Skip to content
This repository has been archived by the owner on Mar 29, 2022. It is now read-only.

Cve 2015 9284 #351

Merged
merged 15 commits into from
Nov 8, 2019
Merged

Cve 2015 9284 #351

merged 15 commits into from
Nov 8, 2019

Conversation

mkcode
Copy link
Contributor

@mkcode mkcode commented Oct 17, 2019
edited

Original issue is described here: omniauth/omniauth#809
Note about the GitHub security altert: omniauth/omniauth#960

This is the proposed solution: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

...which we cannot use. We can't use this because we are redirecting to the authentication path in a before_filter, which triggers when the user is not logged in.

Redirects only work with GET requests and CSRF tokens only work with POST requests, so the fixes cannot apply here. This means we may need to totally redo the way we handle authentication in order to address this.

Alternatively, if we could call the omniauth request phase direct from our controller, we could not expose a GET route to the outside world, but because omniauth is implemented as a separate rack app, we are unable to do this.

We can use the method in the proposed solution on the wiki if we get rid of our redirect before_filter logic and only login in via forms. I'd really like to avoid this.

This issue has been open since 2015, and still not resolved upstream. I'm Ok with not fixing this for the time being.

PR is now ready to be merged. We implemented an html page, which automatically does a post request via JS to /auth/github

@mkcode mkcode changed the base branch from master to scripts-to-rule-them-all October 17, 2019 20:35
@mkcode mkcode changed the base branch from scripts-to-rule-them-all to master November 7, 2019 19:53
@mkcode
Copy link
Contributor Author

mkcode commented Nov 7, 2019
edited

Temporary redirect page which may be momentarily shown:

image

image

@mkcode
sessions#new html page
f0ccfd3 
This page automatically does a POST request with a valid CSRF token to
auth/github. Contains fallback procedure if the JS fails for some reason.
@mkcode
Fixup our regression testing for this vulnerability
910442a
@mkcode
Copy link
Contributor Author

mkcode commented Nov 7, 2019
edited

I would like to test the sessions#new page auto redirect, but because it requires JS execution to run, and the app is not currently setup to run any JS feature tests, I will pass on it.

@mkcode mkcode marked this pull request as ready for review November 7, 2019 21:33
johndbritton
johndbritton approved these changes Nov 7, 2019
View reviewed changes
Copy link
Contributor

@johndbritton johndbritton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few comments, overall looks good. Nice work.

app/controllers/application_controller.rb Outdated Show resolved Hide resolved
app/controllers/sessions_controller.rb Show resolved Hide resolved
app/views/pages/api_error.html.erb Outdated Show resolved Hide resolved
mkcode and others added 2 commits November 7, 2019 17:44
@mkcode @johndbritton
Remove extra line
9ae4f4c 
Co-Authored-By: John Britton <public@johndbritton.com>
@mkcode @johndbritton
Add info describing CVE in controller
3ae3c32 
Co-Authored-By: John Britton <public@johndbritton.com>
@mkcode mkcode merged commit 65b4802 into master Nov 8, 2019
@mkcode mkcode deleted the CVE-2015-9284 branch November 8, 2019 00:34
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johndbritton johndbritton johndbritton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mkcode @johndbritton