dropping omniauth due to CVE-2015-9284

https://github.com/fiedl/your_platform/network/alert/Gemfile.lock/omniauth/open
omniauth/omniauth#960
omniauth/omniauth#809

I've subscribed to these issues to get notified when there is a fixed release.

https://trello.com/c/Qgekdkea/1337

Gemfile.lock

@@ -85,10 +85,6 @@ PATH
       neography
       net-ldap
       nokogiri (>= 1.8.1)
-      omniauth-facebook (~> 3.0.0)
-      omniauth-github
-      omniauth-google-oauth2
-      omniauth-twitter
       phony
       prawn (= 2.0.2)
       public_activity (~> 1.4.1)
@@ -341,7 +337,6 @@ GEM
     json (2.1.0)
     judge (3.0.0)
       rails (>= 5.0)
-    jwt (2.2.1)
     kgio (2.11.0)
     launchy (2.4.3)
       addressable (~> 2.3)
@@ -370,7 +365,6 @@ GEM
     mini_portile2 (2.4.0)
     minitest (5.11.3)
     multi_json (1.13.1)
-    multi_xml (0.6.0)
     multipart-post (2.1.1)
     mustermann (1.0.3)
     mysql2 (0.4.9)
@@ -387,33 +381,6 @@ GEM
     nokogiri (1.10.3)
       mini_portile2 (~> 2.4.0)
     oauth (0.5.4)
-    oauth2 (1.4.1)
-      faraday (>= 0.8, < 0.16.0)
-      jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.9.0)
-      hashie (>= 3.4.6, < 3.7.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (3.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-github (1.3.0)
-      omniauth (~> 1.5)
-      omniauth-oauth2 (>= 1.4.0, < 2.0)
-    omniauth-google-oauth2 (0.7.0)
-      jwt (>= 2.0)
-      omniauth (>= 1.1.1)
-      omniauth-oauth2 (>= 1.5)
-    omniauth-oauth (1.1.0)
-      oauth
-      omniauth (~> 1.0)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    omniauth-twitter (1.4.0)
-      omniauth-oauth (~> 1.1)
-      rack
     orm_adapter (0.5.0)
     os (1.0.1)
     parallel (1.12.0)

app/controllers/sessions_controller.rb

@@ -22,15 +22,17 @@ def new
   #
   def create
     begin
-      if params[:provider].present?
-        auth = request.env['omniauth.auth']
-        user = User.from_omniauth(auth) || raise(ActionController::BadRequest, "Omniauth user not found via email: #{auth.info.email}")
-        account = user.account || raise(ActionController::BadRequest, "User has no account.")
-
-        sign_in_and_redirect account, event: :authentication
-      else
+      # dropped omniauth due to https://github.com/fiedl/your_platform/network/alert/demo_app/my_platform/Gemfile.lock/omniauth/open
+
+      #if params[:provider].present?
+      #  auth = request.env['omniauth.auth']
+      #  user = User.from_omniauth(auth) || raise(ActionController::BadRequest, "Omniauth user not found via email: #{auth.info.email}")
+      #  account = user.account || raise(ActionController::BadRequest, "User has no account.")
+      #
+      #  sign_in_and_redirect account, event: :authentication
+      #else
         super
-      end
+      #end
     rescue => error
       flash[:error] = t("errors.#{error.message}")
     end

config/initializers/omniauth.rb

@@ -1,27 +1,30 @@
-require 'omni_auth_provider'
+#require 'omni_auth_provider'
+#
+#Rails.application.config.middleware.use OmniAuth::Builder do
+#  if OmniAuthProvider.github.available?
+#    provider :github,
+#      OmniAuthProvider.github.app_id,
+#      OmniAuthProvider.github.app_secret,
+#      scope: 'user:email' # https://developer.github.com/v3/oauth/#scopes
+#  end
+#  if OmniAuthProvider.twitter.available?
+#    provider :twitter,
+#      OmniAuthProvider.twitter.app_id,
+#      OmniAuthProvider.twitter.app_secret
+#  end
+#  if OmniAuthProvider.google.available?
+#    provider :google_oauth2,
+#      OmniAuthProvider.google.app_id,
+#      OmniAuthProvider.google.app_secret,
+#      verify_iss: false # https://stackoverflow.com/a/45292982/2066546
+#  end
+#  if OmniAuthProvider.facebook.available?
+#    provider :facebook,
+#      OmniAuthProvider.facebook.app_id,
+#      OmniAuthProvider.facebook.app_secret,
+#      scope: 'email'
+#  end
+#end
 
