CVE-2015-9284 Mitigation spec failing

Question

CVE-2015-9284 Mitigation spec failing

fabioxgn opened this issue 3 years ago · comments

I have this spec in my application, which was added to check for the security flaw mitigation, now, after updating this gem and omniauth to 2.0.1, this spec started to fail with: expected ActionController::InvalidAuthenticityToken but nothing was raised

 describe "POST /auth/:provider without CSRF token" do
      before do
        @allow_forgery_protection = ActionController::Base.allow_forgery_protection
        ActionController::Base.allow_forgery_protection = true
      end

      after do
        ActionController::Base.allow_forgery_protection = @allow_forgery_protection
      end

      it do
        expect do
          post "/auth/google_oauth2"
        end.to raise_error(ActionController::InvalidAuthenticityToken)
      end
    end

I understood in the release notes that the gem still verifies the CSRF token, why is this test failing now?

Sascha Hoellger · Answer 1 · Wed Feb 03 2021 23:58:07 GMT+0800 (China Standard Time)

I think this is caused by a change in OmniAuth and not here. See omniauth/omniauth#1031

Fábio Gomes · Answer 2 · Thu Feb 04 2021 00:16:40 GMT+0800 (China Standard Time)

@mitnal thanks.