[Ruby - net/http] HTTP Header Injection in the set_content_type method
We discussed this vulnerability during Episode 117 on 07 February 2022
Maybe an issue, maybe not; the Ruby devs seem to think it's a non-issue. This is a case of a library allowing some questionable input. The net/http library provides a set_content_type method which takes in the mimetype and a dictionary. The dictionary is just joined and reflected in the final Content-Type header as a key=value string. An attacker who can control input to that dictionary can include newline characters and inject their own request headers.

This is a significant restriction for an attacker to be sure; however, it also makes little sense for Ruby to include newline characters at all, even if they are passed in. While an actual vulnerability using this is probably a rare situation, it is a bit of a quirk that might pop up somewhere.
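An added example (not from the episode or from net/http itself) that shows the join behaviour described above and a hardened wrapper that refuses CR/LF before the hash reaches set_content_type; the tainted charset value and the request path are constructed for the demo:

```ruby
require 'net/http'

# What the page describes: set_content_type joins the params hash into
# "; key=value" pairs and stores the result without checking for CR/LF.
def raw_content_type(req, type, params)
  req.set_content_type(type, params)
  req['Content-Type']
rescue ArgumentError
  nil # a net/http release that validates this path would land here
end

# Hardened wrapper (added here, not part of net/http): reject any mimetype,
# key or value carrying CR or LF before the library ever sees it.
def safe_set_content_type(req, type, params = {})
  [type, *params.keys, *params.values].each do |piece|
    s = piece.to_s
    if s.match?(/[\r\n]/)
      raise ArgumentError, "Content-Type component #{s.inspect} contains CR/LF"
    end
  end
  req.set_content_type(type, params)
  req['Content-Type']
end

# Constructed sample: a charset value that smuggles a second header line.
TAINTED = { charset: "utf-8\r\nX-Injected: yes" }.freeze

# Returns the header the library builds from tainted input alongside the
# header the hardened wrapper builds from clean input.
def demo
  {
    raw: raw_content_type(Net::HTTP::Post.new('/upload'), 'text/plain', TAINTED),
    benign: safe_set_content_type(Net::HTTP::Post.new('/upload'), 'text/plain', charset: 'utf-8')
  }
end

if __FILE__ == $0
  out = demo
  puts "library result:  #{out[:raw].inspect}"
  puts "hardened benign: #{out[:benign].inspect}"
  begin
    safe_set_content_type(Net::HTTP::Post.new('/upload'), 'text/plain', TAINTED)
  rescue ArgumentError => e
    puts "hardened rejected: #{e.message}"
  end
end
```

Inspecting the raw result shows the literal CR/LF and the injected line sitting inside what the request will serialise as its Content-Type header; the wrapper turns that into an ArgumentError at the call site instead.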