#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
     Reporter:  Naveed Qadir         |                    Owner:  Naveed
         Type:                       |  Qadir
  Cleanup/optimization               |                   Status:  assigned
    Component:  Utilities            |                  Version:  6.0
     Severity:  Normal               |               Resolution:
     Keywords:  csp,validation       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Naveed Qadir):

 * keywords:   => csp,validation
 * owner:  (none) => Naveed Qadir
 * status:  new => assigned


Old description:

> The `build_policy()` function in `django/utils/csp.py` does not validate
> directive names or values, allowing malformed CSP policies to be
> generated.
>
> == Problem ==
>
> CSP policies use semicolons to separate directives. If a directive name
> or value contains a semicolon (e.g., from a misconfiguration), it can
> result in a malformed policy:
>
> {{{#!python
> from django.utils.csp import build_policy, CSP
>
> # This produces a malformed CSP header
> policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
> build_policy(policy)
> # Returns: "script-src https://good.com; report-uri https://evil.com";
> # The semicolon splits what should be one directive into two!
> }}}
>
> While this requires developer misconfiguration (not user input), it's a
> hardening improvement to catch these errors early with a clear error
> message rather than silently producing invalid policies.
>
> == Solution ==
>
> Add validation to `build_policy()` that raises `ValueError` if:
> - Directive names contain semicolons, `\r`, or `\n`
> - Values contain semicolons
>
> The error messages guide developers to use proper list syntax for
> multiple values.
>
> == Patch ==
>
> A patch with tests is ready and will be submitted as a PR.

New description:

 The `build_policy()` function in `django/utils/csp.py` does not validate
 directive names or values, allowing malformed CSP policies to be
 generated.

 == Problem ==

 CSP policies use semicolons to separate directives. If a directive name or
 value contains a semicolon (e.g., from a misconfiguration), it can result
 in a malformed policy:

 {{{#!python
 from django.utils.csp import build_policy, CSP

 # This produces a malformed CSP header
 policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
 build_policy(policy)
 # Returns: "script-src https://good.com; report-uri https://evil.com";
 # The semicolon splits what should be one directive into two!
 }}}

 While this requires developer misconfiguration (not user input), it's a
 hardening improvement to catch these errors early with a clear error
 message rather than silently producing invalid policies.

 == Solution ==

 Add validation to `build_policy()` that raises `ValueError` if:
 - Directive names contain semicolons, `\r`, or `\n`
 - Values contain semicolons

 The error messages guide developers to use proper list syntax for multiple
 values.

 == Patch ==

 A patch with tests is ready and is submitted as a PR.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/36831#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
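A worked version of the validation the ticket proposes, written as an added example rather than Django's own `build_policy()`: the `validate=False` path reproduces the malformed header from the description, and the default path raises `ValueError` with the suggested guidance. It assumes a simplified config shape (directive name mapped to a string, a list of strings, or `True` for a bare directive) and a hypothetical `policy_or_error` helper that returns the error text.

```python
# Added example, not django/utils/csp.py: a minimal build_policy() with the
# name/value validation proposed in the ticket. Config shape is an assumption:
# {directive_name: str | list[str] | True}, True meaning a bare directive.
NAME_FORBIDDEN = (";", "\r", "\n")  # would split or terminate the header


def _validate_directive(name, values):
    """Raise ValueError for characters that would break CSP syntax."""
    if any(ch in name for ch in NAME_FORBIDDEN):
        raise ValueError(
            f"Invalid CSP directive name {name!r}: must not contain ';', CR or LF."
        )
    for value in values:
        if ";" in value:
            raise ValueError(
                f"Invalid value {value!r} for CSP directive {name!r}: values must "
                "not contain ';'. To set multiple values, pass a list such as "
                "['https://good.com', 'https://other.com']."
            )


def build_policy(config, validate=True):
    """Serialize config into a Content-Security-Policy header value.

    With validate=False the function behaves like the unvalidated version
    described in the ticket, so a ';' inside a value silently becomes a
    second directive.
    """
    directives = []
    for name, value in config.items():
        if value is True:
            values = []  # bare directive, e.g. upgrade-insecure-requests
        elif isinstance(value, str):
            values = [value]
        else:
            values = list(value)
        if validate:
            _validate_directive(name, values)
        directives.append(" ".join([name, *values]))
    return "; ".join(directives)


def policy_or_error(config):
    """Hypothetical helper: header value, or the ValueError message."""
    try:
        return build_policy(config)
    except ValueError as exc:
        return str(exc)
```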
