bikeindex / bike_index

All the code for Bike Index, because we love you
https://bikeindex.org
GNU Affero General Public License v3.0

BIB-31: Updates omniauth to fix security vulnerabilities #2554

Closed torresga closed 4 months ago

torresga commented 4 months ago

This PR updates omniauth to fix the following security vulnerabilities in the current version:

Name: omniauth
Version: 1.9.1
CVE: CVE-2020-36599
GHSA: GHSA-pm55-qfxr-h247
Criticality: Critical
URL: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
Title: OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Solution: upgrade to '~> 1.9.2', '>= 2.0.0'

Name: omniauth
Version: 1.9.1
CVE: CVE-2015-9284
GHSA: GHSA-ww4x-rwq6-qpgf
Criticality: High
URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Title: CSRF vulnerability in OmniAuth's request phase
Solution: upgrade to '>= 2.0.0'

QA Notes:

  1. Run bin/parallel_rspec to ensure there are no spec failures related to the update.
  2. Install bundler-audit if it's not already installed: gem install bundler-audit.
  3. Run bundler-audit and ensure that omniauth is not included in the list of vulnerabilities.
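An added example, not code from the Bike Index project or from this PR: a small Ruby script that automates the spirit of QA note 3 by parsing bundler-audit-style advisory records like the two quoted above and reporting which CVEs a candidate omniauth version would still be affected by. The advisory text is constructed from the PR description, and the function names are assumptions of this example.

```ruby
require "rubygems" # for Gem::Version and Gem::Requirement (normally preloaded)

# Constructed sample: the two advisories quoted in this PR, trimmed to the
# fields the check needs, in bundler-audit's "Key: value" layout.
ADVISORIES_TEXT = <<~TXT
  Name: omniauth
  CVE: CVE-2020-36599
  Title: OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
  Solution: upgrade to '~> 1.9.2', '>= 2.0.0'

  Name: omniauth
  CVE: CVE-2015-9284
  Title: CSRF vulnerability in OmniAuth's request phase
  Solution: upgrade to '>= 2.0.0'
TXT

# Split the report into blank-line-separated records and turn each record
# into a hash of its "Key: value" lines (split on the first colon only, so
# titles and URLs containing colons survive intact).
def parse_advisories(text)
  text.split(/\n\s*\n/).map do |block|
    block.each_line.with_object({}) do |line, rec|
      key, value = line.split(":", 2)
      rec[key.strip] = value.strip if value
    end
  end.reject(&:empty?)
end

# "upgrade to '~> 1.9.2', '>= 2.0.0'" -> [Gem::Requirement, ...]
# bundler-audit lists alternatives: satisfying ANY one of them means patched.
def patched_requirements(solution)
  solution.scan(/'([^']+)'/).flatten.map { |req| Gem::Requirement.new(req) }
end

# Returns the CVE ids that the candidate version would still be exposed to.
# An empty array means the upgrade target clears every advisory in the list.
def unfixed_cves(advisories, candidate)
  version = Gem::Version.new(candidate)
  advisories.reject do |adv|
    patched_requirements(adv["Solution"]).any? { |req| req.satisfied_by?(version) }
  end.map { |adv| adv["CVE"] }
end

if __FILE__ == $PROGRAM_NAME
  advisories = parse_advisories(ADVISORIES_TEXT)
  %w[1.9.1 1.9.2 2.1.2].each do |v|
    puts "omniauth #{v}: still affected by #{unfixed_cves(advisories, v).inspect}"
  end
end
```

Note that 1.9.2 only clears the first advisory; the second requires 2.0.0 or later, which is the major-version bump that changes the request phase.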

sethherr commented 4 months ago

Note: Currently Bike Index doesn't have any OAuth integrations (since Twitter broke their API).

Previously there were OAuth integrations, and I would like to add OAuth integrations into something that is Twitter-like, and I think that this update will require some changes to our application code (see Resolving CVE-2015-9284).