Don't allow Semicolon or CRLF injection

CSP-Builder is a developer tool. It is not meant to be used with user input.

However, the ability to inject CSP directives or additional headers violates the principle of least astonishment.

This was reported via user demonia on HackerOne.

composer.json

@@ -29,6 +29,11 @@
             "ParagonIE\\CSPBuilder\\": "src"
         }
     },
+    "autoload-dev": {
+        "psr-4": {
+            "ParagonIE\\CSPBuilderTest\\": "test"
+        }
+    },
     "require": {
         "php": "^7.1|^8",
         "ext-json": "*",

src/CSPBuilder.php

@@ -137,7 +137,7 @@ public function compile(): string
             if (!is_string($this->policies['report-uri'])) {
                 throw new TypeError('report-uri policy somehow not a string');
             }
-            $compiled [] = 'report-uri ' . $this->policies['report-uri'] . '; ';
+            $compiled [] = 'report-uri ' . $this->enc($this->policies['report-uri']) . '; ';
         }
         if (!empty($this->policies['report-to'])) {
             if (!is_string($this->policies['report-to'])) {
@@ -863,16 +863,16 @@ protected function compileSubgroup(string $directive, $policies = []): string
             if ($directive === 'plugin-types') {
                 return '';
             } elseif ($directive === 'sandbox') {
-                return $directive.'; ';
+                return $this->enc($directive) . '; ';
             }
             return $directive." 'none'; ";
         }
         /** @var array<array-key, mixed> $policies */
 
-        $ret = $directive.' ';
+        $ret = $this->enc($directive) . ' ';
         if ($directive === 'plugin-types') {
             // Expects MIME types, not URLs
-            return $ret . implode(' ', $policies['allow']).'; ';
+            return $ret . $this->enc(implode(' ', $policies['allow']), 'mime').'; ';
         }
         if (!empty($policies['self'])) {
             $ret .= "'self' ";
@@ -1009,6 +1009,28 @@ protected function getHeaderKeys(bool $legacy = true): array
         return $return;
     }
 
+    /**
+     * @param string $piece
+     * @param string $type
+     * @return string
+     */
+    protected function enc(string $piece, string $type = 'default'): string
+    {
+        switch ($type) {
+            case 'mime':
+                return preg_replace('#^[a-z0-9\-/]+#', '', strtolower($piece));
+            case 'url':
+                return urlencode($piece);
+            default:
+                // Don't inject
+                return str_replace(
+                    [';', "\r", "\n", ':'],
+                    ['%3B', '%0D', '%0A', '%3A'],
+                    $piece
+                );
+        }
+    }
+
     /**
      * Is this user currently connected over HTTPS?
      *

test/InvalidInputTest.php

@@ -0,0 +1,36 @@
+<?php
+declare(strict_types=1);
+
+namespace ParagonIE\CSPBuilderTest;
+
+use PHPUnit\Framework\TestCase;
+use ParagonIE\CSPBuilder\CSPBuilder;
+
+class InvalidInputTest extends TestCase
+{
+    public function testRejectSemicolon()
+    {
+        $csp = (new CSPBuilder([]))
+            ->setReportUri('https://example.com/csp_report.php; hello world')
+            ->compile();
+
+        $this->assertStringNotContainsString(
+            $csp,
+            'report-uri https://example.com/csp_report.php; hello world',
+            'Semicolon injection is possible'
+        );
+    }
+
+    public function testRejectCrLf()
+    {
+        $csp = (new CSPBuilder([]))
+            ->setReportUri("https://example.com/csp_report.php;\r\nContent-Type:text/plain")
+            ->compile();
+
+        $this->assertStringNotContainsString(
+            $csp,
+            "\r\nContent-Type:",
+            "CRLF Injection is possible"
+        );
+    }
+}