OmniAuth vulnerability Rails API 5.2.3
alexventuraio opened this issue · comments
Hi guys, I just have a question; maybe someone here can help me out.
Actually I have a Rails API alongside a ReactJS application, so I do not have Rails views with links in them that I could change to the POST method.
Gemfile
gem 'omniauth-github', '~> 1.3'
gem 'omniauth-rails_csrf_protection'
routes.rb
Rails.application.routes.draw do
  get '/login', to: redirect('/auth/github')
  get '/auth/:provider/callback', to: 'sessions#create'
  get 'auth/failure', to: redirect('/')
  resource :session, only: [:create]
end
initializers/omniauth.rb
OmniAuth.config.logger = Rails.logger
# Addresses https://nvd.nist.gov/vuln/detail/CVE-2015-9284
OmniAuth.config.allowed_request_methods = [:post]
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :github, ENV['GITHUB_CLIENT_ID'], ENV['GITHUB_CLIENT_SECRET']
end
sessions_controller.rb
class SessionsController < ApplicationController
  def create
    user = User.from_omniauth(auth_hash)
    redirect_to '/react_app'
  end

  protected

  def auth_hash
    request.env['omniauth.auth']
  end
end
user.rb
class User < ApplicationRecord
  class << self
    def from_omniauth(auth_data)
      where(auth_data.slice('provider', 'uid')).first || create_from_omniauth(auth_data)
    end

    def create_from_omniauth(auth_data)
      create! do |user|
        user.provider = auth_data['provider']
        user.uid = auth_data['uid']
        user.nickname = auth_data['info']['nickname']
        user.email = auth_data['info']['email']
        user.name = auth_data['info']['name']
        user.avatar = auth_data['info']['image']
        user.provider_token = auth_data['credentials']['token']
      end
    end
  end
end
I have added the omniauth-rails_csrf_protection gem and followed most of the instructions here, but I still get the warning in my GitHub repo about the vulnerability issue.
Do you have any suggestion for what to do so I can get rid of that annoying warning?
Thanks in advance!
but I still get the warning in my Github repo about the vulnerability issue
That's because the database GitHub is using doesn't have any info about a version where the vulnerability is fixed – and that's because, as far as I know, no such version has been released.
@dentarg Ok, let's say that the warning is all about the GitHub platform. But do you think that it is ok to keep working this way with my config? Or do you think I should change something else about the vulnerability?
I looked at your code, and I noticed that you still have GET /login which redirects to /auth/github. Does that still work after you changed the OmniAuth endpoint to be POST only?
I think this mitigation requires you to make sure that any endpoint that will initiate the authentication flow (redirect to GitHub, etc.) won't respond to GET requests. So, you may have to remove your convenient /login route and change the login button on your React app to be a form that POSTs to the GitHub URL instead.
@sikachu Yeah, you're right; after changing OmniAuth to only accept POST requests it does not work anymore. So, I'm going to change the React app to perform a POST request to ``.
But what about these two routes, which are callback URLs from GitHub to my Rails app? Do I need to change them to POST only too?
get '/auth/:provider/callback', to: 'sessions#create'
get 'auth/failure', to: redirect('/')
@alexventuraio Nope, those callback URLs are fine to be GET. The CVE was pretty much focused on the initiation part, to make sure that a user won't be logged in without their intent. So, as long as the first part is protected, you should be fine.
I'm going to close this issue since I think you've resolved it, based on the inactivity on this issue. Please let me know if the issue hasn't been fixed and I should reopen it. Thanks!
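To make the distinction above concrete (request phase must be POST with a CSRF token, callback and failure paths may stay GET), here is an added example that is not code from the thread or from the omniauth gems: a hypothetical Rack-style middleware, `RequestPhaseGuard`, with constructed helpers `issue_token` and `auth_status` and a made-up `_csrf_token` session key, that reproduces the effect of `allowed_request_methods = [:post]` plus omniauth-rails_csrf_protection in plain Ruby.

```ruby
require 'securerandom'

# Hypothetical Rack-style middleware (illustration only, not the gems' code):
# /auth/:provider must be POSTed with a session-bound authenticity token,
# while /auth/:provider/callback and /auth/failure stay reachable by GET,
# which is what CVE-2015-9284 is about (the login-initiating request phase).
class RequestPhaseGuard
  ALLOWED_REQUEST_METHODS = %w[POST].freeze

  def initialize(app, providers:)
    @app = app
    names = providers.map { |p| Regexp.escape(p) }.join('|')
    @request_path = %r{\A/auth/(#{names})\z} # request phase only; callbacks have a further segment
  end

  # env mimics Rack: REQUEST_METHOD, PATH_INFO, rack.session, and
  # already-parsed form fields under 'params'.
  def call(env)
    return @app.call(env) unless env['PATH_INFO'] =~ @request_path
    return [405, {}, ['method not allowed']] unless ALLOWED_REQUEST_METHODS.include?(env['REQUEST_METHOD'])
    return [403, {}, ['invalid authenticity token']] unless valid_token?(env)
    @app.call(env)
  end

  private

  # Same idea as Rails' RequestForgeryProtection: the submitted token must
  # match the one in the session, compared in constant time; with no token
  # in the session the request can never be valid.
  def valid_token?(env)
    expected = env.dig('rack.session', '_csrf_token')
    given = env.dig('params', 'authenticity_token')
    return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What a token-issuing endpoint does before the SPA renders its login form (constructed helper).
def issue_token(session)
  session['_csrf_token'] ||= SecureRandom.base64(32)
end

# Drives the guard with a constructed request and returns the status code.
def auth_status(method, path, session: {}, params: {})
  app = RequestPhaseGuard.new(->(_env) { [200, {}, ['reached omniauth']] },
                              providers: %w[github developer])
  app.call('REQUEST_METHOD' => method, 'PATH_INFO' => path,
           'rack.session' => session, 'params' => params).first
end
```

A GET /login that redirects to /auth/github lands here as a GET and gets 405, which is why the redirect route in the question stops working once the request phase is POST-only.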