XSS and Open Redirect

[alboxie]

Version:
>= 0.1.33

Routes:
/omniauth/failure

Description:

• The omniauth failure endpoint is vulnerable to Reflected XSS through the message parameter.
  Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim’s browser.
• The same endpoint is also vulnerable to an Open Redirect through the auth_origin_url parameter. Unauthenticated attackers can craft a URL that sends users to a malicious site to phish credentials or launch additional attacks.

URLs to reproduce:

• The following URL should trigger a JS alert with the XSS message.
  https://site/omniauth/failure?message=<script>alert('XSS')</script>&omniauth_window_type=sameWindow&resource_class=User

• The following URL should redirect to google.
  https://site/omniauth/failure?message=failure&omniauth_window_type=sameWindow&resource_class=User&auth_origin_url=http://www.google.com

Reason:
The render_data_or_redirect method and fallback_render methods in app/controllers/devise_token_auth/omniauth_callbacks_controller.rb are using untrusted input to build the redirect and render the error message.

Remediation:

• Redirect to a pre-configured auth_origin_url value and do not trust user input.
• Use templates that sanitize/escape HTML in rendered params by default or utilize https://edgeapi.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html to sanitize the message parameter in place.

[alboxie]

The XSS vulnerability has been assigned CVE-2019-16751

[booleanbetrayal]

Hadn't seen this before today. =[

Have a PR in the mix, but it could probably use specs.

[booleanbetrayal]

Thanks for the visibility on this @alboxie

[booleanbetrayal]

This was pushed to RubyGems as 1.1.3 - https://rubygems.org/gems/devise_token_auth/versions/1.1.3