omniauth-rails_csrf_protection 0.1.2 → 1.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/.circleci/config.yml +72 -1
  3. data/README.md +9 -7
  4. data/lib/omniauth/rails_csrf_protection/railtie.rb +1 -2
  5. data/lib/omniauth/rails_csrf_protection/version.rb +1 -1
  6. data/omniauth-rails_csrf_protection.gemspec +1 -1
  7. data/test/application_test.rb +4 -2
  8. metadata +10 -10
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6ddd12c3aa3f5c4f89fbfeceeef6809aeee75e299cd2671447240368334553d4
4
- data.tar.gz: 27675eb799f7693ae06ed1327efcb50b93f4c9944bc5c2882dff4aa48364fc57
3
+ metadata.gz: f892f67e16cc87463da3671c7109d84cf2c672ab9f48e3f15c0ea26e2d0de891
4
+ data.tar.gz: 972512c31e47d1ca67255adf9e962a1082c3025ae28dbc9f27abdbdc726784c8
5
5
  SHA512:
6
- metadata.gz: 73c42c5bc5763dc015c27685436b1dc01d04f2161b9f9717d223019e2bbb0c2785aeabbf9044369dfeca7d19a1c5251c6f47b11f7b37fb0c15aedb833536d871
7
- data.tar.gz: a92516800f4e6817eb762cf74b64e525813948024ef3362e8b02d4a608fc280f1a3b0cde2c498ec9760ee98b94af8d6c40fa556db6d8e6f1078056f41083a026
6
+ metadata.gz: bd891acf5bbde8455180fe33d076bee9d62413d06c32a610336586346c40ff71a1f30adf5b3cfaf2ad4f768f9f69fbbf27040a0c805bc09462b27e3f7e10115a
7
+ data.tar.gz: e17f26e0b3224a0f5c8660ec7f7d7524690b18df2f1004f9bdc097cdef04026c6d7c4c15433d0d349087333b4a381b79624b65c9361975c1a123ca34313643b2
data/.circleci/config.yml CHANGED
@@ -27,6 +27,14 @@ ruby-2-6: &ruby-2-6
27
27
  docker:
28
28
  - image: circleci/ruby:2.6
29
29
 
30
+ ruby-2-7: &ruby-2-7
31
+ docker:
32
+ - image: circleci/ruby:2.7
33
+
34
+ ruby-3-0: &ruby-3-0
35
+ docker:
36
+ - image: circleci/ruby:3.0
37
+
30
38
  rails-4-2: &rails-4-2
31
39
  environment:
32
40
  RAILS_VERSION: "~> 4.2.0"
@@ -45,7 +53,11 @@ rails-5-2: &rails-5-2
45
53
 
46
54
  rails-6-0: &rails-6-0
47
55
  environment:
48
- RAILS_VERSION: "6.0.0.rc1"
56
+ RAILS_VERSION: "~> 6.0.0"
57
+
58
+ rails-6-1: &rails-6-1
59
+ environment:
60
+ RAILS_VERSION: "~> 6.1.0"
49
61
 
50
62
  rails-edge: &rails-edge
51
63
  environment:
@@ -85,6 +97,10 @@ jobs:
85
97
  <<: *ruby-2-5
86
98
  <<: *rails-6-0
87
99
  <<: *build_steps
100
+ "ruby-2-5-rails-6-1":
101
+ <<: *ruby-2-5
102
+ <<: *rails-6-1
103
+ <<: *build_steps
88
104
  "ruby-2-5-rails-edge":
89
105
  <<: *ruby-2-5
90
106
  <<: *rails-edge
@@ -106,11 +122,53 @@ jobs:
106
122
  <<: *ruby-2-6
107
123
  <<: *rails-6-0
108
124
  <<: *build_steps
125
+ "ruby-2-6-rails-6-1":
126
+ <<: *ruby-2-6
127
+ <<: *rails-6-1
128
+ <<: *build_steps
109
129
  "ruby-2-6-rails-edge":
110
130
  <<: *ruby-2-6
111
131
  <<: *rails-edge
112
132
  <<: *build_steps
113
133
 
