omniauth / omniauth-okta

OAuth2 strategy for Okta
MIT License

CVE-2015-9284 #11

Closed zhengxiangyue closed 2 years ago

zhengxiangyue commented 4 years ago

Hi team. Getting warning from 'bundle audit':

Name: omniauth
Version: 1.9.0
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/809
Title: CSRF vulnerability in OmniAuth's request phase
Solution: remove or disable this gem until a patch is available!

Not sure if you have noticed this vulnerability (URL: https://github.com/omniauth/omniauth/pull/809) in omniauth, but I barely have any idea what's going on. :) There seems to be a fix/patch which converts GET to POST

link_to('Sign In with Okta', admin_user_okta_omniauth_authorize_path, class: "btn btn-success btn-block")

to

link_to('Sign In with Okta', admin_user_okta_omniauth_authorize_path, class: "btn btn-success btn-block", method: :post)

along with some other changes.

But apparently this doesn't work for Okta. Hope someone could help and explain if this is something that needs to be fixed and how I can fix it. Thanks.
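The GET-to-POST change in the post above is the core of the CVE-2015-9284 mitigation: the OmniAuth request phase should only start from a same-site POST that carries a CSRF token. The Rack-style guard below is an added example (not code from omniauth, omniauth-okta or the linked PR); the class name, the `/auth/:provider` path pattern and the `authenticity_token` parameter name are assumptions for illustration.

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Rack-style guard for the OmniAuth request phase (/auth/:provider). Mitigation
# for CVE-2015-9284: the flow may only start from a POST that carries a CSRF
# token bound to the session, so a cross-site GET cannot initiate it.
# Class, path prefix and param name are assumptions, not the gem's own API.
class RequestPhaseCsrfGuard
  REQUEST_PHASE = %r{\A/auth/[^/]+\z} # /auth/okta matches; /auth/okta/callback does not
  TOKEN_PARAM   = 'authenticity_token'

  def initialize(app)
    @app = app
  end

  # Mint (or reuse) the session's token; the sign-in form embeds it as a hidden field.
  def self.token_for(session)
    session['csrf_token'] ||= SecureRandom.hex(32)
  end

  # Build a minimal Rack env for local experiments (constructed test input).
  def self.build_env(method, path, session, body = '')
    { 'REQUEST_METHOD' => method, 'PATH_INFO' => path,
      'rack.session' => session, 'rack.input' => StringIO.new(body) }
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'] =~ REQUEST_PHASE
    # A GET can be triggered by a cross-site link or <img>: refuse it outright.
    unless env['REQUEST_METHOD'] == 'POST'
      return [405, { 'Content-Type' => 'text/plain' }, ['request phase requires POST']]
    end
    session  = env['rack.session'] || {}
    params   = URI.decode_www_form(env['rack.input'].read).to_h
    expected = session['csrf_token']
    given    = params[TOKEN_PARAM]
    unless expected && given && secure_compare(expected, given)
      return [403, { 'Content-Type' => 'text/plain' }, ['invalid CSRF token']]
    end
    @app.call(env)
  end

  private

  # Constant-time comparison so a token guess leaks nothing through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Wire it in front of the OmniAuth middleware and render the sign-in link as a POST form (as with `method: :post`) that includes `token_for(session)` as a hidden field; callback requests are untouched because they do not match the request-phase pattern.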

gbxl commented 3 years ago

https://github.com/dandrews/omniauth-okta/pull/16 should address that

amichal commented 3 years ago

See also https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284