Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix upstream Go templates bug with reversed key/value assignment #11114

Merged
merged 1 commit into from
Jun 15, 2023

Conversation

bep
Copy link
Member

@bep bep commented Jun 15, 2023

Fix upstream Go templates bug with reversed key/value assignment

The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added.

This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).

This will throw an error saying "... appears in a JS template literal".

If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:

[security]
[security.gotemplates]
allowActionJSTmpl = true

See golang/go#59234

Fixes #11112

@bep bep force-pushed the fix/gobug-11112 branch from 4f3d7ce to 24bfaa9 Compare June 15, 2023 14:46
@@ -17,6 +17,10 @@ import (
template "github.com/gohugoio/hugo/tpl/internal/go_templates/texttemplate"
)

// See https://github.com/golang/go/issues/59234
// Moved here to avoid dependency on Go's internal/debug package.
var debugAllowActionJSTmpl = false
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmooring this has been in Go since 1.20.3, but will be introduced in Hugo with this PR. I fear it will ... break stuff. What do you think?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideal: If the choice is between backwards compatibility and security, then security wins.

Practical: It depends on how many sites will break, and to some extent, which sites.

I will need to work with this PR to understand the effects before I can provide meaningful feedback and examples.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth it to have this default secure, but add an option for it in Hugo's security config. I don't think either of us can know how much this will break until it ... breaks.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with that approach.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, the above seem to be restricted to just script inside back ticks, which should be pretty rare:

var a = `{{.Title }}`;

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only example usage of JS template literals that I can remember seeing is #10707.

@bep bep force-pushed the fix/gobug-11112 branch 3 times, most recently from 0fb411f to eed4b41 Compare June 15, 2023 17:44
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b  added.

This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).

This will throw an error saying "... appears in a JS template literal".

If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:

```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```

See golang/go#59234

Fixes gohugoio#11112
@bep bep force-pushed the fix/gobug-11112 branch from eed4b41 to 5c9b678 Compare June 15, 2023 19:36
@bep bep requested a review from jmooring June 15, 2023 20:30
Copy link
Member

@jmooring jmooring left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Tested cases from #11112, and

<script>console.log(`{{ .Title }}`)</script>

with security.gotemplates.allowActionJSTmpl undefined (default to false), explicitly true, and explicitly false.

@bep bep merged commit ee359df into gohugoio:master Jun 15, 2023
Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

In nested range the map key and value become are inverted.
2 participants