Protect request phase against CSRF.

[DouweM]

See omniauth/omniauth#809 for background.

There's a lot of duplication between this and Rails's request_forgery_protection.rb, but I don't see a way around that right now as Rails doesn't expose the RequestForgeryProtection functionality in any way that doesn't depend on the controller context.

Implementations of RequestForgeryProtection are included for Rails 3.2, 4.0, 4.1 and 4.2. I've only had time to test with Rails 4.1 yet.

cc @sferik @tenderlove @rafaelfranca @josevalim @carlosantoniodasilva

[sferik]

This looks good. My only remaining concern is the lack of tests. How can we be confident that this actually fixes what it’s supposed to?

[DouweM]

How can we be confident that this actually fixes what it’s supposed to?

We can't, I agree we should have tests. request_forgery_protection_test.rb may come in useful.

I'll see if I can fit it into my schedule today or tomorrow, but unfortunately I have very little time this week.

[sferik]

@DouweM Ping. Any luck writing some tests for this? I was hoping to release it today. I fly to Kiev tomorrow for RubyC, so if it doesn’t happen today, it may have to wait until June 1st or 2nd.

[DouweM]

@sferik Unfortunately not. I've got an exam on Monday, and I don't think my professor will find the fact that I'd rather be working on getting a vulnerability patch out of the door a good enough reason to postpone it. I won't have time to look into tests until June 2nd.

[sferik]

No problem. Good luck on your exam. 🍀

[reedloden]

Any update on this? As far as I know, this is still vulnerable.

[DouweM]

@reedloden No update, I had it on my todo list for a little while last year, but other stuff kept pushing it down, so I ended up removing it and forgetting about it entirely...

[reedloden]

@DouweM, what do you need in order to move this forward?

[sdogruyol]

The original issue (omniauth/omniauth#809) is now assigned as CVE-2015-9284, thanks to @reedloden.

@DouweM do you have any plans of moving this forward? If not I'd be happy to hear about other alternatives.

[DouweM]

@reedloden @sdogruyol I'm afraid I won't be able to move this forward; apologies for dropping the ball on this then and now.

The code in here is now pretty outdated, and we'd probably be better off with a solution that uses Rails's public interface instead of copy-pasting a bunch of Rails internals that may change from version to version, so I've closed this PR in the hope someone will create a new one we can actually move forward with.

[LucasArruda]

@sdogruyol @DouweM I'm happy to help to try fix this. I just don't know how to start but maybe we can work together or offer a clue?

[alexventuraio]

Is there any progress to test this gem to fix the vulnerability? 🤔

[bonsohi]

Same here. Awaiting the fix - sooner than later! 😄

[alexventuraio]

Does anyone have any idea of the progress for this fix?
Or anybody else that had found a way to make it work in a Rails 5/6 app?