Description
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
Impact
If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected, leading to limited header injection.
Upon seeing a newline in the header value, Rails will silently create a new Content-Security-Policy header from the remainder of the original string, and it will continue to create a new header for each further newline.
e.g.
would result in
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
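As an added example (not part of this advisory or of the secure_headers gem), the following Ruby code shows the kind of validation an application can place in front of append/override_content_security_policy_directives so that dynamic values containing CR, LF or other whitespace are rejected before they reach the header at all. The allow-list regex, the CspSourceError class, the DYNAMIC_DIRECTIVES list and the function names are assumptions of this example, not the gem's API; the patched gem versions apply their own fix.

```ruby
# Added example, not secure_headers' own code: validate user-controlled CSP
# source values before they are handed to the dynamic override API.

# Bytes that must never appear inside a single header value: NUL through space
# (which includes CR and LF) and DEL. Whitespace is included because it would
# also split one source expression into several.
FORBIDDEN_CSP_CHARS = /[\x00-\x20\x7f]/

# Narrow allow-list of source expressions accepted from user input: the
# 'self'/'none' keywords and http(s) host sources with optional port and path.
# This is an assumption for the example, not the full CSP grammar.
ALLOWED_CSP_SOURCE = %r{\A(?:
  'self'|'none'|
  https?://[a-z0-9.*-]+(?::\d+)?(?:/[A-Za-z0-9._~%/-]*)?
)\z}xi

class CspSourceError < ArgumentError; end

# Returns the validated array of sources, or raises CspSourceError.
# Rejecting instead of stripping keeps the failure visible in logs.
def validate_csp_sources(values)
  Array(values).map do |raw|
    value = raw.to_s
    if value.match?(FORBIDDEN_CSP_CHARS)
      raise CspSourceError, "control or whitespace character in CSP source: #{value.inspect}"
    end
    unless value.match?(ALLOWED_CSP_SOURCE)
      raise CspSourceError, "unsupported CSP source expression: #{value.inspect}"
    end
    value
  end
end

# Directives an application chooses to let user data influence (assumed list).
DYNAMIC_DIRECTIVES = %i[script_src img_src connect_src frame_src].freeze

# Builds the hash a controller would pass to
# append_content_security_policy_directives, after validation.
def safe_csp_override(directive, user_values)
  unless DYNAMIC_DIRECTIVES.include?(directive)
    raise CspSourceError, "directive not overridable: #{directive}"
  end
  { directive => validate_csp_sources(user_values) }
end

if $PROGRAM_NAME == __FILE__
  p safe_csp_override(:img_src, ["https://cdn.example.com", "'self'"])
  begin
    # Constructed input containing a line break: rejected before header assembly.
    safe_csp_override(:img_src, ["https://cdn.example.com\nfoo"])
  rescue CspSourceError => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller the validated hash is what would be passed on, e.g. `append_content_security_policy_directives(safe_csp_override(:img_src, params[:cdn_hosts]))`; a CspSourceError can then be rescued and logged as a rejected request rather than silently altering the policy.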
Patches
This has been fixed in 6.3.0, 5.2.0, and 3.9.0.
Workarounds
References
- https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
- The effect of multiple policies
For more information
If you have any questions or comments about this advisory:
- Open an issue in this repo
- DM us at @ndm on Twitter
References
- https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
- https://nvd.nist.gov/vuln/detail/CVE-2020-5216
- https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5216.yml
Packages

| Package | Affected versions | Patched version |
|---|---|---|
| secure_headers | >= 6.0.0, < 6.3.0 | 6.3.0 |
| secure_headers | >= 5.0.0, < 5.2.0 | 5.2.0 |
| secure_headers | < 3.9.0 | 3.9.0 |
Related vulnerabilities
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline. This has been fixed in 6.3.0, 5.2.0, and 3.9.0.