
update to omniauth 2 #201

Merged
merged 8 commits into from
Dec 31, 2024

Conversation

jxjj
Contributor

@jxjj jxjj commented Dec 30, 2024

This mitigates CVE-2015-9284 by:

  • updating OmniAuth to version 2
  • only permitting POST requests to /auth/:provider endpoints
  • adding omniauth-rails_csrf_protection
  • migrating to omniauth-shibboleth-redux from toyokazu/omniauth-shibboleth (unmaintained). omniauth-shibboleth-redux is a fork maintained as part of omniauth.

The key change is that the /shortener/signin route now renders sessions.new.html.erb, an interstitial page that auto-submits a form with a CSRF token as a POST request to /auth/:provider.
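The request-phase guard the description above relies on, as an added stand-alone Ruby illustration (not the project's code and not omniauth-rails_csrf_protection's implementation); the `request_phase_guard`, `tokens_match?` and `build_interstitial` names and the hash-shaped request standing in for a Rack request are assumptions:

```ruby
# Added illustration (not the project's code, nor omniauth-rails_csrf_protection's
# implementation): a stand-alone model of the request-phase guard this PR relies on.
# Starting the OmniAuth flow at /auth/:provider is allowed only for a POST whose CSRF
# token matches the one the interstitial page bound to the user's session.
require "securerandom"

AUTH_PATH = %r{\A/auth/(?<provider>[\w-]+)\z}

# Constant-time comparison so a token mismatch cannot be probed through timing.
def tokens_match?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# `request` is a constructed hash with :method, :path and :params (an assumption, standing
# in for a Rack request); `session` holds the issued token. Returns [status, reason].
def request_phase_guard(request, session)
  match = AUTH_PATH.match(request[:path])
  return [404, "not an auth route"] unless match
  # CVE-2015-9284: a cross-site GET could start the flow, so only POST is accepted.
  return [405, "GET to /auth/#{match[:provider]} refused"] unless request[:method] == "POST"
  token = request[:params]["authenticity_token"]
  return [422, "missing or invalid CSRF token"] unless tokens_match?(token, session[:csrf_token])
  [302, "redirect to #{match[:provider]} identity provider"]
end

# What the interstitial sessions/new page does: mint a token, bind it to the session
# and emit a form that auto-submits it as a POST to /auth/:provider.
def build_interstitial(session, provider)
  raise ArgumentError, "bad provider name" unless provider.match?(/\A[\w-]+\z/)
  session[:csrf_token] = SecureRandom.base64(32)   # base64 is safe inside a quoted attribute
  <<~HTML
    <form id="auth" method="post" action="/auth/#{provider}">
      <input type="hidden" name="authenticity_token" value="#{session[:csrf_token]}">
    </form>
    <script>document.getElementById("auth").submit()</script>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  build_interstitial(session, "shibboleth")
  p request_phase_guard({ method: "GET", path: "/auth/shibboleth", params: {} }, session)
  p request_phase_guard({ method: "POST", path: "/auth/shibboleth",
                          params: { "authenticity_token" => session[:csrf_token] } }, session)
end
```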

jxjj added 8 commits December 30, 2024 15:19
thinking this is the easiest way to avoid changing routes or sign-in links
trying with removing the `-gnu`. Why did bundler add this?
This reverts commit 71961b1.
Deploy is giving some new error:
```
 looks like you're trying to use Nokogiri as a precompiled native gem on a system
       with an unsupported version of glibc.

  /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /swadm/web/z/shared/bundle/ruby/3.2.0/gems/nokogiri-1.18.1-x86_64-linux-gnu/lib/nokogiri/3.2/nokogiri.so) - /swadm/web/z/shared/bundle/ruby/3.2.0/gems/nokogiri-1.18.1-x86_64-linux-gnu/lib/nokogiri/3.2/nokogiri.so

  If that's the case, then please install Nokogiri via the `ruby` platform gem:
      gem install nokogiri --platform=ruby
  or:
      bundle config set force_ruby_platform true

  Please visit https://nokogiri.org/tutorials/installing_nokogiri.html for more help.
```

noticed there's a new `-gnu` on the nokogiri package:
`nokogiri (1.18.1-x86_64-linux-gnu)`. Maybe a bundle update

Maybe this? sparklemotion/nokogiri#3359
@jxjj jxjj requested a review from cmcfadden December 30, 2024 23:44
@jxjj jxjj self-assigned this Dec 30, 2024
@jxjj jxjj merged commit e56cf61 into develop Dec 31, 2024
2 checks passed
@jxjj jxjj deleted the feature/omniauth-mitigation branch December 31, 2024 15:13