go: Security fix for CVE-2023-24538

html/template: disallow actions in JS template literals Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b (From OE-Core rev: c8a597b76505dab7649f4c9b18e1e14b0e3d57af) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Shubham Kulkarni <skulkarni@mvista.com> 2023-05-02 21:40:12 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-16 06:18:21 -1000
commit: 79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c (patch)
tree: a3c11a641268b23c2324cdfab7701fc1ec8af1e1 /meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
parent: a631bfc3a38f7d00b2c666661a89a758a0af9831 (diff)
download: poky-79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c.tar.gz
1 files changed, 196 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
new file mode 100644
index 0000000000..5036f2890b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,196 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+ for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+Fixes #33671
+Fixes #37634
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Dependency Patch #2
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/js.go    | 70 +++++++++++++++++++++++++++-------------------
+ src/text/template/funcs.go |  8 +++---
+ 2 files changed, 46 insertions(+), 32 deletions(-)
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
+++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+        }
+        // TODO: detect cycles before calling Marshal which loops infinitely on
+        // cyclic data. This may be an unacceptable DoS risk.
+-
+        b, err := json.Marshal(a)
+        if err != nil {
+                // Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+        // TODO: maybe post-process output to prevent it from containing
+        // "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+        // in case custom marshalers produce output containing those.
+-
+-       // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
+       // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
+       // supports ld+json content-type.
+        if len(b) == 0 {
+                // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+                // not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+                r, w = utf8.DecodeRuneInString(s[i:])
+                var repl string
+                switch {
+               case int(r) < len(lowUnicodeReplacementTable):
+                       repl = lowUnicodeReplacementTable[r]
+                case int(r) < len(replacementTable) && replacementTable[r] != "":
+                        repl = replacementTable[r]
+                case r == '\u2028':
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+        return b.String()
+ }
+var lowUnicodeReplacementTable = []string{
+       0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
+       '\a': `\u0007`,
+       '\b': `\u0008`,
+       '\t': `\t`,
+       '\n': `\n`,
+       '\v': `\u000b`, // "\v" == "v" on IE 6.
+       '\f': `\f`,
+       '\r': `\r`,
+       0xe:  `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
+       0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
+       0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
+}
+
+ var jsStrReplacementTable = []string{
+-       0:    `\0`,
+       0:    `\u0000`,
+        '\t': `\t`,
+        '\n': `\n`,
+-       '\v': `\x0b`, // "\v" == "v" on IE 6.
+       '\v': `\u000b`, // "\v" == "v" on IE 6.
+        '\f': `\f`,
+        '\r': `\r`,
+        // Encode HTML specials as hex so the output can be embedded
+        // in HTML attributes without further encoding.
+-       '"':  `\x22`,
+-       '&':  `\x26`,
+-       '\'': `\x27`,
+-       '+':  `\x2b`,
+       '"':  `\u0022`,
+       '&':  `\u0026`,
+       '\'': `\u0027`,
+       '+':  `\u002b`,
+        '/':  `\/`,
+-       '<':  `\x3c`,
+-       '>':  `\x3e`,
+       '<':  `\u003c`,
+       '>':  `\u003e`,
+        '\\': `\\`,
+ }
+ // jsStrNormReplacementTable is like jsStrReplacementTable but does not
+ // overencode existing escapes since this table has no entry for `\`.
+ var jsStrNormReplacementTable = []string{
+-       0:    `\0`,
+       0:    `\u0000`,
+        '\t': `\t`,
+        '\n': `\n`,
+-       '\v': `\x0b`, // "\v" == "v" on IE 6.
+       '\v': `\u000b`, // "\v" == "v" on IE 6.
+        '\f': `\f`,
+        '\r': `\r`,
+        // Encode HTML specials as hex so the output can be embedded
+        // in HTML attributes without further encoding.
+-       '"':  `\x22`,
+-       '&':  `\x26`,
+-       '\'': `\x27`,
+-       '+':  `\x2b`,
+       '"':  `\u0022`,
+       '&':  `\u0026`,
+       '\'': `\u0027`,
+       '+':  `\u002b`,
+        '/':  `\/`,
+-       '<':  `\x3c`,
+-       '>':  `\x3e`,
+       '<':  `\u003c`,
+       '>':  `\u003e`,
+ }
+-
+ var jsRegexpReplacementTable = []string{
+-       0:    `\0`,
+       0:    `\u0000`,
+        '\t': `\t`,
+        '\n': `\n`,
+-       '\v': `\x0b`, // "\v" == "v" on IE 6.
+       '\v': `\u000b`, // "\v" == "v" on IE 6.
