fix: Sanitize all http request fields to avoid XSS injection in templates

Related to CVE-2025-27088

Author: oxyno-zeta

.golangci.yaml

@@ -433,6 +433,9 @@ issues:
         - tagliatelle
         - lll
       path: pkg/.*/config/config\.go
+    - linters:
+        - dupl
+      path: pkg/.*/response-handler/handler\.go
   # issues:
   #   # List of regexps of issue texts to exclude, empty list by default.
   #   # But independently from this option we use default exclude patterns,

.mise.toml

@@ -9,3 +9,5 @@ gotestsum = "v1.12.0"
 "go:go.uber.org/mock/mockgen" = "v0.5.0"
 # renovate: datasource=go depName=golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
 # "go:golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment" = "v0.30.0"
+# renovate: datasource=github-tags depName=jmattheis/goverter
+"go:github.com/jmattheis/goverter/cmd/goverter" = "v1.7.0"

Makefile

@@ -33,6 +33,7 @@ HAS_CURL:=$(shell command -v curl;)
 HAS_MOCKGEN:=$(shell command -v mockgen;)
 HAS_GOTESTSUM:=$(shell command -v gotestsum;)
 HAS_FIELDALIGNMENT:=$(shell command -v fieldalignment;)
+HAS_GOVERTER := $(shell command -v goverter;)
 
 #
 ## Tool versions
@@ -200,6 +201,10 @@ endif
 ifndef HAS_FIELDALIGNMENT
 	@echo "=> Installing fieldalignment tool"
 	$(GO) install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/[email protected]
+endif
+ifndef HAS_GOVERTER
+	@echo "=> Installing goverter tool"
+	$(GO) install github.com/jmattheis/goverter/cmd/[email protected]
 endif
 	go mod download all
 	go mod tidy

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/go-resty/resty/v2 v2.16.5
 	github.com/gobwas/glob v0.2.3
 	github.com/johannesboyne/gofakes3 v0.0.0-20240701191259-edd0227ffc37
+	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/prometheus/client_golang v1.20.5
 	github.com/sirupsen/logrus v1.9.3
@@ -38,6 +39,7 @@ require (
 	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -46,6 +48,7 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/css v1.0.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

go.sum

@@ -17,6 +17,8 @@ github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3
 github.com/aws/aws-sdk-go v1.44.256/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
 github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
+github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -70,6 +72,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
+github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
@@ -97,6 +101,8 @@ github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
 github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
+github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=

pkg/s3-proxy/bucket/bucket-req-impl.go

@@ -14,6 +14,7 @@ import (
 	"github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/config"
 	"github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/log"
 	responsehandler "github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/response-handler"
+	responsehandlermodels "github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/response-handler/models"
 	"github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/s3client"
 	utils "github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/utils/generalutils"
 	"github.com/oxyno-zeta/s3-proxy/pkg/s3-proxy/utils/templateutils"
@@ -310,7 +311,7 @@ func (bri *bucketReqImpl) manageGetFolder(ctx context.Context, key string, input
 		// Answer directly
 		resHan.FoldersFilesList(
 			bri.LoadFileContent,
-			make([]*responsehandler.Entry, 0),
+			make([]*responsehandlermodels.Entry, 0),
 		)
 
 		// Stop
@@ -604,7 +605,7 @@ func (bri *bucketReqImpl) Put(ctx context.Context, inp *PutInput) {
 	// Answer
 	resHan.Put(
 		bri.LoadFileContent,
-		&responsehandler.PutInput{
+		&responsehandlermodels.PutInput{
 			Key:          key,
 			ContentType:  inp.ContentType,
 			ContentSize:  inp.ContentSize,
@@ -692,7 +693,7 @@ func (bri *bucketReqImpl) Delete(ctx context.Context, requestPath string) {
 	// Answer
 	resHan.Delete(
 		bri.LoadFileContent,
-		&responsehandler.DeleteInput{
+		&responsehandlermodels.DeleteInput{
 			Key: key,
 		},
 	)
@@ -702,9 +703,9 @@ func transformS3Entries(
 	s3Entries []*s3client.ListElementOutput,
 	rctx *bucketReqImpl,
 	bucketRootPrefixKey string,
-) []*responsehandler.Entry {
+) []*responsehandlermodels.Entry {
 	// Prepare result
-	entries := make([]*responsehandler.Entry, 0)
+	entries := make([]*responsehandlermodels.Entry, 0)
 	// Loop over s3 entries
 	for _, item := range s3Entries {
 		// Store path
@@ -715,7 +716,7 @@ func transformS3Entries(
 			ePath += "/"
 		}
 		// Save new entry
-		entries = append(entries, &responsehandler.Entry{
+		entries = append(entries, &responsehandlermodels.Entry{
 			Type:         item.Type,
 			ETag:         item.ETag,
 			Name:         item.Name,
@@ -807,7 +808,7 @@ func (bri *bucketReqImpl) answerHead(
 	)
 
 	// Transform input
-	inp := &responsehandler.StreamInput{
+	inp := &responsehandlermodels.StreamInput{
 		CacheControl:       hOutput.CacheControl,
 		Expires:            hOutput.Expires,
 		ContentDisposition: hOutput.ContentDisposition,
@@ -848,7 +849,7 @@ func (bri *bucketReqImpl) streamFileForResponse(ctx context.Context, key string,
 	defer objOutput.Body.Close()
 
 	// Transform input
-	inp := &responsehandler.StreamInput{
+	inp := &responsehandlermodels.StreamInput{
 		Body:               objOutput.Body,
 		CacheControl:       objOutput.CacheControl,
 		Expires:            objOutput.Expires,