data/reports: add GO-2023-1703.yaml
Aliases: CVE-2023-24538
Updates golang/vulndb#1703
Change-Id: I14085ebbad5ff6593841480f05acba69a33da101
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/482618
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/data/reports/GO-2023-1703.yaml b/data/reports/GO-2023-1703.yaml
new file mode 100644
index 0000000..bc4ecfe
--- /dev/null
+++ b/data/reports/GO-2023-1703.yaml
@@ -0,0 +1,46 @@
+modules:
+ - module: std
+ versions:
+ - fixed: 1.19.8
+ - introduced: 1.20.0
+ fixed: 1.20.3
+ vulnerable_at: 1.20.2
+ packages:
+ - package: html/template
+ symbols:
+ - tJS
+ - tJSDelimited
+ derived_symbols:
+ - Template.Execute
+ - Template.ExecuteTemplate
+summary: Backticks not treated as string delimiters in html/template
+description: |
+ Templates do not properly consider backticks (`) as Javascript string
+ delimiters, and do not escape them as expected.
+
+ Backticks are used, since ES6, for JS template literals. If a template
+ contains a Go template action within a Javascript template literal, the
+ contents of the action can be used to terminate the literal, injecting
+ arbitrary Javascript code into the Go template.
+
+ As ES6 template literals are rather complex, and themselves can do string
+ interpolation, the decision was made to simply disallow Go template actions
+ from being used inside of them (e.g. "var a = {{.}}"), since there is no
+ obviously safe way to allow this behavior. This takes the same approach as
+ github.com/google/safehtml.
+
+ With fix, Template.Parse returns an Error when it encounters templates like
+ this, with an ErrorCode of value 12. This ErrorCode is currently
+ unexported, but will be exported in the release of Go 1.21.
+
+ Users who rely on the previous behavior can re-enable it using the
+ GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be
+ escaped. This should be used with caution.
+credit: Sohom Datta, Manipal Institute of Technology
+references:
+ - report: https://go.dev/issue/59234
+ - fix: https://go.dev/cl/482079
+ - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
+cve_metadata:
+ id: CVE-2023-24538
+ cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
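Review bot: the example in the description, `(e.g. "var a = {{.}}")`, shows a template action inside a double-quoted JS string rather than inside an ES6 template literal, which is the construct this report is about and the one the fix now rejects; writing it with backticks (`var a = `{{.}}``) would make the example match the description of the vulnerable pattern. Two smaller style points in the same block: "Javascript" should be spelled "JavaScript" (the text also uses "JS" and "ES6", so consistency helps), and "Template.Parse returns an Error" would read better as "returns an error", since the capitalized form suggests a type name that is not referenced elsewhere in the report.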