-Rails.application.config.middleware.use OmniAuth::Builder do
-  if OmniAuthProvider.github.available?
-    provider :github,
-      OmniAuthProvider.github.app_id,
-      OmniAuthProvider.github.app_secret,
-      scope: 'user:email' # https://developer.github.com/v3/oauth/#scopes
-  end
-  if OmniAuthProvider.twitter.available?
-    provider :twitter,
-      OmniAuthProvider.twitter.app_id,
-      OmniAuthProvider.twitter.app_secret
-  end
-  if OmniAuthProvider.google.available?
-    provider :google_oauth2,
-      OmniAuthProvider.google.app_id,
-      OmniAuthProvider.google.app_secret,
-      verify_iss: false # https://stackoverflow.com/a/45292982/2066546
-  end
-  if OmniAuthProvider.facebook.available?
-    provider :facebook,
-      OmniAuthProvider.facebook.app_id,
-      OmniAuthProvider.facebook.app_secret,
-      scope: 'email'
-  end
-end
+# dropped support for omniauth due to
+# https://github.com/fiedl/your_platform/network/alert/demo_app/my_platform/Gemfile.lock/omniauth/open

demo_app/my_platform/Gemfile.lock

@@ -85,10 +85,6 @@ PATH
       neography
       net-ldap
       nokogiri (>= 1.8.1)
-      omniauth-facebook (~> 3.0.0)
-      omniauth-github
-      omniauth-google-oauth2
-      omniauth-twitter
       phony
       prawn (= 2.0.2)
       public_activity (~> 1.4.1)
@@ -341,7 +337,6 @@ GEM
     json (2.1.0)
     judge (3.0.0)
       rails (>= 5.0)
-    jwt (2.2.1)
     kgio (2.11.0)
     launchy (2.4.3)
       addressable (~> 2.3)
@@ -370,7 +365,6 @@ GEM
     mini_portile2 (2.4.0)
     minitest (5.11.3)
     multi_json (1.13.1)
-    multi_xml (0.6.0)
     multipart-post (2.1.1)
     mustermann (1.0.3)
     mysql2 (0.4.9)
@@ -387,33 +381,6 @@ GEM
     nokogiri (1.10.3)
       mini_portile2 (~> 2.4.0)
     oauth (0.5.4)
-    oauth2 (1.4.1)
-      faraday (>= 0.8, < 0.16.0)
-      jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 3)
-    omniauth (1.9.0)
-      hashie (>= 3.4.6, < 3.7.0)
-      rack (>= 1.6.2, < 3)
-    omniauth-facebook (3.0.0)
-      omniauth-oauth2 (~> 1.2)
-    omniauth-github (1.3.0)
-      omniauth (~> 1.5)
-      omniauth-oauth2 (>= 1.4.0, < 2.0)
-    omniauth-google-oauth2 (0.7.0)
-      jwt (>= 2.0)
-      omniauth (>= 1.1.1)
-      omniauth-oauth2 (>= 1.5)
-    omniauth-oauth (1.1.0)
-      oauth
-      omniauth (~> 1.0)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.9)
-    omniauth-twitter (1.4.0)
-      omniauth-oauth (~> 1.1)
-      rack
     orm_adapter (0.5.0)
     os (1.0.1)
     parallel (1.12.0)

lib/your_platform/engine.rb

@@ -26,10 +26,10 @@
 
 # Authentification
 require 'devise'
-require 'omniauth-github'
-require 'omniauth-twitter'
-require 'omniauth-google-oauth2'
-require 'omniauth-facebook'
+#require 'omniauth-github'
+#require 'omniauth-twitter'
+#require 'omniauth-google-oauth2'
+#require 'omniauth-facebook'
 require 'devise_masquerade'
 require 'gender_detector'
 require 'devise_token_auth'

your_platform.gemspec

@@ -71,10 +71,15 @@ Gem::Specification.new do |s|
 
   # Authentification
   s.add_dependency 'devise', '>= 3.5.4'                           # MIT License, CVE-2015-8314, https://gemnasium.com/fiedl/your_platform/alerts#advisory_329
-  s.add_dependency 'omniauth-github'
-  s.add_dependency 'omniauth-twitter'
-  s.add_dependency 'omniauth-google-oauth2'
-  s.add_dependency 'omniauth-facebook', '~> 3.0.0'
+  #s.add_dependency 'omniauth-github'
+  #s.add_dependency 'omniauth-twitter'
+  #s.add_dependency 'omniauth-google-oauth2'
+  #s.add_dependency 'omniauth-facebook', '~> 3.0.0'
+  # omniauth dropped due to CVE-2015-9284
+  # https://github.com/fiedl/your_platform/network/alert/demo_app/my_platform/Gemfile.lock/omniauth/open
+  # https://github.com/omniauth/omniauth/issues/960
+  # https://github.com/omniauth/omniauth/pull/809
+
   s.add_dependency 'devise_masquerade', '~> 0.5.3'
   s.add_dependency 'gender_detector'
   s.add_dependency 'devise_token_auth'