id: GO-2023-1703
modules:
    - module: std
      versions:
        - fixed: 1.19.8
        - introduced: 1.20.0-0
        - fixed: 1.20.3
      vulnerable_at: 1.20.2
      packages:
        - package: html/template
          symbols:
            - tJS
            - tJSDelimited
          derived_symbols:
            - Template.Execute
            - Template.ExecuteTemplate
summary: Backticks not treated as string delimiters in html/template
description: |-
    Templates do not properly consider backticks (`) as JavaScript string
    delimiters, and do not escape them as expected.

    Backticks are used, since ES6, for JS template literals. If a template contains
    a Go template action within a JavaScript template literal, the contents of the
    action can be used to terminate the literal, injecting arbitrary JavaScript code
    into the Go template.

    As ES6 template literals are rather complex, and themselves can do string
    interpolation, the decision was made to simply disallow Go template actions from
    being used inside of them (e.g. "var a = {{.}}"), since there is no obviously
    safe way to allow this behavior. This takes the same approach as
    github.com/google/safehtml.

    With fix, Template.Parse returns an Error when it encounters templates like
    this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but
    will be exported in the release of Go 1.21.

    Users who rely on the previous behavior can re-enable it using the GODEBUG flag
    jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
    should be used with caution.
credits:
    - Sohom Datta, Manipal Institute of Technology
references:
    - report: https://go.dev/issue/59234
    - fix: https://go.dev/cl/482079
    - web: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
cve_metadata:
    id: CVE-2023-24538
    cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
    references:
        - https://security.gentoo.org/glsa/202311-09
review_status: REVIEWED