omniauth-rails_csrf_protection 1.0.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b7c9f0953f60f411b88e66c914509308274d46c44a5fa42e1531740fc94c0be5
-  data.tar.gz: 1420e37a8f982fded587e1960309871054fc7e4a6ae4e237d5783025983a4c31
+  metadata.gz: 3846d12e29003349aab3262355ab3caa8202537194bf6f46be894f616d17a723
+  data.tar.gz: c6458df501c2ca900d58cd1d5d87c10189e2c27a887f91c4de3c47d1ee7eae6c
 SHA512:
-  metadata.gz: 95efbe6ce15fd93acf8e4953ffbc058e681dda33f0a129a3b0a33c1c9000faf25a4bb789de45cd89603cfa2e5702b15c51db6468bbf616754199cf54e55cf750
-  data.tar.gz: dabea2ed5fddeda77f46fd7cee2a4f1b5f79d8dc042eba02dc64fda6ef304f828cce81d63c42a2592cd059511d080a6dd77db4ceb5de8dc17740e6d58fea04fb
+  metadata.gz: 62351dc511a547b5f9983a3860e32be7e4ab66fd564f1d21533a5f97a60b6f31752823194342e5c37f4149ac93ef7ab99103330f3adef76e11c0dfc09e3cc49e
+  data.tar.gz: c2e6963ce81d58797117f512734eada4a98ec6b9fdeb8d124d239f8159b8341d9dba174e3e9d58b74fd96efd9aeb99ba5143b2c1b63364aaba14263058c68175

data/README.md

@@ -5,10 +5,23 @@ Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
 application) by implementing a CSRF token verifier that directly uses
 `ActionController::RequestForgeryProtection` code from Rails.
 
-[![CircleCI](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/main.svg?style=svg)](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/main)
-
 [CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
 
+> [!NOTE]
+> [OmniAuth] has provided a built-in solution to mitigate against
+> [CVE-2015-9284] since [version 2.0.0].
+> You should be able to mitigate against this vulnerability
+> by adding this configuration to your application:
+>
+> ```ruby
+> OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(key: :_csrf_token)
+> ```
+>
+> This gem will continued to be maintained as an alternative to the solution above.
+
+[OmniAuth]: https://github.com/omniauth/omniauth
+[Version 2.0.0]: https://github.com/omniauth/omniauth/releases/tag/v2.0.0
+
 ## Usage
 
 Add this line to your application's Gemfile:

data/lib/omniauth/rails_csrf_protection/token_verifier.rb

@@ -1,6 +1,10 @@
-require "active_support/configurable"
+require "action_pack/version"
 require "action_controller"
 
+unless ActionPack.version >= Gem::Version.new("8.1.a")
+  require "active_support/configurable"
+end
+
 module OmniAuth
   module RailsCsrfProtection
     # Provides a callable method that verifies Cross-Site Request Forgery
@@ -13,21 +17,41 @@ module OmniAuth
     # authenticity token, you can find the source code at
     # https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L217-L240.
     class TokenVerifier
-      include ActiveSupport::Configurable
-      include ActionController::RequestForgeryProtection
+      if ActionPack.version >= Gem::Version.new("8.1.a")
+        # `ActiveSupport::Configurable` is deprecated in Rails 8.1 and will be
+        # removed in Rails 8.2. As `ActionController::RequestForgeryProtection`
+        # directly accesing configurations via `config`, we only need to define
+        # these methods and delegate them to `ActionController::Base.config`.
+        def self.config
+          ActionController::Base.config
+        end
+
+        def config
+          self.class.config
+        end
+      else
+        include ActiveSupport::Configurable
 
-      # `ActionController::RequestForgeryProtection` contains a few
-      # configurable options. As we want to make sure that our configuration is
-      # the same as what being set in `ActionController::Base`, we should make
-      # all out configuration methods to delegate to `ActionController::Base`.
-      config.each_key do |configuration_name|
-        undef_method configuration_name
-        define_method configuration_name do
-          ActionController::Base.config[configuration_name]
+        # `ActionController::RequestForgeryProtection` contains a few
+        # configurable options. As we want to make sure that our configuration is
+        # the same as what being set in `ActionController::Base`, we should make
+        # all out configuration methods to delegate to `ActionController::Base`.
+        config.each_key do |configuration_name|
+          undef_method configuration_name if defined?(configuration_name)
+          define_method configuration_name do
+            ActionController::Base.config[configuration_name]
+          end
         end
       end
 
+      # Include this module only after we've prepared the configuration
+      include ActionController::RequestForgeryProtection
+
       def call(env)
+        dup._call(env)
+      end
+
+      def _call(env)
         @request = ActionDispatch::Request.new(env.dup)
 
         unless verified_request?

