[Security] Bump secure_headers from 3.6.1 to 6.3.2

[dependabot-preview]

Bumps secure_headers from 3.6.1 to 6.3.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects secure_headers

Impact

If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])` 

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

... (truncated)

Affected versions: < 3.9.0

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects secure_headers

Impact

If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.

This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored.

See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example.

Patches

Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.

Workarounds

... (truncated)

Affected versions: < 3.8.0

Sourced from The Ruby Advisory Database.

secure_headers XXX If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.

This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored.

See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was > ignored. A console warning might be appropriate, for example.

... (truncated)

Patched versions: ~> 3.8.0; ~> 5.1.0; >= 6.2.0 Unaffected versions: none

Sourced from The Ruby Advisory Database.

secure_headers header injection due to newline If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

... (truncated)

Patched versions: ~> 3.9.0; ~> 5.2.0; >= 6.3.0 Unaffected versions: none

Sourced from The Ruby Advisory Database.

secure_headers header injection due to newline If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection.

Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new headers for each newline.

e.g.

override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])

would result in

Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header

... (truncated)

Patched versions: ~> 3.9; ~> 5.2; >= 6.3.0 Unaffected versions: none

Sourced from The Ruby Advisory Database.

secure_headers XXX If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.

This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored.

See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was > ignored. A console warning might be appropriate, for example.

... (truncated)

Patched versions: ~> 3.8; ~> 5.1; >= 6.2.0 Unaffected versions: none

Sourced from The Ruby Advisory Database.

secure_headers directive injection using semicolon If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.

This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored.

See https://www.w3.org/TR/CSP3/#parse-serialized-policy

> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was > ignored. A console warning might be appropriate, for example.

... (truncated)

Patched versions: ~> 3.8; ~> 5.1; >= 6.2.0 Unaffected versions: none

Changelog

Sourced from secure_headers's changelog.

6.3.2

Add support for style-src-attr, style-src-elem, script-src-attr, and script-src-elem directives (@ggalmazor)

6.3.1

Fixes deprecation warnings when running under ruby 2.7

6.3.0

Fixes newline injection issue

6.2.0

Fixes semicolon injection issue reported by @mvgijssel see twitter/secure_headers#418

6.1.2

Adds the ability to specify SameSite=none with the same configurability as Strict/Lax in order to disable Chrome's soon-to-be-lax-by-default state.

6.1.1

Adds the ability to disable the automatically-appended 'unsafe-inline' value when nonces are used #404 (@will)

6.1

Adds support for navigate-to, prefetch-src, and require-sri-for #395

NOTE: this version is a breaking change due to the removal of HPKP. Remove the HPKP config, the standard is dead. Apologies for not doing a proper deprecate/major rev cycle 🙏

6.0

• See the upgrading to 6.0 guide for the breaking changes.

5.0.5

• A release to deprecate SecureHeaders::Configuration#get in prep for 6.x

5.0.4

• Adds support for nonced_stylesheet_pack_tag #373 (@paulfri)

5.0.3

• Add nonced versions of Rails link/include tags #372 (@steveh)

5.0.2

• Updates Referrer-Policy header to support multiple policy values

... (truncated)

Commits

• 5592e9a bump to 6.3.2
• 7693be0 Merge pull request #465 from ggalmazor/enhancement/add_missing_v3_directives
• 9bfb355 Change: add specs to verify that the added directives are included in the CSP...
• b0190c5 Change: update the README with the new directives
• 722f9c8 Change: add missing directives from CSP version 3:
• 62d5fb8 Merge pull request #451 from MrCull/patch-1
• e7c56e6 Deadlink in readme file in this repo to https://github.com/sourceclear/headli...
• ffec182 Minor improvements to 6.0 upgrade doc [ci skip] (#446)
• f3d3f9d bump to 6.3.1
• 3815ab4 Fix ruby 2.7 deprecation warnings with ** (#443)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)