CVE-2015-9284 mitigation

- Update tests - Update method to post for login
archivesunleashed · May 30, 2019 · 0e7d04854d5efcb947c291eeeb599ed7880b8d44 · 0e7d048
1 parent fd87ec1
commit 0e7d04854d5efcb947c291eeeb599ed7880b8d44
Unified Split

Showing with 9 additions and 4 deletions.

+1 −0 Gemfile

+4 −0 Gemfile.lock

+2 −2 app/views/layouts/_navigation.html.erb

+2 −2 test/controllers/sessions_controller_test.rb
diff --git a/Gemfile b/Gemfile
@@ -77,6 +77,7 @@ gem 'kaminari'
 gem 'logstash-logger'
 gem 'loofah', '>= 2.2.3' # https://nvd.nist.gov/vuln/detail/CVE-2018-16468
 gem 'omniauth-github'
+  
+gem 'omniauth-rails_csrf_protection'
 gem 'omniauth-twitter'
 gem 'os'
 gem 'parallel'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -184,6 +184,9 @@ GEM
    omniauth-oauth2 (1.5.0)
      oauth2 (~> 1.1)
      omniauth (~> 1.2)
+  
+    omniauth-rails_csrf_protection (0.1.0)
+  
+      actionpack (>= 5.1.0)
+  
+      omniauth (>= 1.3.1)
    omniauth-twitter (1.4.0)
      omniauth-oauth (~> 1.1)
      rack
@@ -338,6 +341,7 @@ DEPENDENCIES
  logstash-logger
  loofah (>= 2.2.3)
  omniauth-github
+  
+  omniauth-rails_csrf_protection
  omniauth-twitter
  os
  parallel

diff --git a/app/views/layouts/_navigation.html.erb b/app/views/layouts/_navigation.html.erb
@@ -18,8 +18,8 @@
      <%= link_to '<i class="fa fa-sign-out fa-2x align-middle" style="color: white;"></i>'.html_safe, logout_path, method: :delete, title: 'Logout' %>
    <% else %>
      <span style="font-size: large; color: white; padding-right: 5px;">Sign in with: </span>
-  
-      <%= link_to '<i class="fa fa-twitter fa-2x align-middle" style="color: white; padding-right: 10px;"></i>'.html_safe, "/auth/twitter", title: 'Login with Twitter' %>
-  
-      <%= link_to '<i class="fa fa-github fa-2x align-middle" style="color: white;"></i>'.html_safe, "/auth/github", title: 'Login with GitHub' %>
+  
+      <%= link_to '<i class="fa fa-twitter fa-2x align-middle" style="color: white; padding-right: 10px;"></i>'.html_safe, "/auth/twitter", title: 'Login with Twitter', method: :post %>
+  
+      <%= link_to '<i class="fa fa-github fa-2x align-middle" style="color: white;"></i>'.html_safe, "/auth/github", title: 'Login with GitHub', method: :post %>
    <% end %>
    <button class="navbar-toggler custom-toggler align-middle" type="button" data-toggle="collapse" data-target="#aboutpage" aria-controls="navbarToggleExternalContent" aria-expanded="false" aria-label="Toggle navigation">
      <span class="navbar-toggler-icon align-middle"></span>

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
@@ -15,7 +15,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
    get root_path
    assert_response :success
    assert_select 'span', 'Sign in with:'
-  
-    get '/auth/twitter'
+  
+    post '/auth/twitter'
    twitter_sign_in
    assert_response :redirect
  end
@@ -24,7 +24,7 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
    get root_path
    assert_response :success
    assert_select 'span', 'Sign in with:'
-  
-    get '/auth/github'
+  
+    post '/auth/github'
    github_sign_in
    assert_response :redirect
  end