3.11.0)
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 83d63310..2fd22d2f 100644
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -23,7 +23,7 @@
         <div class="card-body background">
           <% unless iconset_providers.length.zero? %>
             <% iconset_providers.each do |provider| %>
-              <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
+              <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
                 <span class="customBtn-icon">
                   <img class="customBtn-image"></img>
                 </span>
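Review bot: `method: :post` on `link_to` only turns the click into a POST when rails-ujs/jquery_ujs is loaded and JavaScript runs; without it the anchor is a plain GET to the request-phase path, which this commit's initializer now rejects by default, so the provider buttons silently stop working for no-JS clients (this assumes the app's JS bundle is what provides the ujs handler, which the diff does not show). `button_to omniauth_login_url(provider), method: :post, class: "customBtn-#{provider} oauth-signin" do` renders a real form carrying the authenticity token and does not depend on JavaScript, though the class then lands on a `<button>` rather than an `<a>`, so the matching CSS may need a follow-up. The same applies to the identical hunks in signin.html.erb and _header.html.erb. The `link_to ... do` block continues outside the hunk.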
diff --git a/app/views/sessions/signin.html.erb b/app/views/sessions/signin.html.erb
index 364bdbae..f160d86f 100644
--- a/app/views/sessions/signin.html.erb
+++ b/app/views/sessions/signin.html.erb
@@ -23,7 +23,7 @@
         <div class="card-body background">
           <% unless iconset_providers.length.zero? %>
             <% iconset_providers.each do |provider| %>
-              <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
+              <%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
                 <span class="customBtn-icon ">
                   <img class="customBtn-image"></img>
                 </span>
diff --git a/app/views/shared/_header.html.erb b/app/views/shared/_header.html.erb
index 12a23b3b..73d9de9c 100755
--- a/app/views/shared/_header.html.erb
+++ b/app/views/shared/_header.html.erb
@@ -88,7 +88,7 @@
           <% if allow_greenlight_accounts %>
             <%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
           <% elsif Rails.configuration.loadbalanced_configuration %>
-            <%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button" %>
+            <%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button", method: :post %>
           <% else %>
             <%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
           <% end %>
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7e88d380..787191ec 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -87,3 +87,6 @@ end
 OmniAuth.config.on_failure = proc { |env|
   OmniAuth::FailureEndpoint.new(env).redirect_to_failure
 }
+
+# Include get if enabled. This value is by default set to false, which means only post requests are allowed.
+OmniAuth.config.allowed_request_methods = [:post, :get] if Greenlight::Application.parse_bool(ENV['ENABLE_OMNIAUTH_GET'])
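Review bot: The new comment says the value "is by default set to false", but nothing in this hunk sets a default; the POST-only default comes from the omniauth-rails_csrf_protection gem added in the Gemfile, and this line only overrides it, so the comment should say where the default lives. More importantly, re-adding `:get` reintroduces the exposure the commit subject names (CVE-2015-9284), since the token check the gem installs is, as far as I recall, skipped for GET/HEAD by Rails' forgery protection; the comment should make the trade-off explicit, e.g. `# Opt-in escape hatch: allowing GET on the request phase reopens the CVE-2015-9284 exposure the rails_csrf_protection gem closes, so keep ENABLE_OMNIAUTH_GET unset unless a provider cannot POST.` `Greenlight::Application.parse_bool` is defined outside this hunk, so how it treats an unset `ENV['ENABLE_OMNIAUTH_GET']` cannot be confirmed here; a short note on that, or `ENV.fetch('ENABLE_OMNIAUTH_GET', 'false')`, would make the safe default visible at the call site.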
diff --git a/sample.env b/sample.env
index 2c10cbcc..e8200fbc 100644
--- a/sample.env
+++ b/sample.env
@@ -360,3 +360,7 @@ DEFAULT_REGISTRATION=open
 # Max avatar image size (bytes)
 # Default: 100000
 MAX_AVATAR_SIZE=100000
+
+# Due CCVE-2015-9284, this setting needs to be enabled for omniauth to respond GET requests.
+#   ENABLE_OMNIAUTH_GET=true|<false>
+ENABLE_OMNIAUTH_GET=false
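Review bot: The new comment has a typo and a grammar slip: "Due CCVE-2015-9284" should read "Due to CVE-2015-9284". Since this is the line operators will read before flipping the flag, it should also state the consequence, e.g. `# Due to CVE-2015-9284, OmniAuth only accepts POST on the request phase; set this to true only if a provider requires GET, as that re-enables the affected behaviour.`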
-- 
GitLab