author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2023-06-15 16:34:16 +0200 |
---|---|---|
committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2023-06-15 23:04:33 +0200 |
commit | ee359df172ece11989e9b1bf35c2d376f2608ac6 (patch) | |
tree | 98513578d0ad8c2ced1c6aacf2ca5ba40a703b6a /tpl/tplimpl | |
parent | 0f989d5e21b200d848b45a4e305958636fd00779 (diff) |
Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added.
This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).
Builds containing such an action now fail with an error saying "... appears in a JS template literal".
If you are certain this is not a security risk for your site (for example because no value interpolated inside a JS template literal can be attacker-controlled), you can revert to the old behaviour:
```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```
See https://github.com/golang/go/issues/59234
Fixes #11112
Diffstat (limited to 'tpl/tplimpl')
-rw-r--r-- | tpl/tplimpl/integration_test.go | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/tpl/tplimpl/integration_test.go b/tpl/tplimpl/integration_test.go
index 4107a1faa..fa511fbab 100644
--- a/tpl/tplimpl/integration_test.go
+++ b/tpl/tplimpl/integration_test.go
@@ -2,6 +2,7 @@ package tplimpl_test
 import (
 "path/filepath"
+ "strings"
 "testing"
 qt "github.com/frankban/quicktest"
@@ -160,3 +161,70 @@ title: "S3P1"
 b.AssertFileContent("public/s2/p1/index.html", `S2P1`)
 b.AssertFileContent("public/s3/p1/index.html", `S3P1`)
 }
+
+func TestGoTemplateBugs(t *testing.T) {
+
+ t.Run("Issue 11112", func(t *testing.T) {
+ t.Parallel()
+
+ files := `
+-- config.toml --
+-- layouts/index.html --
+{{ $m := dict "key" "value" }}
+{{ $k := "" }}
+{{ $v := "" }}
+{{ range $k, $v = $m }}
+{{ $k }} = {{ $v }}
+{{ end }}
+ `
+
+ b := hugolib.NewIntegrationTestBuilder(
+ hugolib.IntegrationTestConfig{
+ T: t,
+ TxtarString: files,
+ },
+ )
+ b.Build()
+
+ b.AssertFileContent("public/index.html", `key = value`)
+ })
+
+}
+
+func TestSecurityAllowActionJSTmpl(t *testing.T) {
+
+ filesTemplate := `
+-- config.toml --
+SECURITYCONFIG
+-- layouts/index.html --
+<script>
+var a = §§{{.Title }}§§;
+</script>
+ `
+
+ files := strings.ReplaceAll(filesTemplate, "SECURITYCONFIG", "")
+
+ b, err := hugolib.NewIntegrationTestBuilder(
+ hugolib.IntegrationTestConfig{
+ T: t,
+ TxtarString: files,
+ },
+ ).BuildE()
+
+ b.Assert(err, qt.Not(qt.IsNil))
+ b.Assert(err.Error(), qt.Contains, "{{.Title}} appears in a JS template literal")
+
+ files = strings.ReplaceAll(filesTemplate, "SECURITYCONFIG", `
+[security]
+[security.gotemplates]
+allowActionJSTmpl = true
+`)
+
+ b = hugolib.NewIntegrationTestBuilder(
+ hugolib.IntegrationTestConfig{
+ T: t,
+ TxtarString: files,
+ },
+ ).Build()
+
+} |
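Review bot: The permissive branch at the end of TestSecurityAllowActionJSTmpl (after the second strings.ReplaceAll) only calls .Build() and never inspects public/index.html, so the test shows that allowActionJSTmpl = true suppresses the error but not that the action inside the backticks is still rendered; a regression that silently dropped the action or ignored the option would still pass. I would give the permissive config a known title and pin it in the output, e.g. add `title = "Hugo Rocks"` to the injected `[security.gotemplates]` snippet and follow `.Build()` with `b.AssertFileContent("public/index.html", "Hugo Rocks")`, asserting only the substring since the exact escaping Go applies inside a JS template literal is not visible here. The `§§` delimiters presumably stand for backticks that the test builder rewrites; a one-line comment such as `// §§ is rewritten to a backtick by the test builder, so .Title sits inside a JS template literal.` would make the fixture's intent clear to readers unfamiliar with that convention. The test also deserves a pointer to why it is a security check, e.g. `// Actions inside JS template literals are rejected by default (golang/go#59234); allowActionJSTmpl opts back in.`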