ADVISORIES
GEM
SEVERITY
CVSS v3.x: 4.4 (Medium)
PATCHED VERSIONS
- ~> 3.8
- ~> 5.1
- >= 6.2.0
DESCRIPTION
If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.
This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.
The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.
> Duplicate script-src directives detected. All but the first instance will be ignored.
See https://www.w3.org/TR/CSP3/#parse-serialized-policy
> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was > ignored. A console warning might be appropriate, for example.
Workarounds
If you are passing user input into the above methods, you could filter out the input:
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])