134
+ "ruby-2-7-rails-5-0":
135
+ <<: *ruby-2-7
136
+ <<: *rails-5-0
137
+ <<: *build_steps
138
+ "ruby-2-7-rails-5-1":
139
+ <<: *ruby-2-7
140
+ <<: *rails-5-1
141
+ <<: *build_steps
142
+ "ruby-2-7-rails-5-2":
143
+ <<: *ruby-2-7
144
+ <<: *rails-5-2
145
+ <<: *build_steps
146
+ "ruby-2-7-rails-6-0":
147
+ <<: *ruby-2-7
148
+ <<: *rails-6-0
149
+ <<: *build_steps
150
+ "ruby-2-7-rails-6-1":
151
+ <<: *ruby-2-7
152
+ <<: *rails-6-1
153
+ <<: *build_steps
154
+ "ruby-2-7-rails-edge":
155
+ <<: *ruby-2-7
156
+ <<: *rails-edge
157
+ <<: *build_steps
158
+
159
+ "ruby-3-0-rails-6-0":
160
+ <<: *ruby-3-0
161
+ <<: *rails-6-0
162
+ <<: *build_steps
163
+ "ruby-3-0-rails-6-1":
164
+ <<: *ruby-3-0
165
+ <<: *rails-6-1
166
+ <<: *build_steps
167
+ "ruby-3-0-rails-edge":
168
+ <<: *ruby-3-0
169
+ <<: *rails-edge
170
+ <<: *build_steps
171
+
114
172
  workflows:
115
173
  version: 2
116
174
  build:
@@ -123,10 +181,23 @@ workflows:
123
181
  - "ruby-2-5-rails-5-1"
124
182
  - "ruby-2-5-rails-5-2"
125
183
  - "ruby-2-5-rails-6-0"
184
+ - "ruby-2-5-rails-6-1"
126
185
  - "ruby-2-5-rails-edge"
127
186
 
128
187
  - "ruby-2-6-rails-5-0"
129
188
  - "ruby-2-6-rails-5-1"
130
189
  - "ruby-2-6-rails-5-2"
131
190
  - "ruby-2-6-rails-6-0"
191
+ - "ruby-2-6-rails-6-1"
132
192
  - "ruby-2-6-rails-edge"
193
+
194
+ - "ruby-2-7-rails-5-0"
195
+ - "ruby-2-7-rails-5-1"
196
+ - "ruby-2-7-rails-5-2"
197
+ - "ruby-2-7-rails-6-0"
198
+ - "ruby-2-7-rails-6-1"
199
+ - "ruby-2-7-rails-edge"
200
+
201
+ - "ruby-3-0-rails-6-0"
202
+ - "ruby-3-0-rails-6-1"
203
+ - "ruby-3-0-rails-edge"
data/README.md CHANGED
@@ -1,12 +1,14 @@
1
1
  # OmniAuth - Rails CSRF Protection
2
2
 
3
- This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
4
- Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
5
- application) by implementing a CSRF token verifier that directly utilize
3
+ This gem provides a mitigation against [CVE-2015-9284] (Cross-Site Request
4
+ Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
5
+ application) by implementing a CSRF token verifier that directly uses
6
6
  `ActionController::RequestForgeryProtection` code from Rails.
7
7
 
8
8
  [![CircleCI](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/master.svg?style=svg)](https://circleci.com/gh/cookpad/omniauth-rails_csrf_protection/tree/master)
9
9
 
10
+ [CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
11
+
10
12
  ## Usage
11
13
 
12
14
  Add this line to your application's Gemfile:
@@ -18,7 +20,7 @@ gem "omniauth-rails_csrf_protection"
18
20
  Then run `bundle install` to install this gem.
19
21
 
20
22
  You will then need to verify that all links in your application that would
21
- initiate OAuth request phrase are being converted to a HTTP POST form that
23
+ initiate OAuth request phase are being converted to a HTTP POST form that
22
24
  contains `authenticity_token` value. This might simply be done by changing all
23
25
  `link_to` to `button_to`, or use `link_to ..., method: :post`.
24
26
 
