Currently, the omniauth-bnet gem depends on OmniAuth v1, which contains a potential CSRF vulnerability by default. Information on the vulnerability can be found in CVE-2015-9284, and more detailed discussion can be found at https://github.com/omniauth/omniauth/pull/809. (Please note that the linked pull request title is misleading: this vulnerability affects any Ruby application utilizing OmniAuth v1 without proper CSRF protection.)

While mitigation strategies are possible from the end developer’s side, an insurmountable issue is that OmniAuth strategies which rely on OmniAuth v2 are fundamentally incompatible with the current omniauth-bnet gem. Therefore, in the interest of user security and minimizing developer hassle, I would suggest that the omniauth-bnet gem be updated to depend on version 2.0 or higher of the OmniAuth gem.
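The difference the issue is asking for, as an added, dependency-free illustration (this is not OmniAuth's, omniauth-bnet's, or omniauth-rails_csrf_protection's own code; `RequestPhaseGuard`, `auth_request`, `legacy_guard` and `hardened_guard` are invented names, and the `idp.example` redirect target is a placeholder). It models the request phase of `/auth/:provider`: with OmniAuth 1.x defaults a plain GET is enough to start the login flow, so a link or `<img>` on a third-party page can drive a victim's browser into the attacker's account (the login CSRF of CVE-2015-9284); with OmniAuth 2.x defaults only POST is accepted, and the application additionally verifies a per-session CSRF token on that POST.

```ruby
# Added example modelling OmniAuth's request-phase gate. Not OmniAuth's own
# implementation: class, method and host names here are assumptions.
require 'uri'

class RequestPhaseGuard
  AUTH_PATH = %r{\A/auth/([^/]+)\z}

  # allowed_methods: OmniAuth 1.x effectively allowed [:get, :post];
  # OmniAuth 2.x defaults allowed_request_methods to [:post].
  # expected_token: the CSRF token stored in the victim's session, or nil
  # to skip the check (what an app gets without omniauth-rails_csrf_protection).
  def initialize(allowed_methods:, expected_token: nil)
    @allowed_methods = allowed_methods
    @expected_token = expected_token
  end

  # env is a Rack-style hash; rack.input is simplified to a String body here.
  # Returns a Rack-style [status, headers, body].
  def call(env)
    m = AUTH_PATH.match(env['PATH_INFO'].to_s)
    return [404, {}, ['not found']] unless m
    provider = m[1]

    method = env['REQUEST_METHOD'].to_s.downcase.to_sym
    unless @allowed_methods.include?(method)
      allow = @allowed_methods.map { |x| x.to_s.upcase }.join(', ')
      return [405, { 'Allow' => allow }, ['method not allowed']]
    end

    if @expected_token
      params = URI.decode_www_form(env['rack.input'].to_s).to_h
      unless constant_time_equal?(params['authenticity_token'].to_s, @expected_token)
        return [422, {}, ['invalid authenticity token']]
      end
    end

    # Request phase passed: send the browser on to the identity provider.
    [302, { 'Location' => "https://idp.example/authorize?client=#{provider}" }, []]
  end

  private

  # Length-then-XOR comparison so token checks do not leak via timing.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed Rack-style env for a request to /auth/bnet.
def auth_request(method, body = '')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/auth/bnet', 'rack.input' => body }
end

# OmniAuth 1.x-like defaults: GET accepted, no token verification.
def legacy_guard
  RequestPhaseGuard.new(allowed_methods: [:get, :post])
end

# OmniAuth 2.x-like defaults plus an app-side CSRF token check.
def hardened_guard(session_token)
  RequestPhaseGuard.new(allowed_methods: [:post], expected_token: session_token)
end

if __FILE__ == $PROGRAM_NAME
  token = 'per-session-token' # constructed session token
  forged_get = auth_request('GET') # what <img src="https://app/auth/bnet"> sends
  puts "v1-like GET:          #{legacy_guard.call(forged_get)[0]}"
  puts "v2-like GET:          #{hardened_guard(token).call(forged_get)[0]}"
  puts "v2-like POST, no tok: #{hardened_guard(token).call(auth_request('POST'))[0]}"
  puts "v2-like POST, token:  #{hardened_guard(token).call(auth_request('POST', "authenticity_token=#{token}"))[0]}"
end
```

The legacy guard redirects on the forged GET, which is the whole attack; the hardened guard answers 405 to GET and 422 to a POST lacking the session's token, and only the token-bearing POST proceeds. Moving to OmniAuth 2 gets an application the POST-only default for free, which is why bumping the dependency in the gem (for example `spec.add_dependency 'omniauth', '~> 2.0'` in the gemspec, a line assumed here rather than quoted from the project) removes the need for every downstream developer to configure `allowed_request_methods` themselves.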