Use omniauth-rails_csrf_protection gem

It seems like omniauth-rails is not actually the correct gem: omniauth/omniauth-rails#2 (comment) Here's the relevant instructions: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
dgmstuart · May 11, 2021 · e0ffa1b · e0ffa1b
1 parent 867f18f
commit e0ffa1b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 11 deletions.
diff --git a/Gemfile b/Gemfile
@@ -18,7 +18,7 @@ gem 'jbuilder'
 gem 'jquery-rails'
 gem 'memcachier'
 gem 'omniauth-facebook'
-gem 'omniauth-rails', git: 'https://github.com/omniauth/omniauth-rails', branch: 'CVE-2015-9284'
+gem 'omniauth-rails_csrf_protection'
 gem 'pg'
 gem 'pry-rails'
 gem 'puma'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,12 +1,3 @@
-GIT
-  remote: https://github.com/omniauth/omniauth-rails
-  revision: 8ef80e7da0b4b12dd403ba579b0a34dd6efebdae
-  branch: CVE-2015-9284
-  specs:
-    omniauth-rails (1.0.0)
-      omniauth (~> 1.0)
-      rails
-
 GEM
   remote: https://rubygems.org/
   specs:
@@ -192,6 +183,9 @@ GEM
     omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     parallel (1.20.1)
     parser (3.0.1.1)
       ast (~> 2.4.1)
@@ -378,7 +372,7 @@ DEPENDENCIES
   memcachier
   oj
   omniauth-facebook
-  omniauth-rails!
+  omniauth-rails_csrf_protection
   pg
   pry-rails
   puma