GSC-G203 @ 5da1e62 • gogs / gogs

Run summary

a year ago

5da1e62..5da1e62

2 mins 51 s

Audit the usage of unescaped data in HTML templates GSC-G203

Security

Major

9 occurrences in this check

a03 cwe-79 sans top 25 owasp top 10

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/tool/tool.go

302
303// TimeSince calculates the time interval and generate user-friendly string.
304func TimeSince(t time.Time, lang string) template.HTML {
305	return template.HTML(fmt.Sprintf(`<span class="time-since" title="%s">%s</span>`, t.Format(conf.Time.FormatLayout), timeSince(t, lang)))306}
307
308// Subtract deals with subtraction of all types of number.

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/template/template.go

142}
143
144func Str2HTML(raw string) template.HTML {
145	return template.HTML(markup.Sanitize(raw))146}
147
148// NewLine2br simply replaces "\n" to "<br>".

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/template/template.go

138}
139
140func Safe(raw string) template.HTML {
141	return template.HTML(raw)142}
143
144func Str2HTML(raw string) template.HTML {

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/route/user/setting.go

429		c.Errorf(err, "encode image")
430		return
431	}
432	c.Data["QRCode"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(buf.Bytes()))433
434	_ = c.Session.Set("twoFactorSecret", c.Data["TwoFactorSecret"])
435	_ = c.Session.Set("twoFactorURL", key.String())

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/route/repo/view.go

188			for i := 0; i < len(lines); i++ {
189				output.WriteString(fmt.Sprintf(`<span id="L%d">%d</span>`, i+1, i+1))
190			}
191			c.Data["LineNums"] = gotemplate.HTML(output.String())192		}
193
194		if canEnableEditor {

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/route/repo/view.go

182			for index, line := range lines {
183				output.WriteString(fmt.Sprintf(`<li class="L%d" rel="L%d">%s</li>`, index+1, index+1, gotemplate.HTMLEscapeString(strings.TrimRight(line, "\r"))) + "\n")
184			}
185			c.Data["FileContent"] = gotemplate.HTML(output.String())186
187			output.Reset()
188			for i := 0; i < len(lines); i++ {

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/gitutil/diff.go

 33
 34// ComputedInlineDiffFor computes inline diff for the given line.
 35func (s *DiffSection) ComputedInlineDiffFor(line *git.DiffLine) template.HTML {
 36	fallback := template.HTML(html.EscapeString(line.Content)) 37	if conf.Git.DisableDiffHighlight {
 38		return fallback
 39	}

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/gitutil/diff.go

106		}
107	}
108
109	return template.HTML(buf.Bytes())110}
111
112// DiffFile is a wrapper to git.DiffFile with helper methods.

The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.

internal/email/email.go

 55					return time.Now().Year()
 56				},
 57				"Str2HTML": func(raw string) template.HTML {
 58					return template.HTML(markup.Sanitize(raw)) 59				},
 60			}},
 61		}

Description

Potential unescaped data in HTML template.

Do not use external values in the template without escaping as it will not auto-escape HTML and could lead to code injection attacks.

Recommendations:

template.JS: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.
template.HTML: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.HTMLAttr: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.
template.URL: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.

Bad practice

package main

import (
    "fmt"
    "html/template"
    "os"
)

func main() {
    // Tainted untrusted JSON
    a := `{"name": "untrusted"}`
    t := template.Must(template.New("x").Parse(""))
    v := map[string]interface{}{
        "Body": template.JS(a),
    }

    if err := t.Execute(os.Stdout, v); err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
}

package main

import (
    "fmt"
    "html/template"
    "os"
)

func main() {
    // We assume that hardcoded template strings are safe as the programmer would
    // need to be explicitly shooting themselves in the foot (as below)
    t := template.Must(template.New("x").Parse(""))
    v := map[string]interface{}{
        "Body": template.JS(`{"name": "trusted"}`),
    }

    if err := t.Execute(os.Stdout, v); err != nil {
        fmt.Fprintln(os.Stderr, err)
        os.Exit(1)
    }
}

gogs / gogs

Bad practice

Recommended

References