data/lib/omniauth/rails_csrf_protection/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module RailsCsrfProtection
-    VERSION = "1.0.1".freeze
+    VERSION = "2.0.0".freeze
   end
 end

data/test/test_helper.rb

@@ -13,18 +13,29 @@ end
 
 silence_warnings do
   require "bundler/inline"
+  require "logger"
 
   # Define dependencies required by this test app
   gemfile do
     source "https://rubygems.org"
 
-    gem "rails"
+    if ENV["RAILS_VERSION"] == "edge"
+      gem "rails", git: "https://github.com/rails/rails.git", branch: "main"
+    else
+      gem "rails"
+    end
+
+    if RUBY_VERSION >= "3.4"
+      gem "bigdecimal"
+      gem "mutex_m"
+    end
+
     gem "omniauth"
     gem "omniauth-rails_csrf_protection", path: File.expand_path("..", __dir__)
   end
 end
 
-puts "Running test against Rails #{Rails.version}"
+puts "Running test on Ruby #{RUBY_VERSION} against Rails #{Rails.version}"
 
 require "rack/test"
 require "action_controller/railtie"
@@ -34,7 +45,7 @@ require "minitest/autorun"
 class TestApp < Rails::Application
   config.root = __dir__
   config.session_store :cookie_store, key: "cookie_store_key"
-  secrets.secret_key_base = "secret_key_base"
+  config.secret_key_base = "secret_key_base"
   config.eager_load = false
   config.hosts = []
 
@@ -52,6 +63,13 @@ class TestApp < Rails::Application
     provider :developer
   end
 
+  # Silence the deprecation warning in Rails 8.0.x
+  if Rails.version.is_a?(Gem::Version) &&
+      Rails.version >= Gem::Version.new("8.0.x") &&
+      Rails.version < Gem::Version.new("8.1")
+    config.active_support.to_time_preserves_timezone = :zone
+  end
+
   # We need to call initialize! to run all railties
   initialize!
 

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-rails_csrf_protection
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Cookpad Inc.
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-07 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -105,26 +104,18 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".circleci/config.yml"
-- ".gitignore"
-- ".rubocop.yml"
-- CODE_OF_CONDUCT.md
-- Gemfile
 - LICENSE.txt
 - README.md
-- Rakefile
 - lib/omniauth/rails_csrf_protection.rb
 - lib/omniauth/rails_csrf_protection/railtie.rb
 - lib/omniauth/rails_csrf_protection/token_verifier.rb
 - lib/omniauth/rails_csrf_protection/version.rb
-- omniauth-rails_csrf_protection.gemspec
 - test/application_test.rb
 - test/test_helper.rb
 homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -139,8 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
 test_files:

