From b56b717bbd68ef0c0d0141541e5d160307eb095e Mon Sep 17 00:00:00 2001
From: Dirkjan Bussink
Date: Mon, 2 Dec 2024 16:47:59 +0100
Subject: [PATCH] Merge commit from fork
These templates were rendered using text/template which is fundamentally broken as it would allow for trivial HTML injection. Instead render using safehtml/template so that we have automatic escaping.
Signed-off-by: Dirkjan Bussink
---
 go/vt/vtgate/debugenv.go | 3 ++-
 go/vt/vtgate/querylogz.go | 4 ++--
 go/vt/vtgate/querylogz_test.go | 8 ++++----
 go/vt/vttablet/tabletserver/debugenv.go | 3 ++-
 go/vt/vttablet/tabletserver/querylogz.go | 3 ++-
 go/vt/vttablet/tabletserver/querylogz_test.go | 8 ++++----
 6 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/go/vt/vtgate/debugenv.go b/go/vt/vtgate/debugenv.go
index 4fa989c69a3..7213353432d 100644
--- a/go/vt/vtgate/debugenv.go
+++ b/go/vt/vtgate/debugenv.go
@@ -22,9 +22,10 @@ import (
 "html"
 "net/http"
 "strconv"
- "text/template"
 "time"
 
+ "github.com/google/safehtml/template"
+
 "vitess.io/vitess/go/acl"
 "vitess.io/vitess/go/vt/discovery"
 "vitess.io/vitess/go/vt/log"
diff --git a/go/vt/vtgate/querylogz.go b/go/vt/vtgate/querylogz.go
index 7c72e950d4a..05d301f28be 100644
--- a/go/vt/vtgate/querylogz.go
+++ b/go/vt/vtgate/querylogz.go
@@ -20,15 +20,15 @@ import (
 "net/http"
 "strconv"
 "strings"
- "text/template"
 "time"
 
- "vitess.io/vitess/go/vt/vtgate/logstats"
+ "github.com/google/safehtml/template"
 
 "vitess.io/vitess/go/acl"
 "vitess.io/vitess/go/vt/log"
 "vitess.io/vitess/go/vt/logz"
 "vitess.io/vitess/go/vt/sqlparser"
+ "vitess.io/vitess/go/vt/vtgate/logstats"
 )
 
 var (
diff --git a/go/vt/vtgate/querylogz_test.go b/go/vt/vtgate/querylogz_test.go
index 3cecb983b3f..9236b2ac840 100644
--- a/go/vt/vtgate/querylogz_test.go
+++ b/go/vt/vtgate/querylogz_test.go
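Review bot: The `"html"` import stays in debugenv.go after the switch to safehtml/template, which suggests the file still escapes some values by hand with `html.EscapeString`; a value that is escaped by hand and then rendered through the now auto-escaping template would come out double-escaped (`&amp;lt;`), so those call sites, which lie outside this hunk, should be checked and the manual escaping dropped wherever the template now covers it. The diffstat shows only this import line changed in the file, so confirm that the existing Parse call(s) build against safehtml's API — the versions I know take a `TrustedTemplate` rather than a plain string — and that the template body has no dynamic value in a context safehtml refuses, since it fails at parse or at Execute rather than escaping. No go.mod/go.sum entry appears in the diffstat, so `github.com/google/safehtml` is presumably already a module dependency; if it is not, this does not build.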
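Review bot: safehtml/template is stricter than html/template: a template that places a dynamic value in a URL, style, script or unquoted-attribute context is rejected rather than escaped, either as a panic from `template.Must` at package init or as an error returned by `Execute`. Neither the querylogz template text nor its Execute call is in this hunk, so confirm that the row template parses under the new package and that an Execute error on one row is logged and surfaced instead of leaving a partially written table in the response. Moving the `logstats` import into the project import group is fine and matches the file's grouping.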
@@ -35,7 +35,7 @@ import (
 
 func TestQuerylogzHandlerFormatting(t *testing.T) {
 req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil)
- logStats := logstats.NewLogStats(context.Background(), "Execute", "select name from test_table limit 1000", "suuid", nil)
+ logStats := logstats.NewLogStats(context.Background(), "Execute", "select name, 'inject ' from test_table limit 1000", "suuid", nil)
 logStats.StmtType = "select"
 logStats.RowsAffected = 1000
 logStats.ShardQueries = 1
@@ -64,7 +64,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
 `0.002`,
 `0.003`,
 `select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `1000`,
 ``,
@@ -94,7 +94,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
 `0.002`,
 `0.003`,
 `select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `1000`,
 ``,
@@ -124,7 +124,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
 `0.002`,
 `0.003`,
 `select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `1000`,
 ``,
diff --git a/go/vt/vttablet/tabletserver/debugenv.go b/go/vt/vttablet/tabletserver/debugenv.go
index 924d5acbebb..e0a6e3a2337 100644
--- a/go/vt/vttablet/tabletserver/debugenv.go
+++ b/go/vt/vttablet/tabletserver/debugenv.go
@@ -23,9 +23,10 @@ import (
 "html"
 "net/http"
 "strconv"
- "text/template"
 "time"
 
+ "github.com/google/safehtml/template"
+
 "vitess.io/vitess/go/acl"
 "vitess.io/vitess/go/vt/log"
 )
diff --git a/go/vt/vttablet/tabletserver/querylogz.go b/go/vt/vttablet/tabletserver/querylogz.go
index 33341d1641b..09f375aa329 100644
--- a/go/vt/vttablet/tabletserver/querylogz.go
+++ b/go/vt/vttablet/tabletserver/querylogz.go
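Review bot: As shown here, the expectation added in the `-64`, `-94` and `-124` hunks contains a literal `<script>alert()…;</script>`, which taken at face value asserts that the tag reaches the page unescaped — the opposite of what this fix is for; with safehtml/template the cell should read `&lt;script&gt;alert();&lt;/script&gt;`. The input in the `-35` hunk likewise shows `'inject '` with nothing between the quotes, so the most plausible reading is that the page renderer unescaped the entities and stripped the payload, but the committed file should be checked to make sure it carries the `<script>` payload on input and the `&lt;`-escaped form on output, otherwise the test cannot catch a regression to text/template. The U+200B characters after `,` and `)` in the expectation are invisible and easily lost by an editor; a one-line comment next to the literal, such as `// the handler inserts U+200B word-break points after ',' and ';'; keep them`, would save the next maintainer a debugging session, assuming the wrapping helper that inserts them lives in `logz`, which this diff does not show.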
@@ -20,9 +20,10 @@ import (
 "net/http"
 "strconv"
 "strings"
- "text/template"
 "time"
 
+ "github.com/google/safehtml/template"
+
 "vitess.io/vitess/go/acl"
 "vitess.io/vitess/go/vt/log"
 "vitess.io/vitess/go/vt/logz"
diff --git a/go/vt/vttablet/tabletserver/querylogz_test.go b/go/vt/vttablet/tabletserver/querylogz_test.go
index 25f03c762c7..ee26437f330 100644
--- a/go/vt/vttablet/tabletserver/querylogz_test.go
+++ b/go/vt/vttablet/tabletserver/querylogz_test.go
@@ -37,7 +37,7 @@ func TestQuerylogzHandler(t *testing.T) {
 req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil)
 logStats := tabletenv.NewLogStats(context.Background(), "Execute")
 logStats.PlanType = planbuilder.PlanSelect.String()
- logStats.OriginalSQL = "select name from test_table limit 1000"
+ logStats.OriginalSQL = "select name, 'inject ' from test_table limit 1000"
 logStats.RowsAffected = 1000
 logStats.NumberOfQueries = 1
 logStats.StartTime, _ = time.Parse("Jan 2 15:04:05", "Nov 29 13:33:09")
@@ -64,7 +64,7 @@ func TestQuerylogzHandler(t *testing.T) {
 `0.001`,
 `1e-08`,
 `Select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `none`,
 `1000`,
@@ -95,7 +95,7 @@ func TestQuerylogzHandler(t *testing.T) {
 `0.001`,
 `1e-08`,
 `Select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `none`,
 `1000`,
@@ -126,7 +126,7 @@ func TestQuerylogzHandler(t *testing.T) {
 `0.001`,
 `1e-08`,
 `Select`,
- `select name from test_table limit 1000`,
+ regexp.QuoteMeta(`select name,​ 'inject <script>alert()​;</script>' from test_table limit 1000`),
 `1`,
 `none`,
 `1000`,
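Review bot: The same `regexp.QuoteMeta(...)` expectation is now spelled out three times in TestQuerylogzHandler (the `-64`, `-95` and `-126` hunks); hoisting it into one local declared near the `-37` hunk, such as `wantSQL := regexp.QuoteMeta(...)`, and using `wantSQL` in each expected-row slice would keep the three checks from drifting. Only `OriginalSQL` carries an injection payload here; whichever other LogStats string fields the row template renders (the template is outside this diff) get no escaping coverage, so putting a second payload into one of them would make the regression test considerably stronger. As displayed, the `<script>` tag appears unescaped in the expectation and the `-37` input shows `'inject '` with an empty payload, which looks like an artifact of how this page was rendered rather than the committed text; the committed literals should carry the payload on input and the `&lt;script&gt;` form on output, or the test does not prove the escaping.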