From 4fc22dcdc820688c9655416c4f496136a0ce1bc3 Mon Sep 17 00:00:00 2001
From: Alec Wenzowski
Date: Thu, 25 Jul 2019 12:46:52 -0700
Subject: [PATCH] fix CVE-2015-9284 per omniauth/omniauth#809

The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

same fix as merged in Shopify/omniauth-identity#8

@see https://nvd.nist.gov/vuln/detail/CVE-2015-9284
---
 Gemfile.lock          | 4 ++++
 shipit-engine.gemspec | 1 +
 2 files changed, 5 insertions(+)

diff --git a/Gemfile.lock b/Gemfile.lock
index 83b5f3661..b54ae3b7b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,6 +15,7 @@ PATH
       lodash-rails (~> 4.6.1)
       octokit (~> 4.12.0)
       omniauth-github (~> 1.3.0)
+      omniauth-rails_csrf_protection (~> 0.1.2)
       pubsubstub (~> 0.1.2)
       rails (~> 5.2.1)
       rails-timeago (~> 2.13.0)
@@ -177,6 +178,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     parallel (1.12.1)
     parser (2.5.0.2)
       ast (~> 2.4.0)
diff --git a/shipit-engine.gemspec b/shipit-engine.gemspec
index f70eb04f1..d401eeb18 100644
--- a/shipit-engine.gemspec
+++ b/shipit-engine.gemspec
@@ -29,6 +29,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'lodash-rails', '~> 4.6.1'
   s.add_dependency 'octokit', '~> 4.12.0'
   s.add_dependency 'omniauth-github', '~> 1.3.0'
+  s.add_dependency 'omniauth-rails_csrf_protection', '~> 0.1.2'
   s.add_dependency 'pubsubstub', '~> 0.1.2'
   s.add_dependency 'rails', '~> 5.2.1'
   s.add_dependency 'rails-timeago', '~> 2.13.0'
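Review bot: The new `s.add_dependency 'omniauth-rails_csrf_protection', '~> 0.1.2'` line declares the gem, but the diffstat shows only the gemspec and the lockfile changed, so nothing in this patch loads it: a host application's `Bundler.require` auto-requires only the gems listed directly in its own Gemfile, not an engine's transitive dependencies, so the gem's request-phase token verifier is never installed unless the engine requires it. Unless `lib/shipit.rb` (outside this diff) already does so, add `require 'omniauth/rails_csrf_protection'` next to the engine's other dependency requires. As far as the 0.1.x verifier delegates to Rails' request-forgery check, which exempts GET and HEAD requests, the mitigation is only effective once the request phase is restricted to POST (`OmniAuth.config.allowed_request_methods = [:post]`) and the sign-in links are rendered as POST forms; please confirm that is covered elsewhere. The `Gem::Specification.new do |s|` block this hunk sits in starts and ends outside the hunk; the Gemfile.lock hunks are the matching lockfile update and need no change.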