Open niallnsec opened 11 months ago
cc @rolandshoemaker
This is still broken in 1.23.0, considering CDATA comments are used as a security safety feature I think this issue should be fixed.
Doing some more digging, the issue seems to be more specifically related to having content after a CDATA end tag.
For example, the following would work:
<script id="__bs_script__">//<![CDATA[
//]]>
</script>
But this would not:
<script id="__bs_script__">//<![CDATA[
//]]></script>
If I add in some template stuff like this:
<script id="__bs_script__">//<![CDATA[
//]]>{{ . }}
</script>
If you run that template with any content, it will be omitted, because the parser is throwing away the whole line since it starts with //.
In the hopes of showing that this is worth fixing, here is an (admittedly contrived) example of how this bug can be used to achieve XSS:
<body><script id="__bs_script__">//<![CDATA[
(function() {
console.log("something")
})()
//]]></script>
alert('you have been pwned')
<script>
console.log("hello")
</script>
</body>
When parsed correctly, the code above should render the string "alert('you have been pwned')" to the browser display. But with the behaviour since Go 1.21 this results in execution of the alert statement.
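As an added example (editor's code, not the reporter's and not part of the Go project), a small Go program that flags the trigger pattern described in the comment above, content following "]]>" on the same line, rewrites it into the form shown to render correctly, and renders both through html/template so the difference can be checked on whichever Go version runs it. The template strings and the "PAYLOAD" value are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Trigger from the comment above: content after "]]>" on the same line.
var cdataTrailing = regexp.MustCompile(`\]\]>[ \t]*([^ \t\r\n])`)
// FlagTrailingCDATA returns the 1-based lines of src where "]]>" is followed by content.
func FlagTrailingCDATA(src string) []int {
	var hits []int
	for i, line := range strings.Split(src, "\n") {
		if cdataTrailing.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// SplitAfterCDATA moves whatever follows "]]>" onto its own line, the form shown
// to render correctly; "//]]>" is a JS line comment, so the added newline is inert.
func SplitAfterCDATA(src string) string {
	return cdataTrailing.ReplaceAllString(src, "]]>\n$1")
}
// Render parses and executes src as an html/template with data.
func Render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed input mirroring the "{{ . }} after //]]>" case above.
	const src = "<script>//<![CDATA[\n//]]>{{ . }}\n</script>"
	fmt.Println("flagged lines:", FlagTrailingCDATA(src))
	for _, s := range []string{src, SplitAfterCDATA(src)} {
		out, err := Render(s, "PAYLOAD")
		fmt.Printf("%q -> %q err=%v data=%v\n", s, out, err, strings.Contains(out, "PAYLOAD"))
	}
}
```

Whether the first render drops the data depends on the Go version in use; the flag and rewrite functions do not.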
Hey, sorry this fell through the cracks. I will look into this further. In the future you can contact security@golang.org to report these types of issues to make sure the Security team triages them.
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes, it does. The script parses correctly using go1.21.0
What operating system and processor architecture are you using (go env)?
What did you do?
I have a Golang service which is parsing templates generated on the fly by an npm/gulp backend for the purposes of development. One of the packages in use on the node side is browsersync, which injects a script into the top of the body of the page. This script is encapsulated in CDATA tags.
A simple reproduction is available here: https://go.dev/play/p/zDDuftHipgG
This issue appears to have been caused by this commit: https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a
And is related to this security issue: https://github.com/golang/go/issues/62197
The commit author does mention that this change will break some legitimate code, but I believe that breaking CDATA tags is a significant enough issue that it should not be ignored.
What did you expect to see?
The template parses and executes correctly.
What did you see instead?
The execution fails with the error: