Github warns security problem about Omniauth gem - ruby-on-rails

I am using gem omniauth and when I push my code to Github, it shows me a security warning because of the gem.
CVE-2015-9284
high severity
Vulnerable versions: <= 1.9.0
Patched version: No fix
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
However, it seems that I am using the latest version
Is there any possible fix, or should I skip this for now?

This was reported in omniauth/omniauth issue 960 and discussed in PR 809 "Protect request phase against CSRF when Rails is used. "
It includes:
So we have implemented the omniauth-rails_csrf_protection solution, but previously we had our 3rd party OAuth provider log people in after they had verified the registration and redirect them to our /auth/provider endpoint.
This would now require them POSTing to the endpoint with a CSRF token, which is not possible as they are on a separate platform/system.
Should the omniauth readme be updated to mention that anyone using omniauth with rails should also use omniauth-rails_csrf_protection?
See commit 0264706 as an example of using that setting.
gem "omniauth-rails_csrf_protection"
Or... coreinfrastructure/best-practices-badge PR 1298
I hate to bring in a third-party shim to fix a security issue, but upstream omniauth has still not fixed its vulnerability, and it's a CVE report from 4 years ago (2015).
The omniauth folks are still discussing how to fix it, and my patience has been exhausted.
I reviewed the shim code, and I don't see any issues. This is a vulnerability that allows account takeover, so I think ignoring it is extremely unwise. It's not trivial to exploit, but it's real.

Related

omniauth-twitter gem not redirecting to twitter

Hello i've run into a bit of a problem with the omniauth-twitter gem, i have followed the documentation to a t and when i go to localhost:3000/auth/twitter i get a no matching route error. I've googled this issue for hours to no avail, I've searched stack overflow to no avail, the only lead i managed to get was on issue on github which was answered with a link to a page which no longer exists all other "solutions" involved misconfiguring devise, which im not even using.
I literally only have the bare minimum code from the documentation that should at least redirect me to the twitter login.
Might this have something to do with the 3-legged oauth being enabled in my twitter app in the developer portal?
Has anyone else run into this issue?
I finally found the solution:
The issue originates with the new CSRF protections due to Omniauth vulnerabilities, to use omniauth with rails for twitter you must use the
omniauth-rails_csrf_protection gem by Cookpad

Getting email back from Twitter Oauth with Devise and Rails

I've set up a basic rails application to use twitter oauth gem and devise and have been able to log in a user. However, my problem is I've now got my app white-listed and I would like to get a user's email back in the response. I've followed all necessary steps on the twitter side (setting necessary permissions, URLS, and reset keys) and have tried passing both
include_email=true
and
include_email=email
as a params when I initiate the oauth sequence. I feel like I've read and re-read the docs and tried few edge cases I thought might work based off of very little I've found on-line.
Any help with this? Something I'm missing if you've done this before?
I solved my problem. The omniauth gem was not the latest version which would include email. In my gem file I needed to declare '~> 1.2.1' where I had version 1.2.0 - - the new version includes the following changes you can read about here: https://github.com/arunagw/omniauth-twitter/pull/96

Restforce Gem, Salesforce API retuning OAuth2::Error Missing_OAuth_Token

I've been attempting to get Ruby on Rails 4.1 to talk to our salesforce instance using the gem omniauth and gem restforce as per this instruction link here.
All seems to be going alright, I got things up and running, with a hyperlink that takes me to a salesforce login and seems to return to the callback correctly. However when it does i get the error:
OAuth2::Error
Missing_OAuth_Token
This leaves me really confused and mystified, my oauth token should surely be supplied by the callback?
I have my client_id and client_secret stored in the app and they appear to load in correctly. Adding my salesforce login and password through omniauth should provide all it needs right? I don't see anywhere else in the omniauth gem docs or restforce gem to stick an oauth token... and even then i'm not sure where i'd get it from.
I'd read that there had recently been some authentication failures with the gem omniauth and there is a current issue request to put out a new version. If I specify my gem to pull directly from the github. I get a similar bit distinct error that I have posted about here.
Could anyone give any advice on:
Where I should expect the missing Auth_Token to come from (I really can't work out if I'm supposed to be providing it in my app or if that's what comes back from salesforce
How would be best to go about debugging this? (i'd thought about using debugger but as it pings to code outside of my rails app i'm unsure how much help this would be.
What the correct way would be to go about setting this up properly!
Any help would be greatly appreciated!
This was actually a bug in the omniauth-salesforce gem - https://github.com/realdoug/omniauth-salesforce/pull/13.
There was a minor change to the way the Salesforce API worked which was resolved in the above pull request. You must have upgraded your gem which solved the problem.

Is there any running example code for Google login with authlogic

PS:- please dont say use this devise, omniauth or any other plugin/gem you know.
I am looking for some example code for google login using authlogic for ruby on rails 3.
Here is what i have tried/checked:-
authlogic-google-account-oauth --- This is sample code for twitter, not google (One of the top rated google result. )
http://www.manu-j.com/blog/add-google-oauth-ruby-on-rails-sites/214/ --> generating keys for google login? There was nothing like this while implementing facebook / twitter or linkedin login. All I need is secret key and application id from the respective sites.
Tons of links on stackoverflow, No-one is giving the solution just recommending other gems/ outdated blog posts like
Ruby on Rails: Best way to add Facebook login, Twitter login, OpenID login, etc
Configuring authlogic-oauth with google and many more.
Anybody knows any running example/ sample code for google login with authlogic in rail 3
EDIT
Have you noticed these warnings, this is from your code. The code you provided is running on my local machine:--
Attempting discovery to verify endpoint
Performing discovery on https://www.google.com/accounts /o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk
WARNING: making https request to https://www.google.com/accounts/o8/id?id=AItOawlFBZciVpNUBSlYbz0wHzTgmJWu9PpCvyk without verifying server certificate; no CA path was specified.
Using 'check_authentication' with https://www.google.com/accounts/o8/ud
WARNING: making https request to https://www.google.com/accounts/o8/ud without verifying server certificate; no CA path was specified.
You inspired me to hack away at this.
This blog basically worked for me http://blog.sethladd.com/2010/09/ruby-rails-openid-and-google.html
My code is extra ugly though, because it wasn't the first one I tried.
Other resources:
Ruby open_id_authentication with Google OpenID
http://toddsedano.blogspot.com/search?updated-max=2010-05-29T11%3A59%3A00-07%3A00&max-results=7
http://railscasts.com/episodes/170-openid-with-authlogic
Anywho, the rough code that is working for me is here:
https://github.com/softwaregravy/google_authlogic
and here is the running code
It's still very much a prototype. Hope it helps.

GitHub OAuth using Devise + OmniAuth

I've got an application at http://github.com/rails3book/ticketee that contains an OAuth portion provided by Devise. The configuration is at config/initializers/devise.rb. I have got this working with Twitter but always get this "invalid credentials" message back from GitHub.
I cannot see what I am doing differently between Twitter and GitHub. To my knowledge, this should Just Work(tm).
This is actually because GitHub's OAuth2 support doesn't mesh with the current draft of the OAuth2 specification. Basically, they want a parameter called "access_token" but the oauth2 gem's latest version (0.3.0 as of this writing) passes this through as "oauth_token", as the latest version of the draft requires.
This basically works with every other provider except GitHub because they haven't yet updated their support for this alternatively named parameter.
Did you register your application with Github? Do you provide the correct keys? I have a similar authentication here, without Devise, however, configuration (in development.rb) should be nearly the same: http://github.com/markusproske/omniauth_pure
Edit: you need different registrations for development and production due to the callback route.

Resources