secfixes: add disclosure of the template.sh bug

template: sanitize all inputs to prevent delimeter injection
2025-08-03 12:23:34 +02:00 · 2025-02-24 15:52:39 +01:00 · 2025-02-24 15:43:24 +01:00
2 changed files with 15 additions and 4 deletions
--- a/docs/sec-fixes/2025-02-24_template.md
+++ b/docs/sec-fixes/2025-02-24_template.md
@ -0,0 +1,11 @@
+# 2025-02-24 Template injection leading to RCE
+
+Between commits 4e6c5c0ba3af3d93a67961651db0906c6dfa686f (2024-07-17) and
+89c285042835bec5cdd23128102dbeeba37bfa16 (2025-02-24), template.sh included
+a code path which allowed an attacker to inject the delimeter (\x02) into
+a rendered value, which coupled with using the `e` sed filter could lead to
+remote code execution.
+
+This vulnerability could only be triggered in apps using the subtemplate
+feature. It arose due to an inconsistency with input sanitization between
+including a raw value and including a raw value while recursing.
--- a/src/template.sh
+++ b/src/template.sh
@ -7,7 +7,7 @@ function render() {
 	if [[ "$3" != true ]]; then
 		local template="$(tr -d $'\01'$'\02' < "$2" | sed 's/\&/<2F>UwU<77>/g')"
 	else
-		local template="$(cat "$2" | sed -E 's/\\/\\\\/g')"
+		local template="$(tr -d '$\02' < "$2" | sed -E 's/\\/\\\\/g')"
 	fi
 	local -n ref=$1
 	local tmp=$(mktemp)
@ -29,12 +29,12 @@ function render() {

 				value+="$(render fdsa "$subtemplate" true)"
 			done
-			value="$(sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02' <<< "$value")"
+			value="$(tr -d '$\02' <<< "$value" | sed -E 's'$'\02''\{\{start '"$key"'\}\}'$'\02'$'\02'';s'$'\02''\{\{end '"$key"'\}\}'$'\02'$'\02')"

 			echo 's'$'\02''\{\{'"$key"'\}\}'$'\02'''"$value"''$'\02'';' >> "$tmp"
 			rm "$subtemplate"
 		elif [[ "$key" == "@"* && "${ref["$key"]}" != '' ]]; then
-			local value="$(sed -E 's/\&/<2F>UwU<77>/g' <<< "${ref["$key"]}")"
+			local value="$(tr -d $'\01\02' <<< "${ref["$key"]}" | sed -E 's/\&/<2F>UwU<77>/g')"
 			echo 's'$'\02''\{\{\'"$key"'\}\}'$'\02'''"$value"''$'\02''g;' >> "$tmp" #'
 		elif [[ "$key" == '?'* ]]; then
 			local _key="\\?${key/?/}"
@ -53,7 +53,7 @@ function render() {
 		elif [[ "${ref["$key"]}" != "" ]]; then
 			echo "VALUE: ${ref["$key"]}" > /dev/stderr
 			if [[ "$3" != true ]]; then
-				local value="$(html_encode <<< "${ref["$key"]}" | sed -E 's/\&/<2F>UwU<77>/g')"
+				local value="$(html_encode <<< "${ref["$key"]}" | tr -d $'\02' | sed -E 's/\&/<2F>UwU<77>/g')"
 			else
 				local value="$(echo -n "${ref["$key"]}" | tr -d $'\01'$'\02' | tr $'\n' $'\01' | sed -E 's/\\\\/<2F>OwO<77>/g;s/\\//g;s/<2F>OwO<77>/\\/g' | html_encode | sed -E 's/\&/<2F>UwU<77>/g')"
 			fi
Author	SHA1	Message	Date
sdomi	7f0cd58986	secfixes: add disclosure of the template.sh bug	2025-02-24 15:52:39 +01:00
sdomi	89c2850428	template: sanitize all inputs to prevent delimeter injection	2025-02-24 15:43:24 +01:00