---
gem: secure_headers
cve: 2020-5217
ghsa: xq52-rv6w-397c
url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
date: 2020-01-23
title: secure_headers directive injection using semicolon
description: |-
  If user-supplied input is passed to append_content_security_policy_directives or
  override_content_security_policy_directives, a semicolon in that input is passed through
  unchanged, leading to directive injection.

  This could be used to, for example, override a script-src directive. Browsers ignore duplicate
  directives: the first occurrence wins. secure_headers emits directives sorted alphabetically, so
  nearly all of them come before script-src. A directive that had not been defined before would
  also receive a value, even if SecureHeaders::OPT_OUT had been supplied for it.

  The fixed versions convert the semicolons to spaces and emit a deprecation warning when this
  happens, so the injected text only ends up as extra source values of the intended directive.
  The result is innocuous browser console messages if the bug is being exploited or triggered
  accidentally. In future releases, we will raise application errors, resulting in 500s.

  > Duplicate script-src directives detected. All but the first instance will be ignored.

  See https://www.w3.org/TR/CSP3/#parse-serialized-policy

  > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
  > ignored. A console warning might be appropriate, for example.

  # Workarounds

  If you are passing user input into the above methods, you can neutralise semicolons in the
  input before it reaches them, as the fixed versions do:

  ```ruby
  override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
  ```

cvss_v3: 4.4

patched_versions:
  - "~> 3.8"
  - "~> 5.1"
  - ">= 6.2.0"
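As an added example (not code from secure_headers or from the advisory), the sanitisation the workaround describes, next to a small parser that follows the CSP3 parse-serialized-policy rule that the first of any duplicate directive wins, so the effect of a semicolon in a frame-src value can be checked before and after filtering. The helper names sanitize_csp_sources, serialize_csp, parse_serialized_policy and demo, and the sample input, are assumptions for illustration.

```ruby
# Added example, not secure_headers' own code. Helper names and the sample
# input below are assumptions for illustration.

# Mirrors the fix: replace ";" with " " in user-supplied source values and
# record a warning, so no new directive can be smuggled into the policy.
def sanitize_csp_sources(sources, warnings = [])
  sources.map do |src|
    next src unless src.include?(";")
    warnings << "semicolon removed from CSP source value: #{src.inspect}"
    src.gsub(";", " ")
  end
end

# Build a header value in the "name value ...; name value ..." wire form,
# keeping the directives in the order given.
def serialize_csp(directives)
  directives.map { |name, values| ([name.to_s.tr("_", "-")] + values).join(" ") }.join("; ")
end

# Parse per https://www.w3.org/TR/CSP3/#parse-serialized-policy: split on ";",
# split each token on ASCII whitespace, keep the first of any duplicate
# directive and record the console-style warning for the ignored copy.
def parse_serialized_policy(header, warnings = [])
  policy = {}
  header.split(";").each do |token|
    name, *values = token.strip.split(/[ \t\n\f\r]+/)
    next if name.nil? || name.empty?
    name = name.downcase
    if policy.key?(name)
      warnings << "Duplicate #{name} directives detected. All but the first instance will be ignored."
      next
    end
    policy[name] = values
  end
  policy
end

# Constructed untrusted frame-src value carrying a stray semicolon.
UNTRUSTED_INPUT = "https://cdn.example.com; script-src https://attacker.invalid".freeze

# Compare the parsed policy without and with the sanitizer applied: unsanitised,
# the smuggled script-src comes first and wins; sanitised, it is just extra
# frame-src tokens and the real script-src keeps its value.
def demo
  unsafe = serialize_csp(frame_src: [UNTRUSTED_INPUT], script_src: ["'self'"])
  safe   = serialize_csp(frame_src: sanitize_csp_sources([UNTRUSTED_INPUT]), script_src: ["'self'"])
  { unsafe: parse_serialized_policy(unsafe), safe: parse_serialized_policy(safe) }
end
```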

Version data entries

1 entry across 1 version & 1 rubygem

Version: bundler-audit-0.7.0.1
Path: data/ruby-advisory-db/gems/secure_headers/CVE-2020-5217.yml