data/.circleci/config.yml

@@ -1,241 +0,0 @@
-version: 2.1
-
-build_steps: &build_steps
-  steps:
-    - checkout
-    - run:
-        name: Install dependencies
-        command: bundle update
-    - run:
-        command: |-
-          echo "Ruby version:" $(ruby -v)
-          echo "Rails version: " $(rails -v)
-        name: Show build information
-    - run:
-        name: Run tests
-        command: rake
-
-ruby-2-4: &ruby-2-4
-  docker:
-    - image: circleci/ruby:2.4
-
-ruby-2-5: &ruby-2-5
-  docker:
-    - image: cimg/ruby:2.5
-
-ruby-2-6: &ruby-2-6
-  docker:
-    - image: cimg/ruby:2.6
-
-ruby-2-7: &ruby-2-7
-  docker:
-    - image: cimg/ruby:2.7
-
-ruby-3-0: &ruby-3-0
-  docker:
-    - image: cimg/ruby:3.0
-
-ruby-3-1: &ruby-3-1
-  docker:
-    - image: cimg/ruby:3.1
-
-rails-4-2: &rails-4-2
-  environment:
-      RAILS_VERSION: "~> 4.2.0"
-
-rails-5-0: &rails-5-0
-  environment:
-      RAILS_VERSION: "~> 5.0.0"
-
-rails-5-1: &rails-5-1
-  environment:
-      RAILS_VERSION: "~> 5.1.0"
-
-rails-5-2: &rails-5-2
-  environment:
-      RAILS_VERSION: "~> 5.2.0"
-
-rails-6-0: &rails-6-0
-  environment:
-      RAILS_VERSION: "~> 6.0.0"
-
-rails-6-1: &rails-6-1
-  environment:
-      RAILS_VERSION: "~> 6.1.0"
-
-rails-7-0: &rails-7-0
-  environment:
-      RAILS_VERSION: "~> 7.0.0"
-
-rails-edge: &rails-edge
-  environment:
-      RAILS_BRANCH: "main"
-
-jobs:
-  "ruby-2-4-rails-4-2":
-    <<: *ruby-2-4
-    <<: *rails-4-2
-    <<: *build_steps
-  "ruby-2-4-rails-5-0":
-    <<: *ruby-2-4
-    <<: *rails-5-0
-    <<: *build_steps
-  "ruby-2-4-rails-5-1":
-    <<: *ruby-2-4
-    <<: *rails-5-1
-    <<: *build_steps
-  "ruby-2-4-rails-5-2":
-    <<: *ruby-2-4
-    <<: *rails-5-2
-    <<: *build_steps
-
-  "ruby-2-5-rails-5-0":
-    <<: *ruby-2-5
-    <<: *rails-5-0
-    <<: *build_steps
-  "ruby-2-5-rails-5-1":
-    <<: *ruby-2-5
-    <<: *rails-5-1
-    <<: *build_steps
-  "ruby-2-5-rails-5-2":
-    <<: *ruby-2-5
-    <<: *rails-5-2
-    <<: *build_steps
-  "ruby-2-5-rails-6-0":
-    <<: *ruby-2-5
-    <<: *rails-6-0
-    <<: *build_steps
-  "ruby-2-5-rails-6-1":
-    <<: *ruby-2-5
-    <<: *rails-6-1
-    <<: *build_steps
-  "ruby-2-5-rails-edge":
-    <<: *ruby-2-5
-    <<: *rails-edge
-    <<: *build_steps
-
-  "ruby-2-6-rails-5-0":
-    <<: *ruby-2-6
-    <<: *rails-5-0
-    <<: *build_steps
-  "ruby-2-6-rails-5-1":
-    <<: *ruby-2-6
-    <<: *rails-5-1
-    <<: *build_steps
-  "ruby-2-6-rails-5-2":
-    <<: *ruby-2-6
-    <<: *rails-5-2
-    <<: *build_steps
-  "ruby-2-6-rails-6-0":
-    <<: *ruby-2-6
-    <<: *rails-6-0
-    <<: *build_steps
-  "ruby-2-6-rails-6-1":
-    <<: *ruby-2-6
-    <<: *rails-6-1
-    <<: *build_steps
-  "ruby-2-6-rails-edge":
-    <<: *ruby-2-6
-    <<: *rails-edge
-    <<: *build_steps
-
-  "ruby-2-7-rails-5-0":
-    <<: *ruby-2-7
-    <<: *rails-5-0
-    <<: *build_steps
-  "ruby-2-7-rails-5-1":
-    <<: *ruby-2-7
-    <<: *rails-5-1
-    <<: *build_steps
-  "ruby-2-7-rails-5-2":
-    <<: *ruby-2-7
-    <<: *rails-5-2
-    <<: *build_steps
-  "ruby-2-7-rails-6-0":
-    <<: *ruby-2-7
-    <<: *rails-6-0
-    <<: *build_steps
-  "ruby-2-7-rails-6-1":
-    <<: *ruby-2-7
-    <<: *rails-6-1
-    <<: *build_steps
-  "ruby-2-7-rails-7-0":
-    <<: *ruby-2-7
-    <<: *rails-7-0
-    <<: *build_steps
-  "ruby-2-7-rails-edge":
-    <<: *ruby-2-7
-    <<: *rails-edge
-    <<: *build_steps
-
-  "ruby-3-0-rails-6-0":
-    <<: *ruby-3-0
-    <<: *rails-6-0
-    <<: *build_steps
-  "ruby-3-0-rails-6-1":
-    <<: *ruby-3-0
-    <<: *rails-6-1
-    <<: *build_steps
-  "ruby-3-0-rails-7-0":
-    <<: *ruby-3-0
-    <<: *rails-7-0
-    <<: *build_steps
-  "ruby-3-0-rails-edge":
-    <<: *ruby-3-0
-    <<: *rails-edge
-    <<: *build_steps
-
-  "ruby-3-1-rails-6-0":
-    <<: *ruby-3-1
-    <<: *rails-6-0
-    <<: *build_steps
-  "ruby-3-1-rails-6-1":
-    <<: *ruby-3-1
-    <<: *rails-6-1
-    <<: *build_steps
-  "ruby-3-1-rails-7-0":
-    <<: *ruby-3-1
-    <<: *rails-7-0
-    <<: *build_steps
-  "ruby-3-1-rails-edge":
-    <<: *ruby-3-1
-    <<: *rails-edge
-    <<: *build_steps
-
-workflows:
-  version: 2
-  build:
-    jobs:
-      - "ruby-2-4-rails-4-2"
-      - "ruby-2-4-rails-5-1"
-      - "ruby-2-4-rails-5-2"
-
-      - "ruby-2-5-rails-5-0"
-      - "ruby-2-5-rails-5-1"
-      - "ruby-2-5-rails-5-2"
-      - "ruby-2-5-rails-6-0"
-      - "ruby-2-5-rails-6-1"
-
-      - "ruby-2-6-rails-5-0"
-      - "ruby-2-6-rails-5-1"
-      - "ruby-2-6-rails-5-2"
-      - "ruby-2-6-rails-6-0"
-      - "ruby-2-6-rails-6-1"
-
-      - "ruby-2-7-rails-5-0"
-      - "ruby-2-7-rails-5-1"
-      - "ruby-2-7-rails-5-2"
-      - "ruby-2-7-rails-6-0"
-      - "ruby-2-7-rails-6-1"
-      - "ruby-2-7-rails-7-0"
-      - "ruby-2-7-rails-edge"
-
-      - "ruby-3-0-rails-6-0"
-      - "ruby-3-0-rails-6-1"
-      - "ruby-3-0-rails-7-0"
-      - "ruby-3-0-rails-edge"
-
-      - "ruby-3-1-rails-6-0"
-      - "ruby-3-1-rails-6-1"
-      - "ruby-3-1-rails-7-0"
-      - "ruby-3-1-rails-edge"

