cookpad / omniauth-rails_csrf_protection

Provides CSRF protection on OmniAuth request endpoint on Rails application.


OmniAuth vulnerability Rails API 5.2.3

alexventuraio opened this issue · comments

Hi guys, I just have a question; maybe someone here can help me out.

Actually I have a Rails API alongside a ReactJS application, so I do not have Rails views with links in them that I could change to the POST method.

Gemfile

gem 'omniauth-github', '~> 1.3'
gem 'omniauth-rails_csrf_protection'

routes.rb

Rails.application.routes.draw do
  get '/login', to: redirect('/auth/github')
  get '/auth/:provider/callback', to: 'sessions#create'
  get 'auth/failure', to: redirect('/')

  resource :session, only: [:create]
end

initializers/omniauth.rb

OmniAuth.config.logger = Rails.logger
# Addresses https://nvd.nist.gov/vuln/detail/CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:post]

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :github, ENV['GITHUB_CLIENT_ID'], ENV['GITHUB_CLIENT_SECRET']
end

sessions_controller.rb

class SessionsController < ApplicationController
  def create
    user = User.from_omniauth(auth_hash)
    redirect_to '/react_app'
  end

  protected

  def auth_hash
    request.env['omniauth.auth']
  end
end

user.rb

class User < ApplicationRecord
  class << self
    def from_omniauth(auth_data)
      where(auth_data.slice('provider', 'uid')).first || create_from_omniauth(auth_data)
    end

    def create_from_omniauth(auth_data)
      create! do |user|
        user.provider = auth_data['provider']
        user.uid = auth_data['uid']
        user.nickname = auth_data['info']['nickname']
        user.email = auth_data['info']['email']
        user.name = auth_data['info']['name']
        user.avatar = auth_data['info']['image']
        user.provider_token = auth_data['credentials']['token']
      end
    end
  end
end

I have added the omniauth-rails_csrf_protection gem and followed most of the instructions here, but I still get the warning in my GitHub repo about the vulnerability issue.

Do you have any suggestion of what to do so I can get rid of that annoying warning?

Thanks in advance!

but I still get the warning in my Github repo about the vulnerability issue

That's because the database GitHub is using doesn't have any info about a version where the vulnerability is fixed – and that's because, as far as I know, no such version has been released.

@dentarg Ok, let's say that the warning is all about the GitHub platform. But do you think that it is ok to keep on working this way with my config? Or do you think I should change something else about the vulnerability?

I looked at your code and noticed that you still have GET /login which redirects to /auth/github. Does that still work after you changed the OmniAuth endpoint to be POST only?

I think this mitigation requires you to make sure that any endpoint that will initiate the authentication flow (redirect to GitHub, etc.) won't respond to GET requests. So, you may have to remove your convenient /login route and change the login button on your React app to be a form that POSTs to the GitHub URL instead.

@sikachu Yeah, you're right: after changing OmniAuth to POST-only requests it does not work anymore. So, I'm going to change the React app to perform a POST request to ``.
But what about these two routes, which are callback URLs from GitHub to my Rails app? Do I need to change them to POST only too?

get '/auth/:provider/callback', to: 'sessions#create'
get 'auth/failure', to: redirect('/')

@alexventuraio nope, those callback URLs are fine to be GET. The CVE was pretty much focusing on the initiation part, to make sure that users won't be logged in without their intent. So, as long as the first part is protected, you should be fine.
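To make the two points above concrete (the request phase must be POST-only and carry a CSRF token, while the callback and failure routes can stay GET), here is an added, stand-alone Ruby sketch of such a guard over a plain Rack-style env. It is written for this thread and is not the gem's own code: the real gem delegates token verification to Rails' request forgery protection (masked tokens), which is simplified here to a constant-time comparison against a session value, and the `rack_env` helper and the `csrf_token` session key are assumptions for the example.

```ruby
require 'uri'
require 'stringio'

# Stand-alone reimplementation (for this thread, not the gem's code) of the
# guard omniauth-rails_csrf_protection puts in front of OmniAuth's request
# phase: /auth/:provider must use an allowed method AND carry a CSRF token
# matching the session; callback and failure paths are untouched (so GET is fine).
class OmniAuthRequestGuard
  def initialize(providers:, allowed_request_methods: [:post])
    names = Regexp.union(providers).source
    @request_phase = %r{\A/auth/(#{names})\z}
    @callback_phase = %r{\A/auth/(#{names})/callback\z}
    @allowed = allowed_request_methods.map { |m| m.to_s.upcase }
  end

  # Returns :initiate, :callback, :reject_method, :reject_token or :pass_through.
  def check(env)
    path = env['PATH_INFO'].to_s
    return :callback if path.match?(@callback_phase)
    return :pass_through unless path.match?(@request_phase)
    return :reject_method unless @allowed.include?(env['REQUEST_METHOD'])
    return :reject_token unless valid_token?(env)
    :initiate
  end

  private

  # Token may arrive as an X-CSRF-Token header (a fetch() from React) or as the
  # authenticity_token form field; compared in constant time (assumed session key).
  def valid_token?(env)
    expected = env.dig('rack.session', :csrf_token)
    given = env['HTTP_X_CSRF_TOKEN'] || form_param(env, 'authenticity_token')
    return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def form_param(env, name)
    return nil unless env['rack.input']
    env['rack.input'].rewind
    URI.decode_www_form(env['rack.input'].read).to_h[name]
  end
end

# Builds a minimal Rack-style env for the examples (constructed sample input).
def rack_env(method, path, session: {}, body: nil, headers: {})
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.session' => session }
  env['rack.input'] = StringIO.new(body) if body
  headers.each { |k, v| env["HTTP_#{k.upcase.tr('-', '_')}"] = v }
  env
end
```

With this in place, the old GET /login redirect lands on GET /auth/github and is rejected, which is exactly why the React login button has to become a POST that includes the token.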

I'm going to close this issue since I think you've resolved the issue based on the inactivity of this issue. Please let me know if the issue hasn't been fixed and I should reopen it. Thanks!