omniauth-rails_csrf_protection 1.0.2 → 2.0.0
- checksums.yaml +4 -4
- data/README.md +15 -0
- data/lib/omniauth/rails_csrf_protection/token_verifier.rb +31 -11
- data/lib/omniauth/rails_csrf_protection/version.rb +1 -1
- data/test/test_helper.rb +14 -1
- metadata +3 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3846d12e29003349aab3262355ab3caa8202537194bf6f46be894f616d17a723
|
|
4
|
+
data.tar.gz: c6458df501c2ca900d58cd1d5d87c10189e2c27a887f91c4de3c47d1ee7eae6c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 62351dc511a547b5f9983a3860e32be7e4ab66fd564f1d21533a5f97a60b6f31752823194342e5c37f4149ac93ef7ab99103330f3adef76e11c0dfc09e3cc49e
|
|
7
|
+
data.tar.gz: c2e6963ce81d58797117f512734eada4a98ec6b9fdeb8d124d239f8159b8341d9dba174e3e9d58b74fd96efd9aeb99ba5143b2c1b63364aaba14263058c68175
|
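--- a/data/README.md
+++ b/data/README.md
@@ -7,6 +7,21 @@ application) by implementing a CSRF token verifier that directly uses
 
 [CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
 
+> [!NOTE]
+> [OmniAuth] has provided a built-in solution to mitigate against
+> [CVE-2015-9284] since [version 2.0.0].
+> You should be able to mitigate against this vulnerability
+> by adding this configuration to your application:
+>
+> ```ruby
+> OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(key: :_csrf_token)
+> ```
+>
+> This gem will continued to be maintained as an alternative to the solution above.
+
+[OmniAuth]: https://github.com/omniauth/omniauth
+[Version 2.0.0]: https://github.com/omniauth/omniauth/releases/tag/v2.0.0
+
 ## Usage
 
 Add this line to your application's Gemfile: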
@@ -1,6 +1,10 @@
|
|
|
1
|
-
require "
|
|
1
|
+
require "action_pack/version"
|
|
2
2
|
require "action_controller"
|
|
3
3
|
|
|
4
|
+
unless ActionPack.version >= Gem::Version.new("8.1.a")
|
|
5
|
+
require "active_support/configurable"
|
|
6
|
+
end
|
|
7
|
+
|
|
4
8
|
module OmniAuth
|
|
5
9
|
module RailsCsrfProtection
|
|
6
10
|
# Provides a callable method that verifies Cross-Site Request Forgery
|
|
@@ -13,20 +17,36 @@ module OmniAuth
|
|
|
13
17
|
# authenticity token, you can find the source code at
|
|
14
18
|
# https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L217-L240.
|
|
15
19
|
class TokenVerifier
|
|
16
|
-
|
|
17
|
-
|
|
20
|
+
if ActionPack.version >= Gem::Version.new("8.1.a")
|
|
21
|
+
# `ActiveSupport::Configurable` is deprecated in Rails 8.1 and will be
|
|
22
|
+
# removed in Rails 8.2. As `ActionController::RequestForgeryProtection`
|
|
23
|
+
# directly accesing configurations via `config`, we only need to define
|
|
24
|
+
# these methods and delegate them to `ActionController::Base.config`.
|
|
25
|
+
def self.config
|
|
26
|
+
ActionController::Base.config
|
|
27
|
+
end
|
|
18
28
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
29
|
+
def config
|
|
30
|
+
self.class.config
|
|
31
|
+
end
|
|
32
|
+
else
|
|
33
|
+
include ActiveSupport::Configurable
|
|
34
|
+
|
|
35
|
+
# `ActionController::RequestForgeryProtection` contains a few
|
|
36
|
+
# configurable options. As we want to make sure that our configuration is
|
|
37
|
+
# the same as what being set in `ActionController::Base`, we should make
|
|
38
|
+
# all out configuration methods to delegate to `ActionController::Base`.
|
|
39
|
+
config.each_key do |configuration_name|
|
|
40
|
+
undef_method configuration_name if defined?(configuration_name)
|
|
41
|
+
define_method configuration_name do
|
|
42
|
+
ActionController::Base.config[configuration_name]
|
|
43
|
+
end
|
|
27
44
|
end
|
|
28
45
|
end
|
|
29
46
|
|
|
47
|
+
# Include this module only after we've prepared the configuration
|
|
48
|
+
include ActionController::RequestForgeryProtection
|
|
49
|
+
|
|
30
50
|
def call(env)
|
|
31
51
|
dup._call(env)
|
|
32
52
|
end
|
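Review bot: In the `else` branch (Rails < 8.1) the `config.each_key` loop now runs before `include ActionController::RequestForgeryProtection`, which the commit moves below the `if`/`else`; at that point the `config` provided by `ActiveSupport::Configurable` presumably holds no keys yet, so the loop is a no-op and the accessors that `RequestForgeryProtection` defines when it is included afterwards read the verifier's own config rather than `ActionController::Base.config`, which is the opposite of what the comment on those lines says the loop is for. The removed old-side lines 16–26 are blank on this page, so the previous ordering cannot be confirmed here, but the new ordering alone is enough to raise the point. I would include `RequestForgeryProtection` inside each branch instead of once after them — in the `else` branch directly after `include ActiveSupport::Configurable` and before the loop, in the 8.1 branch after the two `config` definitions — and guard the undef with `method_defined?`, because `defined?(configuration_name)` only tests the block parameter itself and is always truthy. A test that sets a value on `ActionController::Base.config` (for example `forgery_protection_origin_check`) and checks that a `TokenVerifier` instance observes it would pin the delegation on both branches. The `TokenVerifier` class continues past the end of the hunk.
```ruby
      if ActionPack.version >= Gem::Version.new("8.1.a")
        # … unchanged: self.config / config delegating to ActionController::Base.config …
        include ActionController::RequestForgeryProtection
      else
        include ActiveSupport::Configurable
        # Include first so that `config` already carries the module's keys
        # when the delegation loop below rewrites their readers.
        include ActionController::RequestForgeryProtection

        config.each_key do |configuration_name|
          undef_method configuration_name if method_defined?(configuration_name)
          # … unchanged: define_method delegating to ActionController::Base.config …
        end
      end
```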
data/test/test_helper.rb
CHANGED
|
@@ -13,6 +13,7 @@ end
|
|
|
13
13
|
|
|
14
14
|
silence_warnings do
|
|
15
15
|
require "bundler/inline"
|
|
16
|
+
require "logger"
|
|
16
17
|
|
|
17
18
|
# Define dependencies required by this test app
|
|
18
19
|
gemfile do
|
|
@@ -24,12 +25,17 @@ silence_warnings do
|
|
|
24
25
|
gem "rails"
|
|
25
26
|
end
|
|
26
27
|
|
|
28
|
+
if RUBY_VERSION >= "3.4"
|
|
29
|
+
gem "bigdecimal"
|
|
30
|
+
gem "mutex_m"
|
|
31
|
+
end
|
|
32
|
+
|
|
27
33
|
gem "omniauth"
|
|
28
34
|
gem "omniauth-rails_csrf_protection", path: File.expand_path("..", __dir__)
|
|
29
35
|
end
|
|
30
36
|
end
|
|
31
37
|
|
|
32
|
-
puts "Running test against Rails #{Rails.version}"
|
|
38
|
+
puts "Running test on Ruby #{RUBY_VERSION} against Rails #{Rails.version}"
|
|
33
39
|
|
|
34
40
|
require "rack/test"
|
|
35
41
|
require "action_controller/railtie"
|
|
@@ -57,6 +63,13 @@ class TestApp < Rails::Application
|
|
|
57
63
|
provider :developer
|
|
58
64
|
end
|
|
59
65
|
|
|
66
|
+
# Silence the deprecation warning in Rails 8.0.x
|
|
67
|
+
if Rails.version.is_a?(Gem::Version) &&
|
|
68
|
+
Rails.version >= Gem::Version.new("8.0.x") &&
|
|
69
|
+
Rails.version < Gem::Version.new("8.1")
|
|
70
|
+
config.active_support.to_time_preserves_timezone = :zone
|
|
71
|
+
end
|
|
72
|
+
|
|
60
73
|
# We need to call initialize! to run all railties
|
|
61
74
|
initialize!
|
|
62
75
|
|
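Review bot: The guard on new lines 67–69 can never pass, because `Rails.version` returns the version String (`Rails::VERSION::STRING`), not a `Gem::Version`, so `config.active_support.to_time_preserves_timezone = :zone` is dead code and the Rails 8.0 deprecation the comment intends to silence still fires. `Rails.gem_version` is the `Gem::Version` form, so the condition can be `if Rails.gem_version >= Gem::Version.new("8.0") && Rails.gem_version < Gem::Version.new("8.1")`. Note also that `Gem::Version.new("8.0.x")` is parsed as a prerelease that sorts below `8.0`, so `"8.0"` is the clearer lower bound. This hunk sits inside `class TestApp < Rails::Application`, which begins and ends outside the hunk.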
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-rails_csrf_protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 2.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cookpad Inc.
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: actionpack
|
|
@@ -117,7 +116,6 @@ homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
|
|
|
117
116
|
licenses:
|
|
118
117
|
- MIT
|
|
119
118
|
metadata: {}
|
|
120
|
-
post_install_message:
|
|
121
119
|
rdoc_options: []
|
|
122
120
|
require_paths:
|
|
123
121
|
- lib
|
|
@@ -132,8 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
132
130
|
- !ruby/object:Gem::Version
|
|
133
131
|
version: '0'
|
|
134
132
|
requirements: []
|
|
135
|
-
rubygems_version: 3.
|
|
136
|
-
signing_key:
|
|
133
|
+
rubygems_version: 3.6.9
|
|
137
134
|
specification_version: 4
|
|
138
135
|
summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
|
|
139
136
|
test_files:
|