diff options
author | Shubham Kulkarni <skulkarni@mvista.com> | 2023-05-02 21:43:24 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-10 04:19:56 -1000 |
commit | 7535036adba287743beae2009bb5ebca6895141b (patch) | |
tree | 71fd03d49ea1602a7fb25cd54146751fa6bee034 /meta | |
parent | f6b797d05d24368922555a6d5394032a2fd0cfda (diff) | |
download | poky-7535036adba287743beae2009bb5ebca6895141b.tar.gz |
go: Security fix for CVE-2023-24538
html/template: disallow actions in JS template literals
Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
(From OE-Core rev: 835462d697a5f294900843b8bcd628709c256605)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/go/go-1.17.13.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch | 208 |
2 files changed, 209 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index c5260569e2..d7cb47ebf4 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc | |||
@@ -29,6 +29,7 @@ SRC_URI += "\ | |||
29 | file://CVE-2022-41722.patch \ | 29 | file://CVE-2022-41722.patch \ |
30 | file://CVE-2023-24537.patch \ | 30 | file://CVE-2023-24537.patch \ |
31 | file://CVE-2023-24534.patch \ | 31 | file://CVE-2023-24534.patch \ |
32 | file://CVE-2023-24538.patch \ | ||
32 | " | 33 | " |
33 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" | 34 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" |
34 | 35 | ||
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch new file mode 100644 index 0000000000..502486befc --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538.patch | |||
@@ -0,0 +1,208 @@ | |||
1 | From 07cc3b8711a8efbb5885f56dd90d854049ad2f7d Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <bracewell@google.com> | ||
3 | Date: Mon, 20 Mar 2023 11:01:13 -0700 | ||
4 | Subject: [PATCH] html/template: disallow actions in JS template literals | ||
5 | |||
6 | ECMAScript 6 introduced template literals[0][1] which are delimited with | ||
7 | backticks. These need to be escaped in a similar fashion to the | ||
8 | delimiters for other string literals. Additionally template literals can | ||
9 | contain special syntax for string interpolation. | ||
10 | |||
11 | There is no clear way to allow safe insertion of actions within JS | ||
12 | template literals, as handling (JS) string interpolation inside of these | ||
13 | literals is rather complex. As such we've chosen to simply disallow | ||
14 | template actions within these template literals. | ||
15 | |||
16 | A new error code is added for this parsing failure case, errJsTmplLit, | ||
17 | but it is unexported as it is not backwards compatible with other minor | ||
18 | release versions to introduce an API change in a minor release. We will | ||
19 | export this code in the next major release. | ||
20 | |||
21 | The previous behavior (with the cavet that backticks are now escaped | ||
22 | properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. | ||
23 | |||
24 | This change subsumes CL471455. | ||
25 | |||
26 | Thanks to Sohom Datta, Manipal Institute of Technology, for reporting | ||
27 | this issue. | ||
28 | |||
29 | Fixes CVE-2023-24538 | ||
30 | For #59234 | ||
31 | Fixes #59271 | ||
32 | |||
33 | [0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals | ||
34 | [1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals | ||
35 | |||
36 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 | ||
37 | Reviewed-by: Damien Neil <dneil@google.com> | ||
38 | Run-TryBot: Damien Neil <dneil@google.com> | ||
39 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
40 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
41 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 | ||
42 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
43 | Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c | ||
44 | Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 | ||
45 | Auto-Submit: Michael Knyszek <mknyszek@google.com> | ||
46 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
47 | Run-TryBot: Michael Knyszek <mknyszek@google.com> | ||
48 | Reviewed-by: Matthew Dempsky <mdempsky@google.com> | ||
49 | |||
50 | Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b | ||
51 | CVE: CVE-2023-24538 | ||
52 | Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> | ||
53 | --- | ||
54 | src/html/template/context.go | 2 ++ | ||
55 | src/html/template/error.go | 13 +++++++++++++ | ||
56 | src/html/template/escape.go | 11 +++++++++++ | ||
57 | src/html/template/js.go | 2 ++ | ||
58 | src/html/template/jsctx_string.go | 9 +++++++++ | ||
59 | src/html/template/transition.go | 7 ++++++- | ||
60 | 6 files changed, 43 insertions(+), 1 deletion(-) | ||
61 | |||
62 | diff --git a/src/html/template/context.go b/src/html/template/context.go | ||
63 | index f7d4849..0b65313 100644 | ||
64 | --- a/src/html/template/context.go | ||
65 | +++ b/src/html/template/context.go | ||
66 | @@ -116,6 +116,8 @@ const ( | ||
67 | stateJSDqStr | ||
68 | // stateJSSqStr occurs inside a JavaScript single quoted string. | ||
69 | stateJSSqStr | ||
70 | + // stateJSBqStr occurs inside a JavaScript back quoted string. | ||
71 | + stateJSBqStr | ||
72 | // stateJSRegexp occurs inside a JavaScript regexp literal. | ||
73 | stateJSRegexp | ||
74 | // stateJSBlockCmt occurs inside a JavaScript /* block comment */. | ||
75 | diff --git a/src/html/template/error.go b/src/html/template/error.go | ||
76 | index 0e52706..fd26b64 100644 | ||
77 | --- a/src/html/template/error.go | ||
