fix: Patch CSRF vulnerability with omniauth authorization

sman591 · sman591 · commit 80ec9471dc01 · 2019-06-03T19:45:36.000-04:00
Patches CVE-2015-9284 with https://github.com/cookpad/omniauth-rails_csrf_protection
diff --git a/Gemfile b/Gemfile
@@ -42,6 +42,7 @@ gem 'devise', '~> 4.2'
 gem 'omniauth-mlh', '~> 0.1'
 gem 'doorkeeper', '~> 5.0'
 gem 'devise-doorkeeper'
+gem 'omniauth-rails_csrf_protection'
 
 # User uploads
 gem "aws-sdk-s3", require: false
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -266,6 +266,9 @@ GEM
     omniauth-oauth2 (1.3.1)
       oauth2 (~> 1.0)
       omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.1)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     orm_adapter (0.5.0)
     popper_js (1.14.5)
     power_assert (1.1.4)
@@ -484,6 +487,7 @@ DEPENDENCIES
   mustache (~> 1.0)
   mysql2 (>= 0.4.4, < 0.6.0)
   omniauth-mlh (~> 0.1)
+  omniauth-rails_csrf_protection
   puma (~> 3.11)
   rails (~> 5.2.2)
   rails-controller-testing
diff --git a/app/views/application/_my_mlh_cta.html.haml b/app/views/application/_my_mlh_cta.html.haml
@@ -1,4 +1,4 @@
-%a.button.my-mlh-cta__button{href: user_mlh_omniauth_authorize_path}
+= link_to user_mlh_omniauth_authorize_path, class: 'button my-mlh-cta__button', method: :post do
   %span.my-mlh-cta__text Continue with
   %span.my-mlh-cta__image-wrapper
     = image_tag 'my-mlh.svg', alt: 'My MLH', class: 'my-mlh-cta__image'
diff --git a/vendor/cache/omniauth-rails_csrf_protection-0.1.1.gem b/vendor/cache/omniauth-rails_csrf_protection-0.1.1.gem

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-%a.button.my-mlh-cta__button{href: user_mlh_omniauth_authorize_path}`
	`1`	`+= link_to user_mlh_omniauth_authorize_path, class: 'button my-mlh-cta__button', method: :post do`
`2`	`2`	`%span.my-mlh-cta__text Continue with`
`3`	`3`	`%span.my-mlh-cta__image-wrapper`
`4`	`4`	`= image_tag 'my-mlh.svg', alt: 'My MLH', class: 'my-mlh-cta__image'`