A critical vulnerability has recently been discovered in Go Templates (part of the Go standard library) that could allow attackers to inject and execute arbitrary JavaScript code through JavaScript template literals. This vulnerability has been assigned the CVE number CVE-2023-24538. This article discusses the details of the exploit, the potential risks, and the available fix.

Exploit Details

The vulnerability arises from the fact that Go Templates did not correctly handle backticks (`), which have been JavaScript string delimiters since ES6. Backticks delimit JavaScript template literals, which let developers embed placeholders and expressions inside string literals. If a Go template action is placed within a JavaScript template literal, the contents of the action can be used to terminate the literal and inject arbitrary JavaScript code into the page rendered from the Go template.

For example:

var hacked = `Hello, {{.UserName}}! Your secret is ${eval('{{.Secret}}')}`;

In this example, if .Secret contains malicious JavaScript code, the code can close the backtick-delimited literal early and be executed, here via the eval function.

Fix and Mitigation

To address this issue, the Go team has decided to disallow Go template actions from being used inside JavaScript template literals (as in "var a = `{{.}}`"), as there is no obvious safe way to allow this functionality. This follows the same approach as the safehtml package from Google.

Starting from Go 1.21, when parsing a template containing such an action, the Template.Parse method will return an error with an ErrorCode of value 12. This ErrorCode is currently unexported, but it will be made public in the upcoming Go 1.21 release.

If you rely on the previous behavior, you can re-enable it by setting the GODEBUG flag jstmpllitinterp=1. Note, however, that with this flag set the backticks are now escaped, and the flag is not recommended unless absolutely necessary.

Original References

* Go Issue Tracker: #49732
* GoLang Template Package Documentation

Conclusion

The discovery of this vulnerability (CVE-2023-24538) in Go Templates highlights the importance of properly handling JavaScript template literals and of securing the web applications built with Go. Developers are advised to update their code so that Go template actions are never placed inside JavaScript template literals, and to watch for the upcoming Go 1.21 release to benefit from the automatic protection offered by the modified Template.Parse method.

Timeline

Published on: 04/06/2023 16:15:00 UTC
Last modified on: 04/17/2023 16:54:00 UTC