omniauth-rails_csrf_protection 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: bbf4c1c69045d3b8841a8e002fad5367924f1d3656bb030473da95ec61681878
+  data.tar.gz: 57f056afa7f51d2722129715a074aa19afeac9acd58a340c5c063aff7b8436d7
+SHA512:
+  metadata.gz: c64a7e5a8c3252ceebe112312fa9dfa346c7c337c2ed528f72ab7d140d540333e99c580143bad2044a7fe57697360cf7be6cd36672e97224fa48f21a6d758b6d
+  data.tar.gz: 7fdf180d08eb01a57acbf61f3f2a70754a433eee0fad1c31663f0b9bffa571ef4c45ada64669475ef6391b636437e3ae590e1bc27c785756278e1524f524cbfc

data/.circleci/config.yml

@@ -0,0 +1,87 @@
+version: 2.1
+
+build_steps: &build_steps
+  steps:
+    - checkout
+    - run:
+        name: Install dependencies
+        command: bundle update
+    - run:
+        command: |-
+          echo "Ruby version:" $(ruby -v)
+          echo "Rails version: " $(rails -v)
+        name: Show build information
+    - run:
+        name: Run tests
+        command: rake
+
+ruby-2-5: &ruby-2-5
+  docker:
+    - image: circleci/ruby:2.5
+
+ruby-2-6: &ruby-2-6
+  docker:
+    - image: circleci/ruby:2.6
+
+rails-5-1: &rails-5-1
+  environment:
+      RAILS_VERSION: "~> 5.1.0"
+
+rails-5-2: &rails-5-2
+  environment:
+      RAILS_VERSION: "~> 5.2.0"
+
+rails-6-0: &rails-6-0
+  environment:
+      RAILS_VERSION: "6.0.0.rc1"
+
+rails-edge: &rails-edge
+  environment:
+      RAILS_BRANCH: "master"
+
+jobs:
+  "ruby-2-5-rails-5-1":
+    <<: *ruby-2-5
+    <<: *rails-5-1
+    <<: *build_steps
+  "ruby-2-5-rails-5-2":
+    <<: *ruby-2-5
+    <<: *rails-5-2
+    <<: *build_steps
+  "ruby-2-5-rails-6-0":
+    <<: *ruby-2-5
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-2-5-rails-edge":
+    <<: *ruby-2-5
+    <<: *rails-edge
+    <<: *build_steps
+  "ruby-2-6-rails-5-1":
+    <<: *ruby-2-6
+    <<: *rails-5-1
+    <<: *build_steps
+  "ruby-2-6-rails-5-2":
+    <<: *ruby-2-6
+    <<: *rails-5-2
+    <<: *build_steps
+  "ruby-2-6-rails-6-0":
+    <<: *ruby-2-6
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-2-6-rails-edge":
+    <<: *ruby-2-6
+    <<: *rails-edge
+    <<: *build_steps
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - "ruby-2-5-rails-5-1"
+      - "ruby-2-5-rails-5-2"
+      - "ruby-2-5-rails-6-0"
+      - "ruby-2-5-rails-edge"
+      - "ruby-2-6-rails-5-1"
+      - "ruby-2-6-rails-5-2"
+      - "ruby-2-6-rails-6-0"
+      - "ruby-2-6-rails-edge"

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.rubocop-*
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,9 @@
+inherit_from:
+  - https://raw.githubusercontent.com/cookpad/global-style-guides/master/.rubocop.yml
+
+AllCops:
+  TargetRubyVersion: 2.5
+
+# Disable this as this does not apply to rack-test
+Rails/HttpPositionalArguments:
+  Enabled: false

