Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport fix for CVE-2024-53257 to release-18.0-github #132

Open
wants to merge 1 commit into
base: release-18.0-github
Choose a base branch
from
Open

Backport fix for CVE-2024-53257 to release-18.0-github #132

wants to merge 1 commit into from
+16 −13

Conversation

danieljoos
Copy link

@danieljoos danieljoos commented Dec 12, 2024
edited
Loading

These templates were rendered using text/template which is fundamentally broken as it would allow for trivial HTML injection.

Instead render using safehtml/template so that we have automatic escaping.

This is backporting the fix for CVE-2024-53257 to release-18.0-github.

Description

Related Issue(s)

Checklist

  • "Backport to:" labels have been added if this change should be back-ported
  • Tests were added or are not required
  • Documentation was added or is not required

Deployment Notes

@dbussink @danieljoos
Merge commit from fork
30aebea 
These templates were rendered using text/template which is fundamentally
broken as it would allow for trivial HTML injection.

Instead render using safehtml/template so that we have automatic
escaping.

Signed-off-by: Dirkjan Bussink <[email protected]>
@Copilot Copilot bot review requested due to automatic review settings December 12, 2024 09:24
Copilot
Copilot AI reviewed Dec 12, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 6 changed files in this pull request and generated no suggestions.

Files not reviewed (1)
  • go/vt/vtgate/debugenv.go: Evaluated as low risk
Comments skipped due to low confidence (3)

go/vt/vttablet/tabletserver/querylogz_test.go:39

  • Ensure that the test case covers scenarios where the SQL query contains potentially malicious content to verify that the safehtml/template correctly sanitizes the output.
logStats.OriginalSQL = "select name, 'inject <script>alert();</script>' from test_table limit 1000"

go/vt/vtgate/querylogz.go:25

  • Ensure that all templates previously rendered with text/template are now rendered with safehtml/template to prevent HTML injection vulnerabilities.
+	"github.com/google/safehtml/template"

go/vt/vttablet/tabletserver/querylogz.go:25

  • [nitpick] Ensure that the import alias for the safehtml/template package is consistent across the codebase for clarity.
"github.com/google/safehtml/template"

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

@arthurschreiber arthurschreiber arthurschreiber approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@danieljoos @arthurschreiber @dbussink