@lukasreschke reported an issue where a form was not correctly validating its authenticity token, allowing a CSRF attack to import code from external sources into an attacker-specified repository. This caused unexpected branches to appear in the target repository, but would not overwrite any existing code or add code to existing branches.
The cause of the issue was the way that the application handles authenticity token mismatches. The default Rails behavior is to
nil out the session. This can lead to issues with session memoization that may occur before the session is
niled. We modified the application to use a safer method for CSRF handling and now raise a Exception on token mismatch, halting the request chain. This is now the default behavior for newly generated rails applications and can be added to Rails 4 applications with
protect_from_forgery with: :exception. A proposed change to Brakeman would create a new warning for Rails 4 applications that do not use
protect_from_forgery with: :exception.
This vulnerability was considered to be low-risk because no code could be deleted or overwritten, just added. The mitigation for this bug does not affect enterprise installations.
@lukasreschke earned an additional 500 points for donating his bounty to a great cause — Doctors Without Borders. GitHub matches all bounties donated to 501(c)(3) organizations.