shapesecurity / salvation

Parse Content Security Policy headers, warn about policy errors, safely manipulate, render, and optimise policies
http://cspvalidator.org
Apache License 2.0

https://alfchen.de/ causes “CSP parsing error: String index out of range: -1” #244

Open sideshowbarker opened 4 years ago

sideshowbarker commented 4 years ago

Checking https://alfchen.de/ with Salvation 2.7.2 causes an unexpected exception:

RuntimeException, doc: https://alfchen.de/ schema:  lax: false
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
        at java.lang.String.substring(String.java:1967)
        at com.shapesecurity.salvation.Parser.parseSourceExpression(Parser.java:586)
        at com.shapesecurity.salvation.Parser.parseSourceList(Parser.java:480)
        at com.shapesecurity.salvation.Parser.parseDirective(Parser.java:376)
        at com.shapesecurity.salvation.Parser.parsePolicy(Parser.java:236)
        at com.shapesecurity.salvation.Parser.parsePolicyAndAssertEOF(Parser.java:252)
        at com.shapesecurity.salvation.Parser.parse(Parser.java:150)

It’s also reproducible with https://cspvalidator.org/ — which claims to be running Salvation 2.6.0:

https://cspvalidator.org/#url=https://alfchen.de/

(I haven’t tested with Salvation 3.0.0, so I don’t know whether it’s reproducible there.)

sideshowbarker commented 4 years ago

OK, the https://alfchen.de/ problem can be minimally reproduced with the following (invalid) policy:

script-src 'sha256- RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';

https://cspvalidator.org/#headerValue%5B%5D=script-src+'sha256-+RFWPLDbv2BY%2BrCkDzsE%2B0fr8ylGr2R2faWMhq4lfEQc%3D'%3B&strategy=intersection

Specifically, the exception can be reproduced with any policy containing a hash-source expression which (incorrectly) has whitespace after the hash-algorithm-and-dash prefix and before the base64 hash/digest value itself.
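The failure mode described above, as an added example that is not part of this issue or of Salvation's own parser: a small hash-source validator (Python, not the project's Java) that tokenises the directive value on whitespace as the reporter's minimal policy does, and reports a parse error for the split `'sha256- ...='` token instead of crashing. `naive_quoted_body` is a hypothetical stand-in for the assumption that a token opening with a quote also closes with one; the sample policy is the one from the comment above.

```python
import base64
import binascii
import re

# CSP3 grammar: hash-source = "'" hash-algorithm "-" base64-value "'"
HASH_SOURCE_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$", re.IGNORECASE)
DIGEST_BYTES = {"sha256": 32, "sha384": 48, "sha512": 64}
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}

# Constructed sample: the reporter's minimal policy, with a space after "'sha256-".
SAMPLE_DIRECTIVE = "script-src 'sha256- RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';"


def naive_quoted_body(token):
    """Hypothetical shape of the fragile approach: assume the closing quote exists.
    Once whitespace has split the hash-source, the quote is missing and index() raises
    (the Java analogue returns -1, and substring(1, -1) throws StringIndexOutOfBounds)."""
    return token[1:token.index("'", 1)]


def check_hash_source(token):
    """Return (digest_bytes, None) for a well-formed hash-source, else (None, error)."""
    m = HASH_SOURCE_RE.match(token)
    if not m:
        return None, f"malformed hash-source {token!r}: expected 'alg-base64' with no whitespace and a closing quote"
    alg, b64 = m.group(1).lower(), m.group(2)
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None, f"hash-source {token!r}: digest is not valid base64"
    if len(raw) != DIGEST_BYTES[alg]:
        return None, f"hash-source {token!r}: {alg} digest must be {DIGEST_BYTES[alg]} bytes, got {len(raw)}"
    return raw, None


def parse_source_list(value):
    """Split a directive value on ASCII whitespace; every token yields a source or an error, never an exception."""
    sources, errors = [], []
    for tok in value.split():
        if tok.lower() in KEYWORDS:
            sources.append(tok)
        elif tok.startswith("'") or tok.endswith("'"):
            raw, err = check_hash_source(tok)
            if err:
                errors.append(err)
            else:
                sources.append(tok)
        else:
            sources.append(tok)  # host-source / scheme-source: validated elsewhere
    return sources, errors


def parse_directive(directive):
    """Split 'name value;' into (name, sources, errors)."""
    parts = directive.strip().rstrip(";").split(None, 1)
    name, value = parts[0], (parts[1] if len(parts) > 1 else "")
    sources, errors = parse_source_list(value)
    return name, sources, errors
```

For the sample directive the validator returns no sources and two errors (one for `'sha256-`, one for the dangling digest token), while the same policy with the space removed yields a 32-byte SHA-256 digest and no errors.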