@@ -26,10 +28,10 @@ contains `authenticity_token` value. This might simply be done by changing all
26
28
 
27
29
  This gem does a few things to your application:
28
30
 
29
- * Disable access to the OAuth request phrase using HTTP GET method.
30
- * Insert a Rails CSRF token verifier at before request phrase.
31
+ * Disable access to the OAuth request phase using HTTP GET method.
32
+ * Insert a Rails CSRF token verifier at the before request phase.
31
33
 
32
- These actions mitigate you from the attack vector described in CVE-2015-9284.
34
+ These actions mitigate you from the attack vector described in [CVE-2015-9284].
33
35
 
34
36
  ## Contributing
35
37
 
data/lib/omniauth/rails_csrf_protection/railtie.rb CHANGED
@@ -4,8 +4,7 @@ module OmniAuth
4
4
  module RailsCsrfProtection
5
5
  class Railtie < Rails::Railtie
6
6
  initializer "omniauth-rails_csrf_protection.initialize" do
7
- OmniAuth.config.allowed_request_methods = [:post]
8
- OmniAuth.config.before_request_phase = TokenVerifier.new
7
+ OmniAuth.config.request_validation_phase = TokenVerifier.new
9
8
  end
10
9
  end
11
10
  end
data/lib/omniauth/rails_csrf_protection/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module RailsCsrfProtection
3
- VERSION = "0.1.2".freeze
3
+ VERSION = "1.0.0".freeze
4
4
  end
5
5
  end
data/omniauth-rails_csrf_protection.gemspec CHANGED
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
28
28
  spec.require_paths = ["lib"]
29
29
 
30
30
  spec.add_dependency "actionpack", ">= 4.2"
31
- spec.add_dependency "omniauth", ">= 1.3.1"
31
+ spec.add_dependency "omniauth", "~> 2.0"
32
32
 
33
33
  spec.add_development_dependency "bundler"
34
34
  spec.add_development_dependency "minitest"
data/test/application_test.rb CHANGED
@@ -11,14 +11,16 @@ class ApplicationTest < Minitest::Test
11
11
 
12
12
  def test_request_phrase_without_token_via_post
13
13
  post "/auth/developer"
14
+ follow_redirect!
14
15
 
15
- assert last_response.unprocessable?
16
+ assert last_response.not_found?
16
17
  end
17
18
 
18
19
  def test_request_phrase_with_bad_token_via_post
19
20
  post "/auth/developer", authenticity_token: "BAD_TOKEN"
21
+ follow_redirect!
20
22
 
21
- assert last_response.unprocessable?
23
+ assert last_response.not_found?
22
24
  end
23
25
 
24
26
  def test_request_phrase_with_correct_token_via_post
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-rails_csrf_protection
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.2
4
+ version: 1.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Cookpad Inc.
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-06-04 00:00:00.000000000 Z
11
+ date: 2021-01-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: actionpack
@@ -28,16 +28,16 @@ dependencies:
28
28
  name: omniauth
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - ">="
31
+ - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 1.3.1
33
+ version: '2.0'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - ">="
38
+ - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 1.3.1
40
+ version: '2.0'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: bundler
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -124,7 +124,7 @@ homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
124
124
  licenses:
125
125
  - MIT
126
126
  metadata: {}
127
- post_install_message:
127
+ post_install_message:
128
128
  rdoc_options: []
129
129
  require_paths:
130
130
  - lib
@@ -139,8 +139,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
139
139
  - !ruby/object:Gem::Version
140
140
  version: '0'
141
141
  requirements: []
142
- rubygems_version: 3.0.3
143
- signing_key:
142
+ rubygems_version: 3.1.4
143
+ signing_key:
144
144
  specification_version: 4
145
145
  summary: Provides CSRF protection on OmniAuth request endpoint on Rails application.
146
146
  test_files: