authorEugen Rochko <eugen@zeonfederated.com>2020-11-28 05:17:53 +0100
committerGitHub <noreply@github.com>2020-11-28 05:17:53 +0100
commit13b07b88f1aa79c31291473362ac77b31602c374 (patch)
tree34b7fe8aeaa444d662f835efd10096f80821106b
parent13206fcfb86844ba4a0c872eaf8c11a61ea848df (diff)
Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)
-rw-r--r--Gemfile1
-rw-r--r--Gemfile.lock4
-rw-r--r--app/views/auth/sessions/new.html.haml3
3 files changed, 6 insertions, 2 deletions
diff --git a/Gemfile b/Gemfile
index 950bc59bbf0..63becb7cca6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,6 +44,7 @@ gem 'net-ldap', '~> 0.16'
gem 'omniauth-cas', '~> 2.0'
gem 'omniauth-saml', '~> 1.10'
gem 'omniauth', '~> 1.9'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
gem 'color_diff', '~> 0.1'
gem 'discard', '~> 1.2'
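Review bot: Pulling in omniauth-rails_csrf_protection 0.1.x by itself may not close the GET path that CVE-2015-9284 exploits: as far as I recall, its TokenVerifier delegates to Rails' `verified_request?`, which returns true for GET/HEAD without checking any token, and omniauth 1.9 still lists GET in `allowed_request_methods` by default. Unless an initializer outside this diff sets `OmniAuth.config.allowed_request_methods = [:post]`, a cross-site `<img>` or redirect to `/auth/saml` could still start the provider flow with no CSRF token involved. I'd pair this dependency with that config line and a request spec asserting that `GET /auth/:provider` is rejected, so the protection does not depend on every caller remembering `method: :post`.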
diff --git a/Gemfile.lock b/Gemfile.lock
index b8134a985ed..f7192d08462 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -375,6 +375,9 @@ GEM
addressable (~> 2.3)
nokogiri (~> 1.5)
omniauth (~> 1.2)
+ omniauth-rails_csrf_protection (0.1.2)
+ actionpack (>= 4.2)
+ omniauth (>= 1.3.1)
omniauth-saml (1.10.3)
omniauth (~> 1.3, >= 1.3.2)
ruby-saml (~> 1.9)
@@ -741,6 +744,7 @@ DEPENDENCIES
oj (~> 3.10)
omniauth (~> 1.9)
omniauth-cas (~> 2.0)
+ omniauth-rails_csrf_protection (~> 0.1)
omniauth-saml (~> 1.10)
ox (~> 2.13)
paperclip (~> 6.0)
diff --git a/app/views/auth/sessions/new.html.haml b/app/views/auth/sessions/new.html.haml
index ceb1694084b..9713bdaebfd 100644
--- a/app/views/auth/sessions/new.html.haml
+++ b/app/views/auth/sessions/new.html.haml
@@ -22,7 +22,6 @@
.actions
- resource_class.omniauth_providers.each do |provider|
- = link_to omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}" do
- = t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize)
+ = link_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}", method: :post
.form-footer= render 'auth/shared/links'
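Review bot: The new `method: :post` on `link_to` only produces a POST when rails-ujs (or jquery_ujs) is loaded and JavaScript runs; without it the browser follows the `href` as a plain GET, and whether this page loads that script is not visible in the diff. `button_to` renders a real form carrying the hidden `authenticity_token` and POSTs with JavaScript disabled: `= button_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}"` (the class then lands on the `<button>`, so the surrounding `.actions` styling may need a `form_class:` as well). The `.actions` block this loop sits in continues outside the hunk's context.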