+        '\f': `\f`,
+        '\r': `\r`,
+        // Encode HTML specials as hex so the output can be embedded
+        // in HTML attributes without further encoding.
+-       '"':  `\x22`,
+       '"':  `\u0022`,
+        '$':  `\$`,
+-       '&':  `\x26`,
+-       '\'': `\x27`,
+       '&':  `\u0026`,
+       '\'': `\u0027`,
+        '(':  `\(`,
+        ')':  `\)`,
+        '*':  `\*`,
+-       '+':  `\x2b`,
+       '+':  `\u002b`,
+        '-':  `\-`,
+        '.':  `\.`,
+        '/':  `\/`,
+-       '<':  `\x3c`,
+-       '>':  `\x3e`,
+       '<':  `\u003c`,
+       '>':  `\u003e`,
+        '?':  `\?`,
+        '[':  `\[`,
+        '\\': `\\`,
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
+++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+        jsBackslash = []byte(`\\`)
+        jsApos      = []byte(`\'`)
+        jsQuot      = []byte(`\"`)
+-       jsLt        = []byte(`\x3C`)
+-       jsGt        = []byte(`\x3E`)
+-       jsAmp       = []byte(`\x26`)
+-       jsEq        = []byte(`\x3D`)
+       jsLt        = []byte(`\u003C`)
+       jsGt        = []byte(`\u003E`)
+       jsAmp       = []byte(`\u0026`)
+       jsEq        = []byte(`\u003D`)
+ )
+ // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
+--
+2.7.4
author	Shubham Kulkarni <skulkarni@mvista.com>	2023-05-02 21:40:12 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-16 06:18:21 -1000
commit	79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c (patch)
tree	a3c11a641268b23c2324cdfab7701fc1ec8af1e1 /meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
parent	a631bfc3a38f7d00b2c666661a89a758a0af9831 (diff)
download	poky-79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch new file mode 100644 index 0000000000..5036f2890b --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,196 @@
	1	From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
	2	From: empijei <robclap8@gmail.com>
	3	Date: Fri, 27 Mar 2020 19:27:55 +0100
	4	Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
	5	for JSON compatibility
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	The existing implementation is not compatible with JSON
	11	escape as it uses hex escaping.
	12	Unicode escape, instead, is valid for both JSON and JS.
	13	This fix avoids creating a separate escaping context for
	14	scripts of type "application/ld+json" and it is more
	15	future-proof in case more JSON+JS contexts get added
	16	to the platform (e.g. import maps).
	17
	18	Fixes #33671
	19	Fixes #37634
	20
	21	Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
	22	Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
	23	Reviewed-by: Carl Johnson <me@carlmjohnson.net>
	24	Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
	25	Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
	26	TryBot-Result: Gobot Gobot <gobot@golang.org>
	27
	28	Dependency Patch #2
	29
	30	Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
	31	CVE: CVE-2023-24538
	32	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
	33	---
	34	src/html/template/js.go \| 70 +++++++++++++++++++++++++++-------------------
	35	src/text/template/funcs.go \| 8 +++---
	36	2 files changed, 46 insertions(+), 32 deletions(-)
	37
	38	diff --git a/src/html/template/js.go b/src/html/template/js.go
	39	index 0e91458..ea9c183 100644
	40	--- a/src/html/template/js.go
	41	+++ b/src/html/template/js.go
	42	@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
	43	}
	44	// TODO: detect cycles before calling Marshal which loops infinitely on
	45	// cyclic data. This may be an unacceptable DoS risk.
	46	-
	47	b, err := json.Marshal(a)
	48	if err != nil {
	49	// Put a space before comment so that if it is flush against
	50	@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
	51	// TODO: maybe post-process output to prevent it from containing
	52	// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
	53	// in case custom marshalers produce output containing those.
	54	-
	55	- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
	56	+ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
	57	+ // supports ld+json content-type.
	58	if len(b) == 0 {
	59	// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
	60	// not cause the output `x=y/*z`.
	61	@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
	62	r, w = utf8.DecodeRuneInString(s[i:])
	63	var repl string
	64	switch {
	65	+ case int(r) < len(lowUnicodeReplacementTable):
	66	+ repl = lowUnicodeReplacementTable[r]
	67	case int(r) < len(replacementTable) && replacementTable[r] != "":
	68	repl = replacementTable[r]
	69	case r == '\u2028':
	70	@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
	71	return b.String()
	72	}
	73
	74	+var lowUnicodeReplacementTable = []string{
	75	+ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
	76	+ '\a': `\u0007`,
	77	+ '\b': `\u0008`,
	78	+ '\t': `\t`,
	79	+ '\n': `\n`,
	80	+ '\v': `\u000b`, // "\v" == "v" on IE 6.