data/.gitignore

@@ -1,10 +0,0 @@
-/.bundle/
-/.rubocop-*
-/.yardoc
-/Gemfile.lock
-/_yardoc/
-/coverage/
-/doc/
-/pkg/
-/spec/reports/
-/tmp/

data/.rubocop.yml

@@ -1,9 +0,0 @@
-inherit_from:
-  - https://raw.githubusercontent.com/cookpad/global-style-guides/master/.rubocop.yml
-
-AllCops:
-  TargetRubyVersion: 2.5
-
-# Disable this as this does not apply to rack-test
-Rails/HttpPositionalArguments:
-  Enabled: false

data/CODE_OF_CONDUCT.md

@@ -1,75 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age,
-body size, disability, ethnicity, gender identity and expression, level of
-experience, nationality, personal appearance, race, religion, or sexual
-identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
-  advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an
-appointed representative at an online or offline event. Representation of a
-project may be further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at kaihatsu@cookpad.com. All complaints
-will be reviewed and investigated and will result in a response that is deemed
-necessary and appropriate to the circumstances. The project team is obligated
-to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 1.4, available at
-[http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -1,11 +0,0 @@
-source "https://rubygems.org"
-
-# rubocop:disable Bundler/DuplicatedGem
-if ENV["RAILS_VERSION"]
-  gem "rails", ENV["RAILS_VERSION"]
-elsif ENV["RAILS_BRANCH"]
-  gem "rails", git: "https://github.com/rails/rails.git", branch: ENV["RAILS_BRANCH"]
-end
-# rubocop:enable Bundler/DuplicatedGem
-
-gemspec

data/Rakefile

@@ -1,10 +0,0 @@
-require "bundler/gem_tasks"
-require "rake/testtask"
-
-Rake::TestTask.new(:test) do |t|
-  t.libs << "test"
-  t.libs << "lib"
-  t.test_files = FileList["test/**/*_test.rb"]
-end
-
-task default: :test

data/omniauth-rails_csrf_protection.gemspec

@@ -1,37 +0,0 @@
-lib = File.expand_path("lib", __dir__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "omniauth/rails_csrf_protection/version"
-
-Gem::Specification.new do |spec|
-  spec.name        = "omniauth-rails_csrf_protection"
-  spec.version     = OmniAuth::RailsCsrfProtection::VERSION
-  spec.authors     = ["Cookpad Inc."]
-  spec.email       = ["kaihatsu@cookpad.com"]
-
-  spec.summary     = <<~SUMMARY
-    Provides CSRF protection on OmniAuth request endpoint on Rails application.
-  SUMMARY
-
-  spec.description = <<~DESCRIPTION
-    This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
-    Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
-    application) by implementing a CSRF token verifier that directly utilize
-    `ActionController::RequestForgeryProtection` code from Rails.
-  DESCRIPTION
-
-  spec.homepage    = "https://github.com/cookpad/omniauth-rails_csrf_protection"
-  spec.license     = "MIT"
-
-  spec.files       = `git ls-files`.split("\n")
-  spec.test_files  = `git ls-files -- test/*`.split("\n")
-
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "actionpack", ">= 4.2"
-  spec.add_dependency "omniauth", "~> 2.0"
-
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "minitest"
-  spec.add_development_dependency "rails"
-  spec.add_development_dependency "rake"
-end