From 13b07b88f1aa79c31291473362ac77b31602c374 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Sat, 28 Nov 2020 05:17:53 +0100
Subject: [PATCH] Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)
---
 Gemfile | 1 +
 Gemfile.lock | 4 ++++
 app/views/auth/sessions/new.html.haml | 3 +--
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Gemfile b/Gemfile
index 950bc59bb..63becb7cc 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,6 +44,7 @@ gem 'net-ldap', '~> 0.16'
 gem 'omniauth-cas', '~> 2.0'
 gem 'omniauth-saml', '~> 1.10'
 gem 'omniauth', '~> 1.9'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'color_diff', '~> 0.1'
 gem 'discard', '~> 1.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index b8134a985..f7192d084 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -375,6 +375,9 @@ GEM
 addressable (~> 2.3)
 nokogiri (~> 1.5)
 omniauth (~> 1.2)
+ omniauth-rails_csrf_protection (0.1.2)
+ actionpack (>= 4.2)
+ omniauth (>= 1.3.1)
 omniauth-saml (1.10.3)
 omniauth (~> 1.3, >= 1.3.2)
 ruby-saml (~> 1.9)
@@ -741,6 +744,7 @@ DEPENDENCIES
 oj (~> 3.10)
 omniauth (~> 1.9)
 omniauth-cas (~> 2.0)
+ omniauth-rails_csrf_protection (~> 0.1)
 omniauth-saml (~> 1.10)
 ox (~> 2.13)
 paperclip (~> 6.0)
diff --git a/app/views/auth/sessions/new.html.haml b/app/views/auth/sessions/new.html.haml
index ceb169408..9713bdaeb 100644
--- a/app/views/auth/sessions/new.html.haml
+++ b/app/views/auth/sessions/new.html.haml
@@ -22,7 +22,6 @@
 .actions
 - resource_class.omniauth_providers.each do |provider|
- = link_to omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}" do
- = t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize)
+ = link_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}", method: :post
 .form-footer= render 'auth/shared/links'
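Review bot: The added `link_to ... method: :post` line in the new.html.haml hunk only produces a POST when rails-ujs is loaded and JavaScript is enabled; otherwise the anchor degrades to a plain GET to `omniauth_authorize_path`, so the CSRF fix is only as strong as the server's handling of GET on that route. A `button_to` renders a real `<form method="post">` carrying the authenticity token with no script dependency, e.g. `= button_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}"` (it wraps the button in a form, so the `.actions` CSS may need a small adjustment). Separately, the diff adds the omniauth-rails_csrf_protection gem but touches no initializer; as far as I recall, on omniauth 1.9 the request phase still accepts GET unless `OmniAuth.config.allowed_request_methods = [:post]` is set, and the gem's token verification is skipped for GET like any Rails forgery check, so it is worth confirming that setting exists elsewhere in the app. The haml indentation is lost in this rendering, and the `.actions` block this hunk edits continues outside the hunk.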