From 30aebeae56973193826b741bc178274cefa1d774 Mon Sep 17 00:00:00 2001 From: Dirkjan Bussink Date: Mon, 2 Dec 2024 16:47:59 +0100 Subject: [PATCH] Merge commit from fork These templates were rendered using text/template which is fundamentally broken as it would allow for trivial HTML injection. Instead render using safehtml/template so that we have automatic escaping. Signed-off-by: Dirkjan Bussink --- go/vt/vtgate/debugenv.go | 3 ++- go/vt/vtgate/querylogz.go | 4 ++-- go/vt/vtgate/querylogz_test.go | 8 ++++---- go/vt/vttablet/tabletserver/debugenv.go | 3 ++- go/vt/vttablet/tabletserver/querylogz.go | 3 ++- go/vt/vttablet/tabletserver/querylogz_test.go | 8 ++++---- 6 files changed, 16 insertions(+), 13 deletions(-) diff --git a/go/vt/vtgate/debugenv.go b/go/vt/vtgate/debugenv.go index 4fa989c69a3..7213353432d 100644 --- a/go/vt/vtgate/debugenv.go +++ b/go/vt/vtgate/debugenv.go @@ -22,9 +22,10 @@ import ( "html" "net/http" "strconv" - "text/template" "time" + "github.com/google/safehtml/template" + "vitess.io/vitess/go/acl" "vitess.io/vitess/go/vt/discovery" "vitess.io/vitess/go/vt/log" diff --git a/go/vt/vtgate/querylogz.go b/go/vt/vtgate/querylogz.go index acfb970df5a..7a21b4cd36e 100644 --- a/go/vt/vtgate/querylogz.go +++ b/go/vt/vtgate/querylogz.go @@ -20,15 +20,15 @@ import ( "net/http" "strconv" "strings" - "text/template" "time" - "vitess.io/vitess/go/vt/vtgate/logstats" + "github.com/google/safehtml/template" "vitess.io/vitess/go/acl" "vitess.io/vitess/go/vt/log" "vitess.io/vitess/go/vt/logz" "vitess.io/vitess/go/vt/sqlparser" + "vitess.io/vitess/go/vt/vtgate/logstats" ) var ( diff --git a/go/vt/vtgate/querylogz_test.go b/go/vt/vtgate/querylogz_test.go index ce0f4d4311b..adf74726842 100644 --- a/go/vt/vtgate/querylogz_test.go +++ b/go/vt/vtgate/querylogz_test.go @@ -34,7 +34,7 @@ import ( func TestQuerylogzHandlerFormatting(t *testing.T) { req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil) - logStats := logstats.NewLogStats(context.Background(), "Execute", "select name from test_table limit 1000", "suuid", nil) + logStats := logstats.NewLogStats(context.Background(), "Execute", "select name, 'inject ' from test_table limit 1000", "suuid", nil) logStats.StmtType = "select" logStats.RowsAffected = 1000 logStats.ShardQueries = 1 @@ -63,7 +63,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) { `0.002`, `0.003`, `select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `1000`, ``, @@ -93,7 +93,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) { `0.002`, `0.003`, `select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `1000`, ``, @@ -123,7 +123,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) { `0.002`, `0.003`, `select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `1000`, ``, diff --git a/go/vt/vttablet/tabletserver/debugenv.go b/go/vt/vttablet/tabletserver/debugenv.go index e229c46cadd..323bbf17974 100644 --- a/go/vt/vttablet/tabletserver/debugenv.go +++ b/go/vt/vttablet/tabletserver/debugenv.go @@ -22,9 +22,10 @@ import ( "html" "net/http" "strconv" - "text/template" "time" + "github.com/google/safehtml/template" + "vitess.io/vitess/go/acl" "vitess.io/vitess/go/vt/log" ) diff --git a/go/vt/vttablet/tabletserver/querylogz.go b/go/vt/vttablet/tabletserver/querylogz.go index 41a40a0720c..2e4e92dd368 100644 --- a/go/vt/vttablet/tabletserver/querylogz.go +++ b/go/vt/vttablet/tabletserver/querylogz.go @@ -20,9 +20,10 @@ import ( "net/http" "strconv" "strings" - "text/template" "time" + "github.com/google/safehtml/template" + "vitess.io/vitess/go/acl" "vitess.io/vitess/go/vt/log" "vitess.io/vitess/go/vt/logz" diff --git a/go/vt/vttablet/tabletserver/querylogz_test.go b/go/vt/vttablet/tabletserver/querylogz_test.go index 2e5caa3891b..e28bf04e5e9 100644 --- a/go/vt/vttablet/tabletserver/querylogz_test.go +++ b/go/vt/vttablet/tabletserver/querylogz_test.go @@ -36,7 +36,7 @@ func TestQuerylogzHandler(t *testing.T) { req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil) logStats := tabletenv.NewLogStats(context.Background(), "Execute") logStats.PlanType = planbuilder.PlanSelect.String() - logStats.OriginalSQL = "select name from test_table limit 1000" + logStats.OriginalSQL = "select name, 'inject ' from test_table limit 1000" logStats.RowsAffected = 1000 logStats.NumberOfQueries = 1 logStats.StartTime, _ = time.Parse("Jan 2 15:04:05", "Nov 29 13:33:09") @@ -63,7 +63,7 @@ func TestQuerylogzHandler(t *testing.T) { `0.001`, `1e-08`, `Select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `none`, `1000`, @@ -94,7 +94,7 @@ func TestQuerylogzHandler(t *testing.T) { `0.001`, `1e-08`, `Select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `none`, `1000`, @@ -125,7 +125,7 @@ func TestQuerylogzHandler(t *testing.T) { `0.001`, `1e-08`, `Select`, - `select name from test_table limit 1000`, + regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`), `1`, `none`, `1000`,