	81	+ '\f': `\f`,
	82	+ '\r': `\r`,
	83	+ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
	84	+ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
	85	+ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
	86	+}
	87	+
	88	var jsStrReplacementTable = []string{
	89	- 0: `\0`,
	90	+ 0: `\u0000`,
	91	'\t': `\t`,
	92	'\n': `\n`,
	93	- '\v': `\x0b`, // "\v" == "v" on IE 6.
	94	+ '\v': `\u000b`, // "\v" == "v" on IE 6.
	95	'\f': `\f`,
	96	'\r': `\r`,
	97	// Encode HTML specials as hex so the output can be embedded
	98	// in HTML attributes without further encoding.
	99	- '"': `\x22`,
	100	- '&': `\x26`,
	101	- '\'': `\x27`,
	102	- '+': `\x2b`,
	103	+ '"': `\u0022`,
	104	+ '&': `\u0026`,
	105	+ '\'': `\u0027`,
	106	+ '+': `\u002b`,
	107	'/': `\/`,
	108	- '<': `\x3c`,
	109	- '>': `\x3e`,
	110	+ '<': `\u003c`,
	111	+ '>': `\u003e`,
	112	'\\': `\\`,
	113	}
	114
	115	// jsStrNormReplacementTable is like jsStrReplacementTable but does not
	116	// overencode existing escapes since this table has no entry for `\`.
	117	var jsStrNormReplacementTable = []string{
	118	- 0: `\0`,
	119	+ 0: `\u0000`,
	120	'\t': `\t`,
	121	'\n': `\n`,
	122	- '\v': `\x0b`, // "\v" == "v" on IE 6.
	123	+ '\v': `\u000b`, // "\v" == "v" on IE 6.
	124	'\f': `\f`,
	125	'\r': `\r`,
	126	// Encode HTML specials as hex so the output can be embedded
	127	// in HTML attributes without further encoding.
	128	- '"': `\x22`,
	129	- '&': `\x26`,
	130	- '\'': `\x27`,
	131	- '+': `\x2b`,
	132	+ '"': `\u0022`,
	133	+ '&': `\u0026`,
	134	+ '\'': `\u0027`,
	135	+ '+': `\u002b`,
	136	'/': `\/`,
	137	- '<': `\x3c`,
	138	- '>': `\x3e`,
	139	+ '<': `\u003c`,
	140	+ '>': `\u003e`,
	141	}
	142	-
	143	var jsRegexpReplacementTable = []string{
	144	- 0: `\0`,
	145	+ 0: `\u0000`,
	146	'\t': `\t`,
	147	'\n': `\n`,
	148	- '\v': `\x0b`, // "\v" == "v" on IE 6.
	149	+ '\v': `\u000b`, // "\v" == "v" on IE 6.
	150	'\f': `\f`,
	151	'\r': `\r`,
	152	// Encode HTML specials as hex so the output can be embedded
	153	// in HTML attributes without further encoding.
	154	- '"': `\x22`,
	155	+ '"': `\u0022`,
	156	'$': `\$`,
	157	- '&': `\x26`,
	158	- '\'': `\x27`,
	159	+ '&': `\u0026`,
	160	+ '\'': `\u0027`,
	161	'(': `\(`,
	162	')': `\)`,
	163	'': `\`,
	164	- '+': `\x2b`,
	165	+ '+': `\u002b`,
	166	'-': `\-`,
	167	'.': `\.`,
	168	'/': `\/`,
	169	- '<': `\x3c`,
	170	- '>': `\x3e`,
	171	+ '<': `\u003c`,
	172	+ '>': `\u003e`,
	173	'?': `\?`,
	174	'[': `\[`,
	175	'\\': `\\`,
	176	diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
	177	index 46125bc..f3de9fb 100644
	178	--- a/src/text/template/funcs.go
	179	+++ b/src/text/template/funcs.go
	180	@@ -640,10 +640,10 @@ var (
	181	jsBackslash = []byte(`\\`)
	182	jsApos = []byte(`\'`)
	183	jsQuot = []byte(`\"`)
	184	- jsLt = []byte(`\x3C`)
	185	- jsGt = []byte(`\x3E`)
	186	- jsAmp = []byte(`\x26`)
	187	- jsEq = []byte(`\x3D`)
	188	+ jsLt = []byte(`\u003C`)
	189	+ jsGt = []byte(`\u003E`)
	190	+ jsAmp = []byte(`\u0026`)
	191	+ jsEq = []byte(`\u003D`)
	192	)
	193
	194	// JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
	195	--
	196	2.7.4