I am using the omniauth gem, and when I push my code to Github it shows me a security warning because of that gem:
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems I am already using the latest version.
Is there any possible fix, or should I just skip this for now?
Best answer
This was reported in omniauth/omniauth issue 960 and discussed in PR 809, "Protect request phase against CSRF when Rails is used." From that discussion:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint. This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system. Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setup:
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298:
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.
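To make the shim's effect concrete, here is an added, self-contained Ruby model of the request-phase guard (it is not the omniauth gem's or omniauth-rails_csrf_protection's code; the function names, session layout and sample requests are constructed for this illustration). The vulnerable behaviour is that a plain GET to /auth/:provider starts the OAuth flow in whatever session the browser sends, so a cross-site link or image tag can start it for a logged-in victim; the protected version accepts only a POST that carries the session's CSRF token, which is why sign-in links have to become POST forms.

```ruby
require "securerandom"

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Each session gets a random CSRF token, the way Rails stores one per session.
def new_session
  { csrf_token: SecureRandom.hex(32) }
end

# Before the fix: any request method, no token check, the OAuth flow starts.
def vulnerable_request_phase(method:, **_ignored)
  :start_oauth_flow
end

# With the protection: only POST, and only when the submitted token matches
# the session's token (this is the check the shim adds to the request phase).
def protected_request_phase(method:, session:, params:)
  return :rejected_method unless method == "POST"
  token = params["authenticity_token"].to_s
  return :rejected_token unless secure_compare(token, session[:csrf_token])
  :start_oauth_flow
end

# Constructed scenario: a cross-site GET (what a hidden link or image tag would
# send with the victim's cookies), a POST with a guessed token, and a legitimate
# POST from an in-app form that includes the real token.
def demo
  session = new_session
  cross_site_get = { method: "GET", session: session, params: {} }
  forged_post = { method: "POST", session: session,
                  params: { "authenticity_token" => "guess" } }
  legit_post = { method: "POST", session: session,
                 params: { "authenticity_token" => session[:csrf_token] } }
  {
    before: vulnerable_request_phase(**cross_site_get),     # flow starts: vulnerable
    after_get: protected_request_phase(**cross_site_get),   # :rejected_method
    after_forged: protected_request_phase(**forged_post),   # :rejected_token
    after_legit: protected_request_phase(**legit_post)      # :start_oauth_flow
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```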
Regarding "ruby-on-rails - Github warning about a security issue with the Omniauth gem", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56712510/