
Resolve CVE-2015-9284 vulnerability #221

Merged: 1 commit into master, Sep 5, 2019

Conversation

switzersc-usds (Contributor)

Why

We need to make sure that we're mitigating the Cross Site Scripting
Forgery vulnerability by using a POST method to initiate the Omniauth
flow. For more info:

https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
omniauth/omniauth#809

What Changed

  • Add a gem that enforces using POST only with OAuth initiation requests
  • Change out GitHub link to use the POST method

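As an added example (not code from this PR, the repository, or OmniAuth itself), a self-contained Ruby model of the check the two bullets above describe: a request to the OmniAuth initiation path is only accepted when it arrives via POST and carries the session's CSRF token, which is what moving the GitHub link to a POST form gives you. All names (`request_phase_allowed?`, the request hash layout) and the sample requests are constructed for this illustration.

```ruby
require "securerandom"

# Hypothetical model of the OmniAuth request phase, i.e. the URL that starts
# the OAuth dance (/auth/:provider). The callback (/auth/:provider/callback)
# is deliberately not matched: it is not the initiation request.
AUTH_PATH = %r{\A/auth/(?<provider>[a-z0-9_]+)\z}

# Per-session CSRF token, the kind Rails embeds in forms and button_to.
def new_csrf_token
  SecureRandom.hex(32)
end

# Constant-time comparison so a token check does not leak timing information.
def tokens_match?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request may start the OmniAuth flow.
# request is a constructed hash: { method:, path:, params:, session: }.
def request_phase_allowed?(request)
  return true unless request[:path].match?(AUTH_PATH)  # not an initiation request
  # CVE-2015-9284: a GET initiation can be triggered from any site by a link
  # or image tag, so only POST (from a CSRF-protected form) is accepted.
  return false unless request[:method] == "POST"
  tokens_match?(request.dig(:params, "authenticity_token"),
                request.dig(:session, :csrf_token))
end

# Constructed sample requests.
def example_session
  { csrf_token: new_csrf_token }
end

# What the old `link_to "Sign in with GitHub", "/auth/github"` produced.
def forged_get(session)
  { method: "GET", path: "/auth/github", params: {}, session: session }
end

# What `button_to "Sign in with GitHub", "/auth/github", method: :post` produces.
def legitimate_post(session)
  { method: "POST", path: "/auth/github",
    params: { "authenticity_token" => session[:csrf_token] }, session: session }
end

# A POST whose token does not belong to this session.
def post_without_valid_token(session)
  { method: "POST", path: "/auth/github",
    params: { "authenticity_token" => "not-this-session" }, session: session }
end
```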
@switzersc-usds (Contributor, Author)

While this mitigates the risk, it unfortunately doesn't get rid of GitHub's warning.

@nickrobison-usds (Contributor)

I was just going to ask!

@nickrobison-usds (Contributor)

Ok, I was able to dismiss the security warning via the 'fix has already been started' option. Not sure that's the best approach, but should work for now. I agree, we need better automated checking on PRs.

@switzersc-usds switzersc-usds merged commit f755e71 into master Sep 5, 2019
@switzersc-usds switzersc-usds deleted the shelby/github-oauth branch September 5, 2019 14:56
SMLuthi pushed a commit that referenced this pull request Jun 5, 2020