"Resolving CVE 2015 9284" needs to be adapted for OmniAuth 2 #1031
Comments
Having the same issue.
@thatguysimon I've configured

```ruby
require 'test_helper'

# Make sure that https://nvd.nist.gov/vuln/detail/CVE-2015-9284 is mitigated
class Omniauth_CVE_2015_9284_Test < ActionDispatch::IntegrationTest
  test 'GET /auth/facebook' do
    get '/auth/facebook'
    assert_response :not_found
  end

  class PostTest < ActionDispatch::IntegrationTest
    setup do
      # Turn forgery protection on (it is off by default in the test environment)
      @allow_forgery_protection = ActionController::Base.allow_forgery_protection
      ActionController::Base.allow_forgery_protection = true
      @omni_auth_test_mode = OmniAuth.config.test_mode
      OmniAuth.config.test_mode = false
      # OmniAuth 2 hands failures to on_failure instead of raising, so make it raise
      @omni_auth_on_failure = OmniAuth.config.on_failure
      OmniAuth.config.on_failure = proc { raise "test auth failure!" }
    end

    test 'POST /auth/facebook without CSRF token' do
      # The on_failure proc above raises a RuntimeError; assert_raises takes the
      # expected exception class, not the message
      assert_raises(RuntimeError) do
        post '/auth/facebook'
      end
    end

    teardown do
      ActionController::Base.allow_forgery_protection = @allow_forgery_protection
      OmniAuth.config.test_mode = @omni_auth_test_mode
      OmniAuth.config.on_failure = @omni_auth_on_failure
    end
  end
end
```
Thanks, @sedubois! I added your example to the wiki page on that vulnerability:
Note: using Omniauth 2.1.0, the updated spec continues to pass even without the

@MothOnMars I observe the same, the test still passes when removing
Hi, when I updated omniauth in my project to 2.x, I found the same situation and dug into it to some degree. OmniAuth 2.x implements its own CSRF protection, but Rails does it another way. So you need to implement your own CSRF protection code or use omniauth-rails_csrf_protection (#1010). I updated the rspec snippet I posted before:

```ruby
describe 'CVE-2015-9284' do
  describe 'GET /auth/:provider' do
    it do
      # OmniAuth 2 only allows POST to the request path by default
      get '/auth/google_oauth2'
      expect(response).not_to have_http_status(:redirect)
    end
  end

  describe 'POST /auth/:provider without CSRF token' do
    before do
      @allow_forgery_protection = ActionController::Base.allow_forgery_protection
      ActionController::Base.allow_forgery_protection = true
    end

    after do
      ActionController::Base.allow_forgery_protection = @allow_forgery_protection
    end

    context 'with valid authenticity_token' do
      it do
        # Fetch a page to obtain a real token from the csrf-token meta tag
        get '/'
        csrf_token = Nokogiri::HTML(response.body).at('meta[name="csrf-token"]')['content']
        post '/auth/google_oauth2', params: { authenticity_token: csrf_token }
        expect(response).to redirect_to(%r{https://accounts.google.com/o/oauth2/auth\?.*})
      end
    end

    context 'without valid authenticity_token' do
      it do
        # The validation error is rescued by OmniAuth and routed to on_failure,
        # whose default endpoint redirects to /auth/failure
        post '/auth/google_oauth2'
        expect(response).to redirect_to(%r{/auth/failure\?.*})
      end
    end
  end
end
```
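The mechanism this thread hinges on, as an added illustration that is neither OmniAuth's code nor any commenter's: a stripped-down Ruby model of the OmniAuth 2 request phase showing why the CSRF exception no longer escapes to the test, and how a re-raising `on_failure` brings it back. `FailureConfig`, `CSRF_CHECK`, `build_env` and the sample env values are constructed stand-ins; only the `omniauth.error` env key names follow OmniAuth's own naming.

```ruby
class InvalidAuthenticityToken < StandardError; end # stand-in for the Rails error
# Stand-in for OmniAuth.config with only the settings this thread touches.
FailureConfig = Struct.new(:allowed_request_methods, :request_validation_phase, :on_failure)

# Modelled default failure handling: redirect to /auth/failure, never raise.
DEFAULT_ON_FAILURE = lambda do |env|
  [302, { 'Location' => "/auth/failure?message=#{env['omniauth.error.type']}" }, []]
end

# Modelled CSRF check in the spirit of omniauth-rails_csrf_protection:
# the submitted token must equal the one stored in the session.
CSRF_CHECK = lambda do |env|
  form = env['rack.request.form_hash'] || {}
  raise InvalidAuthenticityToken unless form['authenticity_token'] == env['rack.session'][:csrf_token]
end

def default_config
  FailureConfig.new([:post], CSRF_CHECK, DEFAULT_ON_FAILURE)
end

# The adaptation used in the thread: make on_failure re-raise the stored error
# so assert_raises (or expect { }.to raise_error) sees it again.
def raising_config
  cfg = default_config
  cfg.on_failure = ->(env) { raise env['omniauth.error'] }
  cfg
end
# Model of the request phase: a method outside allowed_request_methods is not handled
# by OmniAuth at all (the app's routing answers, here a 404); a failing validation is
# rescued and handed to on_failure instead of propagating to the caller.
def request_phase(env, config)
  method = env['REQUEST_METHOD'].downcase.to_sym
  return [404, {}, ['no route']] unless config.allowed_request_methods.include?(method)
  begin
    config.request_validation_phase&.call(env)
  rescue StandardError => e
    env['omniauth.error'] = e # same env keys OmniAuth itself sets
    env['omniauth.error.type'] = :request_validation_failed
    return config.on_failure.call(env)
  end
  [302, { 'Location' => 'https://provider.example/oauth2/auth' }, []]
end

# Constructed request env standing in for what an integration test sends.
def build_env(method, token: nil)
  env = { 'REQUEST_METHOD' => method, 'rack.session' => { csrf_token: 'good-token' } }
  env['rack.request.form_hash'] = { 'authenticity_token' => token } if token
  env
end
```

With `default_config`, a token-less POST yields a 302 to `/auth/failure` and nothing is raised, which is exactly what the issue author observed; with `raising_config` the same request raises `InvalidAuthenticityToken`, so either asserting on the redirect or re-raising from `on_failure` keeps the non-regression test meaningful.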
Configuration

omniauth-facebook 3.0.0
Rails 6.1.1
macOS

Expected Behavior

Back when using OmniAuth 1.9.1, I had written CVE-2015-9284 non-regression tests as instructed. One test asserts that `ActionController::InvalidAuthenticityToken` is raised when making a POST request without a CSRF token. I expected this test to continue passing after upgrading, or to find instructions in the release notes on how it should be adapted after upgrading to OmniAuth 2.

Actual Behavior

After upgrading to OmniAuth 2.0.1, this test fails as no exception is caught. However, the log shows that the exception was indeed raised:

To my understanding, the cause is that OmniAuth now catches the exception and sends it to its `OmniAuth.config.on_failure`. How should the test be adapted? Or is the new recommendation to just delete these tests?

Steps to Reproduce

Install omniauth 2.0.1, omniauth-rails_csrf_protection 1.0.0, copy and run the test linked from the Wiki (direct link).