Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

contribs/gnodev/pkg/emitter: use html/template not text/template to avoid any HTML serving issues or future unescaped XSS attacks: minor #3544

Closed
odeke-em opened this issue Jan 19, 2025 · 0 comments · Fixed by #3545
Closed

contribs/gnodev/pkg/emitter: use html/template not text/template to avoid any HTML serving issues or future unescaped XSS attacks: minor #3544

odeke-em opened this issue Jan 19, 2025 · 0 comments · Fixed by #3545
Labels
🐞 bug Something isn't working

Comments

@odeke-em
Copy link
Contributor

This is a currently minor issue given that the code inside middleware.go is not attacker controlled but really when starting up a server

gno/contribs/gnodev/pkg/emitter/middleware.go

Line 24 in d2813f8

tmpl *template.Template

gno/contribs/gnodev/pkg/emitter/middleware.go

Lines 86 to 89 in d2813f8

err := m.tmpl.Execute(script, &data{
Remote: m.remote,
ReloadEvents: []events.Type{
events.EvtReload, events.EvtReset, events.EvtTxResult,

but it is best practice to using html/template not text/template for any HTML related code. Cross site scripting (XSS) attacks occur when injected code is not correctly escaped and I gave a proof of concept for the dangers of using text/template instead of html/template at https://cyber.orijtech.com/advisory/go-xss-concat-text-template

Exhibit

If an attacker ever got a hold of .RemoteAddr before it was generated or if the scripts evolved to later allow user input here is an exhibit of how text/template can go awry https://go.dev/play/p/dTAacWXE9uC

package main

import (
	htmltmpl "html/template"
	"os"
	texttmpl "text/template"
)

var naiveTmpl = texttmpl.Must(texttmpl.New("reloadscript").Parse("const ws = new WebSocket('ws://{{- .Remote -}}');"))
var goodTmpl = htmltmpl.Must(htmltmpl.New("reloadscript").Parse("const ws = new WebSocket('ws://{{- .Remote -}}');"))

func main() {
	m := map[string]string{
		"Remote": `localhost:9999');alert('pwned`,
	}

	_ = naiveTmpl.Execute(os.Stdout, m)
	println("")
	_ = goodTmpl.Execute(os.Stdout, m)
}

which when ran produces

const ws = new WebSocket('ws://localhost:9999');alert('pwned');
const ws = new WebSocket('ws://localhost:9999');alert('pwned');

of which the first one uses text/template and will get your pwned as I can now inject arbitrary code and as a proof of concept will pop up an alert telling you pwned but the imagination can go wild with what you could do

but the html/template code rightfully caught the problem and produced

const ws = new WebSocket('ws://localhost:9999');alert('pwned');

which will fail to connect entirely.
@odeke-em odeke-em added the 🐞 bug Something isn't working label Jan 19, 2025
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
security(contribs/gnodev/pkg/emitter): use html/template not text/tem…
c014723 
…plate for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
@odeke-em odeke-em mentioned this issue Jan 19, 2025
Merged
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
93d4261 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
f510ab5 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
b79efa2 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
77f6d15 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 19, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
6d86add 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
odeke-em added a commit to odeke-em/gno that referenced this issue Jan 20, 2025
@odeke-em
fix(contribs/gnodev/pkg/emitter): use html/template not text/template…
99f8025 
… for HTML generation

This change uses html/template instead of text/template for HTML
generation and also locks in tests to detect such subtle regressions
and thus help prevent future cross-side scripting (XSS) attacks
if later the scripts evolve and take in user input.

Fixes gnolang#3544
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🐞 bug Something isn't working
Projects
🧙‍♂️gno.land core team
Archived in project
Milestone
No milestone
1 participant
@odeke-em