omniauth-rails_csrf_protection 0.1.2 → 1.0.0
    
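--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: f892f67e16cc87463da3671c7109d84cf2c672ab9f48e3f15c0ea26e2d0de891
+  data.tar.gz: 972512c31e47d1ca67255adf9e962a1082c3025ae28dbc9f27abdbdc726784c8
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: bd891acf5bbde8455180fe33d076bee9d62413d06c32a610336586346c40ff71a1f30adf5b3cfaf2ad4f768f9f69fbbf27040a0c805bc09462b27e3f7e10115a
+  data.tar.gz: e17f26e0b3224a0f5c8660ec7f7d7524690b18df2f1004f9bdc097cdef04026c6d7c4c15433d0d349087333b4a381b79624b65c9361975c1a123ca34313643b2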
    
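--- a/data/.circleci/config.yml
+++ b/data/.circleci/config.yml
@@ -27,6 +27,14 @@ ruby-2-6: &ruby-2-6
   docker:
     - image: circleci/ruby:2.6
 
+ruby-2-7: &ruby-2-7
+  docker:
+    - image: circleci/ruby:2.7
+
+ruby-3-0: &ruby-3-0
+  docker:
+    - image: circleci/ruby:3.0
+
 rails-4-2: &rails-4-2
   environment:
     RAILS_VERSION: "~> 4.2.0"
@@ -45,7 +53,11 @@ rails-5-2: &rails-5-2
 
 rails-6-0: &rails-6-0
   environment:
-    RAILS_VERSION: "6.0.0
+    RAILS_VERSION: "~> 6.0.0"
+
+rails-6-1: &rails-6-1
+  environment:
+    RAILS_VERSION: "~> 6.1.0"
 
 rails-edge: &rails-edge
   environment:
@@ -85,6 +97,10 @@ jobs:
     <<: *ruby-2-5
     <<: *rails-6-0
     <<: *build_steps
+  "ruby-2-5-rails-6-1":
+    <<: *ruby-2-5
+    <<: *rails-6-1
+    <<: *build_steps
   "ruby-2-5-rails-edge":
     <<: *ruby-2-5
     <<: *rails-edge
@@ -106,11 +122,53 @@ jobs:
     <<: *ruby-2-6
     <<: *rails-6-0
     <<: *build_steps
+  "ruby-2-6-rails-6-1":
+    <<: *ruby-2-6
+    <<: *rails-6-1
+    <<: *build_steps
   "ruby-2-6-rails-edge":
     <<: *ruby-2-6
     <<: *rails-edge
     <<: *build_steps
 
+  "ruby-2-7-rails-5-0":
+    <<: *ruby-2-7
+    <<: *rails-5-0
+    <<: *build_steps
+  "ruby-2-7-rails-5-1":
+    <<: *ruby-2-7
+    <<: *rails-5-1
+    <<: *build_steps
+  "ruby-2-7-rails-5-2":
+    <<: *ruby-2-7
+    <<: *rails-5-2
+    <<: *build_steps
+  "ruby-2-7-rails-6-0":
+    <<: *ruby-2-7
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-2-7-rails-6-1":
+    <<: *ruby-2-7
+    <<: *rails-6-1
+    <<: *build_steps
+  "ruby-2-7-rails-edge":
+    <<: *ruby-2-7
+    <<: *rails-edge
+    <<: *build_steps
+
+  "ruby-3-0-rails-6-0":
+    <<: *ruby-3-0
+    <<: *rails-6-0
+    <<: *build_steps
+  "ruby-3-0-rails-6-1":
+    <<: *ruby-3-0
+    <<: *rails-6-1
+    <<: *build_steps
+  "ruby-3-0-rails-edge":
+    <<: *ruby-3-0
+    <<: *rails-edge
+    <<: *build_steps
+
 workflows:
   version: 2
   build:
@@ -123,10 +181,23 @@ workflows:
       - "ruby-2-5-rails-5-1"
       - "ruby-2-5-rails-5-2"
       - "ruby-2-5-rails-6-0"
+      - "ruby-2-5-rails-6-1"
       - "ruby-2-5-rails-edge"
 
       - "ruby-2-6-rails-5-0"
       - "ruby-2-6-rails-5-1"
       - "ruby-2-6-rails-5-2"
       - "ruby-2-6-rails-6-0"
+      - "ruby-2-6-rails-6-1"
       - "ruby-2-6-rails-edge"
+
+      - "ruby-2-7-rails-5-0"
+      - "ruby-2-7-rails-5-1"
+      - "ruby-2-7-rails-5-2"
+      - "ruby-2-7-rails-6-0"
+      - "ruby-2-7-rails-6-1"
+      - "ruby-2-7-rails-edge"
+
+      - "ruby-3-0-rails-6-0"
+      - "ruby-3-0-rails-6-1"
+      - "ruby-3-0-rails-edge"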
    
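--- a/data/README.md
+++ b/data/README.md
@@ -1,12 +1,14 @@
 # OmniAuth - Rails CSRF Protection
 
-This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
-Forgery on the request
-application) by implementing a CSRF token verifier that directly
+This gem provides a mitigation against [CVE-2015-9284] (Cross-Site Request
+Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
+application) by implementing a CSRF token verifier that directly uses
 `ActionController::RequestForgeryProtection` code from Rails.
 
 [![CircleCI](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/master.svg?style=svg)](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/master)
 
+[CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
+
 ## Usage
 
 Add this line to your application's Gemfile:
@@ -18,7 +20,7 @@ gem "omniauth-rails_csrf_protection"
 Then run `bundle install` to install this gem.
 
 You will then need to verify that all links in your application that would
-initiate OAuth request
+initiate OAuth request phase are being converted to a HTTP POST form that
 contains `authenticity_token` value. This might simply be done by changing all
 `link_to` to `button_to`, or use `link_to ..., method: :post`.
 
@@ -26,10 +28,10 @@ contains `authenticity_token` value. This might simply be done by changing all
 
 This gem does a few things to your application:
 
-* Disable access to the OAuth request
-* Insert a Rails CSRF token verifier at before request
+* Disable access to the OAuth request phase using HTTP GET method.
+* Insert a Rails CSRF token verifier at the before request phase.
 
-These actions mitigate you from the attack vector described in CVE-2015-9284.
+These actions mitigate you from the attack vector described in [CVE-2015-9284].
 
 ## Contributing
 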
| @@ -4,8 +4,7 @@ module OmniAuth | |
| 4 4 | 
             
              module RailsCsrfProtection
         | 
| 5 5 | 
             
                class Railtie < Rails::Railtie
         | 
| 6 6 | 
             
                  initializer "omniauth-rails_csrf_protection.initialize" do
         | 
| 7 | 
            -
                    OmniAuth.config. | 
| 8 | 
            -
                    OmniAuth.config.before_request_phase = TokenVerifier.new
         | 
| 7 | 
            +
                    OmniAuth.config.request_validation_phase = TokenVerifier.new
         | 
| 9 8 | 
             
                  end
         | 
| 10 9 | 
             
                end
         | 
| 11 10 | 
             
              end
         | 
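Review bot: The initializer at new line 7 now only assigns `OmniAuth.config.request_validation_phase`; the first removed line is truncated on this page (`OmniAuth.config.`), but it appears the explicit request-method restriction previously set here is gone, while the README in this same release still says the gem disables GET access to the request phase. If the gem now relies on OmniAuth 2.0 defaulting `allowed_request_methods` to POST only, that should be recorded next to the assignment so a host application that widens `allowed_request_methods` understands it is reopening a path this gem no longer closes: `# OmniAuth >= 2.0 already restricts the request phase to POST; this gem only installs the CSRF verifier and no longer sets allowed_request_methods itself.` The module and class close within the hunk, but the file header for this section is missing from the page, so its path is not visible here.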
| @@ -28,7 +28,7 @@ Gem::Specification.new do |spec| | |
| 28 28 | 
             
              spec.require_paths = ["lib"]
         | 
| 29 29 |  | 
| 30 30 | 
             
              spec.add_dependency "actionpack", ">= 4.2"
         | 
| 31 | 
            -
              spec.add_dependency "omniauth", " | 
| 31 | 
            +
              spec.add_dependency "omniauth", "~> 2.0"
         | 
| 32 32 |  | 
| 33 33 | 
             
              spec.add_development_dependency "bundler"
         | 
| 34 34 | 
             
              spec.add_development_dependency "minitest"
         | 
    
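--- a/data/test/application_test.rb
+++ b/data/test/application_test.rb
@@ -11,14 +11,16 @@ class ApplicationTest < Minitest::Test
 
   def test_request_phrase_without_token_via_post
     post "/auth/developer"
+    follow_redirect!
 
-    assert last_response.
+    assert last_response.not_found?
   end
 
   def test_request_phrase_with_bad_token_via_post
     post "/auth/developer", authenticity_token: "BAD_TOKEN"
+    follow_redirect!
 
-    assert last_response.
+    assert last_response.not_found?
   end
 
   def test_request_phrase_with_correct_token_via_post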
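Review bot: Both rewritten tests, `test_request_phrase_without_token_via_post` and `test_request_phrase_with_bad_token_via_post`, call `follow_redirect!` and then assert `last_response.not_found?`, so the assertion is on the response of wherever the redirect landed — presumably OmniAuth's failure endpoint, which has no route in the test app — rather than on the rejection itself. `follow_redirect!` does fail when there is no redirect, but nothing pins the redirect target, so a change that sent a rejected request somewhere else would still pass as long as that place 404s. Asserting the target before following, e.g. `assert last_response.redirect?` and `assert_includes last_response.location, "/auth/failure"` if that is indeed the failure route, makes the test state the behaviour the gem guarantees. `ApplicationTest` continues past the hunk; the third test method starts on its last line.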
    
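--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rails_csrf_protection
 version: !ruby/object:Gem::Version
-  version: 0.
+  version: 1.0.0
 platform: ruby
 authors:
 - Cookpad Inc.
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -28,16 +28,16 @@ dependencies:
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - "~>"
     - !ruby/object:Gem::Version
-        version:
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - "~>"
     - !ruby/object:Gem::Version
-        version:
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -124,7 +124,7 @@ homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -139,8 +139,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
 test_files: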