cookpad/omniauth-rails_csrf_protection

CVE-2015-9284 Mitigation spec failing

fabioxgn opened this issue · 2 comments

I have this spec in my application, which was added to check for the security flaw mitigation. Now, after updating this gem and omniauth to 2.0.1, this spec started to fail with: expected ActionController::InvalidAuthenticityToken but nothing was raised

    # Request spec: with forgery protection forced on, a POST to the OmniAuth
    # request path without an authenticity token is expected to be rejected.
    describe "POST /auth/:provider without CSRF token" do
      before do
        @allow_forgery_protection = ActionController::Base.allow_forgery_protection
        ActionController::Base.allow_forgery_protection = true
      end

      after do
        ActionController::Base.allow_forgery_protection = @allow_forgery_protection
      end

      it do
        expect do
          post "/auth/google_oauth2"
        end.to raise_error(ActionController::InvalidAuthenticityToken)
      end
    end

I understood from the release notes that the gem still verifies the CSRF token, so why is this test failing now?
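The following is an added, stand-alone model of what the request phase does with a missing CSRF token; it is not code from omniauth-rails_csrf_protection or from OmniAuth. It reflects my reading of OmniAuth 2.x: the request validation phase still raises on a bad token, but the strategy rescues that error and routes it through `fail!`, which only re-raises in the environments listed in `failure_raise_out_environments` (default `['development']`) and otherwise redirects to the failure endpoint. The class and method names, the env hash layout and the exact failure URL are assumptions for illustration.

```ruby
# Added example, not OmniAuth's own code: a minimal model of the OmniAuth 2.x
# request phase, showing why a POST without a CSRF token no longer raises in
# the test environment but is redirected to the failure endpoint instead.
# Names, env layout and failure URL are assumptions for illustration.

class AuthenticityError < StandardError; end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Models the verifier installed as OmniAuth.config.request_validation_phase:
# it raises AuthenticityError when the form token does not match the session token.
def verify_authenticity!(env)
  session_token = env.fetch('session', {})['_csrf_token']
  form_token    = env.fetch('params', {})['authenticity_token']
  return if session_token && secure_compare(session_token, form_token.to_s)

  raise AuthenticityError, 'CSRF token missing or invalid'
end

# Models the strategy's request phase: the validation error is rescued and
# handled like fail!, which re-raises only in raise_out_environments and
# otherwise answers with a redirect to the failure endpoint.
def request_phase(env, strategy:, rails_env:, raise_out_environments: ['development'])
  verify_authenticity!(env)
  [200, { 'Content-Type' => 'text/html' }, ['request phase ok']]
rescue AuthenticityError => e
  raise e if raise_out_environments.include?(rails_env)

  location = "/auth/failure?message=authenticity_error&strategy=#{strategy}"
  [302, { 'Location' => location }, []]
end

if $PROGRAM_NAME == __FILE__
  # Constructed request: a session with a token but a POST body without one.
  env = { 'session' => { '_csrf_token' => 'abc123' }, 'params' => {} }
  status, headers, = request_phase(env, strategy: 'google_oauth2', rails_env: 'test')
  puts "test env: #{status} -> #{headers['Location']}"
end
```

Under this model a request spec in the test environment sees a 302 to the failure endpoint rather than an exception, so an assertion on the redirect (or adding 'test' to `OmniAuth.config.failure_raise_out_environments` if you want the exception back) is what would exercise the mitigation.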

I think this is caused by a change in OmniAuth and not here. See omniauth/omniauth#1031

@mitnal thanks.