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,75 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age,
+body size, disability, ethnicity, gender identity and expression, level of
+experience, nationality, personal appearance, race, religion, or sexual
+identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an
+appointed representative at an online or offline event. Representation of a
+project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at kaihatsu@cookpad.com. All complaints
+will be reviewed and investigated and will result in a response that is deemed
+necessary and appropriate to the circumstances. The project team is obligated
+to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.4, available at
+[http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,11 @@
+source "https://rubygems.org"
+
+# rubocop:disable Bundler/DuplicatedGem
+if ENV["RAILS_VERSION"]
+  gem "rails", ENV["RAILS_VERSION"]
+elsif ENV["RAILS_BRANCH"]
+  gem "rails", git: "https://github.com/rails/rails.git", branch: ENV["RAILS_BRANCH"]
+end
+# rubocop:enable Bundler/DuplicatedGem
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Cookpad Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,48 @@
+# OmniAuth - Rails CSRF Protection
+
+This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
+Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
+application) by implementing a CSRF token verifier that directly utilize
+`ActionController::RequestForgeryProtection` code from Rails.
+
+## Usage
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem "omniauth-rails_csrf_protection"
+```
+
+Then run `bundle install` to install this gem.
+
+You will then need to verify that all links in your application that would
+initiate OAuth request phrase are being converted to a HTTP POST form that
+contains `authenticity_token` value. This might simply be done by changing all
+`link_to` to `button_to`, or use `link_to ..., method: :post`.
+
+## Under the Hood
+
+This gem does a few things to your application:
+
+* Disable access to the OAuth request phrase using HTTP GET method.
+* Insert a Rails CSRF token verifier at before request phrase.
+
+These actions mitigate you from the attack vector described in CVE-2015-9284.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub. This project is
+intended to be a safe, welcoming space for collaboration, and contributors are
+expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the
+[MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the this project’s codebases, issue trackers, chat
+rooms and mailing lists is expected to follow the
+[code of conduct](https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task default: :test

data/lib/omniauth/rails_csrf_protection.rb

@@ -0,0 +1,2 @@
+require "omniauth/rails_csrf_protection/version"
+require "omniauth/rails_csrf_protection/railtie"

data/lib/omniauth/rails_csrf_protection/railtie.rb

@@ -0,0 +1,12 @@
+require "omniauth/rails_csrf_protection/token_verifier"
+
+module OmniAuth
+  module RailsCsrfProtection
+    class Railtie < Rails::Railtie
+      initializer "omniauth-rails_csrf_protection.initialize" do
+        OmniAuth.config.allowed_request_methods = [:post]
+        OmniAuth.config.before_request_phase = TokenVerifier.new
+      end
+    end
+  end
+end

data/lib/omniauth/rails_csrf_protection/token_verifier.rb

@@ -0,0 +1,44 @@
+require "active_support/configurable"
+require "action_controller"
+
+module OmniAuth
+  module RailsCsrfProtection
+    # Provides a callable method that verifies Cross-Site Request Forgery
+    # protection token. This class includes
+    # `ActionController::RequestForgeryProtection` directly and utilizes
+    # `verified_request?` method to match the way Rails performs token
+    # verification in Rails controllers.
+    #
+    # If you like to learn more about how Rails generate and verify
+    # authenticity token, you can find the source code at
+    # https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L217-L240.
+    class TokenVerifier
+      include ActiveSupport::Configurable
+      include ActionController::RequestForgeryProtection
+
+      # `ActionController::RequestForgeryProtection` contains a few
+      # configurable options. As we want to make sure that our configuration is
+      # the same as what being set in `ActionController::Base`, we should make
+      # all out configuration methods to delegate to `ActionController::Base`.
+      config.each_key do |configuration_name|
+        undef_method configuration_name
+        define_method configuration_name do
+          ActionController::Base.config[configuration_name]
+        end
+      end
+
+      def call(env)
+        @request = ActionDispatch::Request.new(env)
+
+        unless verified_request?
+          raise ActionController::InvalidAuthenticityToken
+        end
+      end
+
+      private
+
+        attr_reader :request
+        delegate :params, :session, to: :request
+    end
+  end
+end

data/lib/omniauth/rails_csrf_protection/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module RailsCsrfProtection
+    VERSION = "0.1.0".freeze
+  end
+end

data/omniauth-rails_csrf_protection.gemspec

@@ -0,0 +1,37 @@
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "omniauth/rails_csrf_protection/version"
+
+Gem::Specification.new do |spec|
+  spec.name        = "omniauth-rails_csrf_protection"
+  spec.version     = OmniAuth::RailsCsrfProtection::VERSION
+  spec.authors     = ["Cookpad Inc."]
+  spec.email       = ["kaihatsu@cookpad.com"]
+
+  spec.summary     = <<~SUMMARY
+    Provides CSRF protection on OmniAuth request endpoint on Rails application.
+  SUMMARY
+
+  spec.description = <<~DESCRIPTION
+    This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
+    Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
+    application) by implementing a CSRF token verifier that directly utilize
+    `ActionController::RequestForgeryProtection` code from Rails.
+  DESCRIPTION
+
+  spec.homepage    = "https://github.com/cookpad/omniauth-rails_csrf_protection"
+  spec.license     = "MIT"
+
+  spec.files       = `git ls-files`.split("\n")
+  spec.test_files  = `git ls-files -- test/*`.split("\n")
+
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "actionpack", ">= 5.1.0"
+  spec.add_dependency "omniauth", ">= 1.3.1"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "rails"
+  spec.add_development_dependency "rake"
+end

