I am using gem omniauth
and when I push my code to Github, it shows me a security warning because of the gem.
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems that I am using the latest version.
Is there any possible fix, or should I skip this for now?
This was reported in omniauth/omniauth issue 960 and discussed in PR 809 "Protect request phase against CSRF when Rails is used."
It includes:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint.
This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system. Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setting.
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.
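To make concrete what the shim enforces, here is an added, dependency-free model of the request-phase check; it is illustration code written for this answer, not code from OmniAuth, from omniauth-rails_csrf_protection, or from the best-practices-badge project. It assumes an invented `RequestPhaseGuard` module and session key, and uses Rails' usual `authenticity_token` parameter name. The four constructed requests show why the cross-site GET behind CVE-2015-9284 is refused, why a cross-site POST still fails (the attacker cannot read the victim's session token), and why the provider-side GET redirect described in the quoted issue also stops working once the protection is on.

```ruby
require "securerandom"

# Hypothetical model of the guard the shim puts in front of /auth/:provider.
# The real gem hooks OmniAuth's request phase and runs Rails' own forgery
# check; this module only reproduces the decision it makes.
module RequestPhaseGuard
  SESSION_KEY = "_csrf_token"          # invented session key for the model
  PARAM_NAME  = "authenticity_token"   # Rails' form field / request param name

  # Issue (or reuse) the per-session token that Rails embeds in its forms.
  def self.token_for(session)
    session[SESSION_KEY] ||= SecureRandom.base64(32)
  end

  # Decide whether a request may start the OAuth request phase.
  # request is a Hash: { method: "GET"|"POST", params: {...}, session: {...} }
  # Returns [:allowed] or [:rejected, reason].
  def self.check(request)
    method = request[:method].to_s.upcase
    return [:rejected, "request phase only accepts POST"] unless method == "POST"

    expected = request[:session][SESSION_KEY]
    return [:rejected, "no token in session"] if expected.nil?

    presented = request[:params][PARAM_NAME]
    return [:rejected, "missing authenticity_token"] if presented.nil?
    return [:rejected, "authenticity_token mismatch"] unless secure_compare(expected, presented)

    [:allowed]
  end

  # Constant-time comparison so a mismatch does not leak which byte differed.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample requests against one logged-in victim session.
def demo
  session = {}
  token = RequestPhaseGuard.token_for(session)
  {
    # Before the shim, a plain GET (an <img>, a link, a redirect from another
    # site) started the request phase with the victim's cookies attached.
    cross_site_get: RequestPhaseGuard.check(method: "GET", params: {}, session: session),
    # A cross-site POST carries the cookies but not a token the attacker can read.
    post_wrong_token: RequestPhaseGuard.check(
      method: "POST",
      params: { "authenticity_token" => "x" * token.bytesize },
      session: session
    ),
    # The scenario from the quoted issue: the OAuth provider redirecting the
    # browser to /auth/provider is a GET, so it is now refused too; the app
    # needs a landing page with a POST button instead.
    provider_redirect_get: RequestPhaseGuard.check(method: "GET", params: { "state" => "abc" }, session: session),
    # A button_to/form rendered by the app itself carries the right token.
    legit_post: RequestPhaseGuard.check(
      method: "POST",
      params: { "authenticity_token" => token },
      session: session
    )
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

In a Rails app the practical consequences are the same as in the model: every "Sign in with ..." control that was a `link_to "/auth/provider"` has to become a `button_to` (a POST form that Rails fills with the authenticity token), and any flow that relied on a third party sending the browser to `/auth/provider` by GET needs an intermediate page in your own app where the user presses that button.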