GHSA-99f9-gv72-fw9r

Source
https://github.com/advisories/GHSA-99f9-gv72-fw9r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-99f9-gv72-fw9r/GHSA-99f9-gv72-fw9r.json
Aliases
Published
2024-02-01T20:53:08Z
Modified
2024-02-16T08:08:57.650696Z
Details

Impacted Resources

bref/src/Event/Http/HttpResponse.php:61-90

Description

When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.

Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.

Impact

If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.

For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one.

PoC

  1. Create a new Bref project.
  2. Create an index.php file with the following content:
    <?php
    header("Content-Security-Policy: script-src 'none'", false);
    header("Content-Security-Policy: img-src 'self'", false);
    ?>
    <script>alert(document.domain)</script>
    <img src="https://bref.sh/favicon-32x32.png">
    
  3. Use the following serverless.yml to deploy the Lambda:
    service: app
    
    provider:
        name: aws
        region: eu-central-1
    
    plugins:
        - ./vendor/bref/bref
    
    functions:
        api:
            handler: index.php
            description: ''
            runtime: php-81-fpm
            timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
            events:
                -   httpApi: '*'
    
    # Exclude files from deployment
    package:
        patterns:
            - '!node_modules/**'
            - '!tests/**'
    
  4. Browse the Lambda URL.
  5. Notice that the JavaScript code is executed as the Content-Security-Policy: script-src 'none' header has been removed.
  6. Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.
  7. Start a PHP server inside the project directory (e.g. php -S 127.0.0.1:8090).
  8. Browse the index.php script through the PHP server (e.g. http://127.0.0.1:8090/index.php).
  9. Notice that the JavaScript code is not executed as the Content-Security-Policy: script-src 'none' header has been kept.
  10. Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.

Suggested Remediation

Concatenate all the multiple value headers' values with a comma (,) as separator and return a single header with all the values to the API Gateway.

References

  • https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2
References

Affected packages

Packagist / bref/bref

Package

Name
bref/bref

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
2.1.13

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.2.17
0.2.18
0.2.19
0.2.20
0.2.21
0.2.22
0.2.23
0.2.24
0.2.25
0.2.26
0.2.27
0.2.28
0.2.29
0.2.30
0.2.31
0.2.32
0.2.33
0.2.34
0.2.35
0.2.36
0.2.37
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.5.0-beta1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6-beta1
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14-beta1
0.5.14-beta2
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.20
0.5.21
0.5.22
0.5.23
0.5.24
0.5.25
0.5.26
0.5.27
0.5.28
0.5.29
0.5.30
0.5.31
0.5.32
0.5.33

1.*

1.0.0-beta1
1.0.0-beta2
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
1.7.28
1.7.29
1.7.30
1.7.31
1.7.32
1.7.33
1.7.34
1.7.35
1.7.36
1.7.37
1.7.38
1.7.39
1.7.40
1.7.41
1.7.42

2.*

2.0.0-beta1
2.0.0-beta2
2.0.0-beta3
2.0.0-beta4
2.0.0-beta5
2.0.0-beta6
2.0.0-beta7
2.0.0-beta8
2.0.0-beta9
2.0.0-beta10
2.0.0-beta11
2.0.0-beta12
2.0.0-beta13
2.0.0-beta14
2.0.0-beta15
2.0.0-beta16
2.0.0-beta17
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12