data/test/application_test.rb

@@ -0,0 +1,40 @@
+require "test_helper"
+
+class ApplicationTest < Minitest::Test
+  include Rack::Test::Methods
+
+  def test_request_phrase_not_accessible_via_get
+    get "/auth/developer"
+
+    assert last_response.not_found?
+  end
+
+  def test_request_phrase_without_token_via_post
+    post "/auth/developer"
+
+    assert last_response.unprocessable?
+  end
+
+  def test_request_phrase_with_bad_token_via_post
+    post "/auth/developer", authenticity_token: "BAD_TOKEN"
+
+    assert last_response.unprocessable?
+  end
+
+  def test_request_phrase_with_correct_token_via_post
+    post "/auth/developer", authenticity_token: authenticity_token
+
+    assert last_response.ok?
+  end
+
+  private
+
+    def app
+      Rails.application
+    end
+
+    def authenticity_token
+      get "/token"
+      last_response.body
+    end
+end

data/test/test_helper.rb

@@ -0,0 +1,69 @@
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+# Simple Rails application template, based on Rails issue template
+# https://github.com/rails/rails/blob/master/guides/bug_report_templates/action_controller_gem.rb
+
+# Helper method to silence warnings from bundler/inline
+def silence_warnings
+  old_verbose, $VERBOSE = $VERBOSE, nil
+  yield
+ensure
+  $VERBOSE = old_verbose
+end
+
+silence_warnings do
+  require "bundler/inline"
+
+  # Define dependencies required by this test app
+  gemfile do
+    source "https://rubygems.org"
+
+    gem "rails"
+    gem "omniauth"
+    gem "omniauth-rails_csrf_protection", path: File.expand_path("..", __dir__)
+  end
+end
+
+puts "Running test against Rails #{Rails.version}"
+
+require "rack/test"
+require "action_controller/railtie"
+require "minitest/autorun"
+
+# Build a test application which uses OmniAuth
+class TestApp < Rails::Application
+  config.root = __dir__
+  config.session_store :cookie_store, key: "cookie_store_key"
+  secrets.secret_key_base = "secret_key_base"
+  config.eager_load = false
+  config.hosts = []
+
+  # This allow us to send all logs to STDOUT if we run test wth `VERBOSE=1`
+  config.logger = if ENV["VERBOSE"]
+                    Logger.new($stdout)
+                  else
+                    Logger.new("/dev/null")
+                  end
+  Rails.logger = config.logger
+  OmniAuth.config.logger = Rails.logger
+
+  # Setup a simple OmniAuth configuration with only developer provider
+  config.middleware.use OmniAuth::Builder do
+    provider :developer
+  end
+
+  # We need to call initialize! to run all railties
+  initialize!
+
+  # Define our custom routes. This needs to be called after initialize!
+  routes.draw do
+    get "token" => "application#token"
+  end
+end
+
+# A small test controller which we use to retrive the valid authenticity token
+class ApplicationController < ActionController::Base
+  def token
+    render plain: form_authenticity_token
+  end
+end

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-rails_csrf_protection
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Cookpad Inc.
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-05-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionpack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |
+  This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
+  Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
+  application) by implementing a CSRF token verifier that directly utilize
+  `ActionController::RequestForgeryProtection` code from Rails.
+email:
+- kaihatsu@cookpad.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/rails_csrf_protection.rb
+- lib/omniauth/rails_csrf_protection/railtie.rb
+- lib/omniauth/rails_csrf_protection/token_verifier.rb
+- lib/omniauth/rails_csrf_protection/version.rb
+- omniauth-rails_csrf_protection.gemspec
+- test/application_test.rb
+- test/test_helper.rb
+homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
+test_files:
+- test/application_test.rb
+- test/test_helper.rb