fix CVE-2015-9284 security alert (#975)

* fix security alert Résolution en suivant les points https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 ajout du test proposé omniauth/omniauth#809 (comment) * ajoute une page pour la connexion github en post
betagouv · Nov 26, 2020 · e919007 · e919007
1 parent 39ca85f
commit e919007
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -88,6 +88,8 @@ gem "jbuilder", "~> 2.5"
 gem "bootsnap", ">= 1.1.0", require: false
 gem "spreadsheet"
 
+gem "omniauth-rails_csrf_protection", "~> 0.1"
+
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console
   gem "byebug", platforms: [:mri, :mingw, :x64_mingw]

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -307,6 +307,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     orm_adapter (0.5.0)
     paper_trail (10.3.1)
       activerecord (>= 4.2)
@@ -553,6 +556,7 @@ DEPENDENCIES
   meta_request (~> 0.7)
   montrose (~> 0.11.2)
   omniauth-github (~> 1.4)
+  omniauth-rails_csrf_protection (~> 0.1)
   paper_trail
   parallel_tests
   pg (>= 0.18, < 2.0)

diff --git a/app/controllers/welcome_controller.rb b/app/controllers/welcome_controller.rb
@@ -57,6 +57,8 @@ def set_lieu_variables
     @geo_search = Users::GeoSearch.new(departement: @departement, city_code: @city_code, street_ban_id: @street_ban_id)
   end
 
+  def super_admin; end
+
   private
 
   def search_params

diff --git a/app/views/welcome/super_admin.html.slim b/app/views/welcome/super_admin.html.slim
@@ -0,0 +1,4 @@
+.row.mt-3.justify-content-center
+  .col-md-6
+    div.mb-3
+      = link_to 'connexion super admin via github', super_admin_github_omniauth_authorize_path, method: :post
diff --git a/config/routes.rb b/config/routes.rb
@@ -2,6 +2,8 @@
   ## ADMIN ##
   devise_for :super_admins, controllers: { omniauth_callbacks: "super_admins/omniauth_callbacks" }
 
+  get "connexion_super_admins", to: "welcome#super_admin"
+
   delete "super_admins/sign_out" => "super_admins/sessions#destroy"
 
   namespace :super_admins do

diff --git a/spec/requests/cve_2015_9284_spec.rb b/spec/requests/cve_2015_9284_spec.rb
@@ -0,0 +1,26 @@
+# Make sure that https://nvd.nist.gov/vuln/detail/CVE-2015-9284 is mitigated
+RSpec.describe "CVE-2015-9284", type: :request do
+  describe "GET /auth/:provider" do
+    it do
+      get "/omniauth/github"
+      expect(response).not_to have_http_status(:redirect)
+    end
+  end
+
+  describe "POST /auth/:provider without CSRF token" do
+    before do
+      @allow_forgery_protection = ActionController::Base.allow_forgery_protection
+      ActionController::Base.allow_forgery_protection = true
+    end
+
+    it do
+      expect do
+        post super_admins_agents_path
+      end.to raise_error(ActionController::InvalidAuthenticityToken)
+    end
+
+    after do
+      ActionController::Base.allow_forgery_protection = @allow_forgery_protection
+    end
+  end
+end
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,8 @@ def set_lieu_variables @@
         @geo_search = Users::GeoSearch.new(departement: @departement, city_code: @city_code, street_ban_id: @street_ban_id)
       end
+      def super_admin; end
       private
       def search_params
@@ Expand Down @@