78 | +++ b/src/html/template/error.go | ||
79 | @@ -211,6 +211,19 @@ const ( | ||
80 | // pipeline occurs in an unquoted attribute value context, "html" is | ||
81 | // disallowed. Avoid using "html" and "urlquery" entirely in new templates. | ||
82 | ErrPredefinedEscaper | ||
83 | + | ||
84 | + // errJSTmplLit: "... appears in a JS template literal" | ||
85 | + // Example: | ||
86 | + // <script>var tmpl = `{{.Interp}`</script> | ||
87 | + // Discussion: | ||
88 | + // Package html/template does not support actions inside of JS template | ||
89 | + // literals. | ||
90 | + // | ||
91 | + // TODO(rolandshoemaker): we cannot add this as an exported error in a minor | ||
92 | + // release, since it is backwards incompatible with the other minor | ||
93 | + // releases. As such we need to leave it unexported, and then we'll add it | ||
94 | + // in the next major release. | ||
95 | + errJSTmplLit | ||
96 | ) | ||
97 | |||
98 | func (e *Error) Error() string { | ||
99 | diff --git a/src/html/template/escape.go b/src/html/template/escape.go | ||
100 | index 8739735..ca078f4 100644 | ||
101 | --- a/src/html/template/escape.go | ||
102 | +++ b/src/html/template/escape.go | ||
103 | @@ -8,6 +8,7 @@ import ( | ||
104 | "bytes" | ||
105 | "fmt" | ||
106 | "html" | ||
107 | + "internal/godebug" | ||
108 | "io" | ||
109 | "text/template" | ||
110 | "text/template/parse" | ||
111 | @@ -205,6 +206,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { | ||
112 | c.jsCtx = jsCtxDivOp | ||
113 | case stateJSDqStr, stateJSSqStr: | ||
114 | s = append(s, "_html_template_jsstrescaper") | ||
115 | + case stateJSBqStr: | ||
116 | + debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp") | ||
117 | + if debugAllowActionJSTmpl == "1" { | ||
118 | + s = append(s, "_html_template_jsstrescaper") | ||
119 | + } else { | ||
120 | + return context{ | ||
121 | + state: stateError, | ||
122 | + err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n), | ||
123 | + } | ||
124 | + } | ||
125 | case stateJSRegexp: | ||
126 | s = append(s, "_html_template_jsregexpescaper") | ||
127 | case stateCSS: | ||
128 | diff --git a/src/html/template/js.go b/src/html/template/js.go | ||
129 | index ea9c183..b888eaf 100644 | ||
130 | --- a/src/html/template/js.go | ||
131 | +++ b/src/html/template/js.go | ||
132 | @@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{ | ||
133 | // Encode HTML specials as hex so the output can be embedded | ||
134 | // in HTML attributes without further encoding. | ||
135 | '"': `\u0022`, | ||
136 | + '`': `\u0060`, | ||
137 | '&': `\u0026`, | ||
138 | '\'': `\u0027`, | ||
139 | '+': `\u002b`, | ||
140 | @@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{ | ||
141 | '"': `\u0022`, | ||
142 | '&': `\u0026`, | ||
143 | '\'': `\u0027`, | ||
144 | + '`': `\u0060`, | ||
145 | '+': `\u002b`, | ||
146 | '/': `\/`, | ||
147 | '<': `\u003c`, | ||
148 | diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go | ||
149 | index dd1d87e..2394893 100644 | ||
150 | --- a/src/html/template/jsctx_string.go | ||
151 | +++ b/src/html/template/jsctx_string.go | ||
152 | @@ -4,6 +4,15 @@ package template | ||
153 | |||
154 | import "strconv" | ||
155 | |||
156 | +func _() { | ||
157 | + // An "invalid array index" compiler error signifies that the constant values have changed. | ||
158 | + // Re-run the stringer command to generate them again. | ||
159 | + var x [1]struct{} | ||
160 | + _ = x[jsCtxRegexp-0] | ||
161 | + _ = x[jsCtxDivOp-1] | ||
162 | + _ = x[jsCtxUnknown-2] | ||
163 | +} | ||
164 | + | ||
165 | const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" | ||
166 | |||
167 | var _jsCtx_index = [...]uint8{0, 11, 21, 33} | ||
168 | diff --git a/src/html/template/transition.go b/src/html/template/transition.go | ||
169 | index 06df679..92eb351 100644 | ||
170 | --- a/src/html/template/transition.go | ||
171 | +++ b/src/html/template/transition.go | ||
172 | @@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){ | ||
173 | stateJS: tJS, | ||
174 | stateJSDqStr: tJSDelimited, | ||
175 | stateJSSqStr: tJSDelimited, | ||
176 | + stateJSBqStr: tJSDelimited, | ||
177 | stateJSRegexp: tJSDelimited, | ||
178 | stateJSBlockCmt: tBlockCmt, | ||
179 | stateJSLineCmt: tLineCmt, | ||
180 | @@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) { | ||
181 | |||
182 | // tJS is the context transition function for the JS state. | ||
183 | func tJS(c context, s []byte) (context, int) { | ||
184 | - i := bytes.IndexAny(s, `"'/`) | ||
185 | + i := bytes.IndexAny(s, "\"`'/") | ||
186 | if i == -1 { | ||
187 | // Entire input is non string, comment, regexp tokens. | ||
188 | c.jsCtx = nextJSCtx(s, c.jsCtx) | ||
189 | @@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) { | ||
190 | c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp | ||
191 | case '\'': | ||
192 | c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp | ||
193 | + case '`': | ||
194 | + c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp | ||
195 | case '/': | ||
196 | switch { | ||
197 | case i+1 < len(s) && s[i+1] == '/': | ||
198 | @@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) { | ||
199 | switch c.state { | ||
200 | case stateJSSqStr: | ||
201 | specials = `\'` | ||
202 | + case stateJSBqStr: | ||
203 | + specials = "`\\" | ||
204 | case stateJSRegexp: | ||
205 | specials = `\/[]` | ||
206 | } | ||
207 | -- | ||
208 | 2.7.4 | ||