microcosm-cc / bluemonday

bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
https://github.com/microcosm-cc/bluemonday
BSD 3-Clause "New" or "Revised" License

Go ParseThru vulnerability #156

Closed f-hluchnik closed 1 year ago

f-hluchnik commented 1 year ago

There is a vulnerability in Go url parsing. More on that here: https://www.oxeye.io/blog/golang-parameter-smuggling-attack

In a nutshell, the method Query() ignores the error produced by another function when finding a semicolon when parsing the query. The solution is to replace usage of query = r.URL.Query() with query, err = url.ParseQuery(r.URL.RawQuery) to avoid ignoring the error produced by finding a semicolon when parsing the query.
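As an added illustration of the behaviour described above (this is example code, not part of the issue or of bluemonday): in Go 1.17 and later, url.ParseQuery reports an error when a key/value pair contains a semicolon and drops that pair, while URL.Query() calls the same parser and discards the error, so the pair vanishes silently. The sample query string is constructed here; the function names are the example's own.

```go
package main

import (
	"fmt"
	"net/url"
)

// parseQueryStrict is the mitigation from the comment above: parse RawQuery
// with url.ParseQuery so the semicolon error is returned to the caller
// instead of being dropped. The caller can then reject the request.
func parseQueryStrict(rawQuery string) (url.Values, error) {
	return url.ParseQuery(rawQuery)
}

// queryLenient reproduces what r.URL.Query() does: it runs the same parser
// and ignores the error, so the pair containing the semicolon is missing
// from the result with no indication that anything was discarded.
func queryLenient(rawQuery string) url.Values {
	u := &url.URL{RawQuery: rawQuery}
	return u.Query()
}

// semicolonPairDropped reports whether the lenient parse lost a pair that
// the strict parse flagged: the condition a defender wants to detect.
func semicolonPairDropped(rawQuery string) bool {
	_, err := parseQueryStrict(rawQuery)
	return err != nil
}

func main() {
	// Constructed sample: the second pair uses a semicolon inside it.
	raw := "page=1&q=a;b=c"

	fmt.Println("lenient:", queryLenient(raw)) // only page=1 survives, no error
	v, err := parseQueryStrict(raw)
	fmt.Println("strict:", v, "err:", err) // same values, but err is non-nil
	fmt.Println("pair dropped:", semicolonPairDropped(raw))
}
```

In a handler, the practical change is to call parseQueryStrict on r.URL.RawQuery and return a 400 when err is non-nil, rather than letting a proxy and the application disagree about which parameters the request carried.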

buro9 commented 1 year ago

Thank you... have you checked whether this project has that vulnerability? Or whether it calls URL.Query()?

I could not find an instance when I searched at the time the blog post was originally published, and have just searched again in case there was a regression (most bugs creep in via regressions). But perhaps you found something I did not?

f-hluchnik commented 1 year ago

I'm so sorry. There is no instance of URL.Query() in your code I'm aware of. I found out that I'm just using an old version of your project. I should update to the latest version.

Thank you for your time.