OmniAuth gem contains dependency vulnerability

Currently, the omniauth-bnet gem depends on OmniAuth v1, which contains a potential CSRF vulnerability by default. Information on the vulnerability can be found in CVE-2015-9284, and more detailed discussion can be found at (Please note that the linked pull request title is misleading: this vulnerability affects any Ruby application utilizing OmniAuth v1 without proper CSRF protection.)

While mitigation strategies are possible from the end developer’s side, an insurmountable issue is that OmniAuth strategies which rely on OmniAuth v2 are fundamentally incompatible with the current omniauth-bnet gem. Therefore, in the interest of user security and minimizing developer hassle, I would suggest that the omniauth-bnet gem be updated to depend on version 2.0 or higher of the OmniAuth gem.

I reported this through the API Discord and also created a pull request to address the issue: Updated OmniAuth dependency to fix a security vulnerability by francis-schiavo · Pull Request #7 · Blizzard/omniauth-bnet · GitHub

While not ideal or official, feel free to use the source while the issue is pending.

Some other possible workarounds for this issue is to create a custom omniauth strategy or try using one of those generic strategy gems and filling out the required URIs.

1 Like

I noticed! Thanks for putting in the work. For now, I don’t need any OmniAuth v2 gems, so I’ll stick with utilizing the omniauth-rails_csrf_protection gem. Hopefully someone will get some time to make the change officially.