Published 7 months ago
Category: Code Injection
Source: GitHub
Severity: Severe

Vulnerability in secure_headers

If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.


override_content_security_directives(script_src: ['', "\ninjected\n"])

would result in

Content-Security-Policy: ... script-src:
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

override_content_security_directives(script_src: ["", "\ndefault-src 'none'; report-uri"])
Content-Security-Policy: ... script-src:
Content-Security-Policy: default-src 'none'; report-uri
Content-Security-Policy: rest-of-the-header

Workarounds override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 3.9 ~> 5.2 >= 6.3.0

Unaffected Versions