
checker: go_html_req_template_injection #79

Merged: sourya-deepsource merged 2 commits into DeepSourceCorp:master from Thiru-moorthi:go_html_req_template_injection on Mar 7, 2025

Conversation

@Thiru-moorthi (Contributor) commented Feb 24, 2025

Description

This PR adds a new Go checker to detect security risks associated with rendering user-controlled data using html/template without proper sanitization. Improper handling of user inputs in templates can lead to Server-Side Template Injection (SSTI), allowing attackers to execute arbitrary code, leak sensitive data, or launch Cross-Site Scripting (XSS) attacks.

Detection Logic

This checker flags instances where:

  • User-controlled input (from r.Cookie, r.URL.Query().Get, or r.FormValue) is directly mapped to a template.
  • The template executes user input without proper sanitization.

Recommended Alternatives

To mitigate security risks, always sanitize user inputs and ensure context-aware encoding before rendering:

Insecure Example:

http.HandleFunc("/unsafe", func(w http.ResponseWriter, r *http.Request) {
    r.ParseForm()
    data := map[string]string{"Username": r.FormValue("username")}
    tmpl, _ := template.New("example").Parse("<h1>Hello, {{.Username}}</h1>")
    tmpl.Execute(w, data) // Vulnerable: renders unsanitized user input
})

Secure Example:

http.HandleFunc("/safe", func(w http.ResponseWriter, r *http.Request) {
    r.ParseForm()
    userInput := template.HTMLEscapeString(r.FormValue("username"))
    data := map[string]string{"Username": userInput}
    tmpl, _ := template.New("example").Parse("<h1>Hello, {{.Username}}</h1>")
    tmpl.Execute(w, data) // Safe: sanitized input prevents injection
})

Exclusions

To reduce noise, this checker does not flag occurrences in:

  • Test files (test/**, *_test.go, tests/**, __tests__/**)

References
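The following is an added example, not code from the PR or from the globstar project: it runs the two handler patterns from the description above on a constructed hostile username and returns the rendered HTML so the results can be compared directly. html/template already HTML-escapes a `{{.Username}}` substitution in HTML text context, so the pre-escaped variant double-encodes the value; the function names `renderDirect` and `renderPreEscaped` are mine.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Template body used by both examples in the PR description.
const greeting = "<h1>Hello, {{.Username}}</h1>"

// renderDirect mirrors the PR's "insecure" handler: the raw value goes into
// the data map and html/template renders it. It returns the HTML instead of
// writing to an http.ResponseWriter so the output can be inspected.
func renderDirect(username string) (string, error) {
	tmpl, err := template.New("example").Parse(greeting)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Username": username}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderPreEscaped mirrors the PR's "secure" handler: the value is passed
// through template.HTMLEscapeString before it reaches the template, after
// which html/template's contextual escaper encodes it a second time.
func renderPreEscaped(username string) (string, error) {
	return renderDirect(template.HTMLEscapeString(username))
}

func main() {
	// Constructed hostile input for the demonstration; not from a real request.
	const hostile = "<script>alert(1)</script>"
	variants := []struct {
		name   string
		render func(string) (string, error)
	}{{"direct", renderDirect}, {"pre-escaped", renderPreEscaped}}
	for _, v := range variants {
		out, err := v.render(hostile)
		if err != nil {
			fmt.Println(v.name, "error:", err)
			continue
		}
		fmt.Printf("%-12s %s\n", v.name+":", out)
	}
}
```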

vercel bot commented Feb 24, 2025

The latest updates on your projects.

1 Skipped Deployment

Name: globstar | Status: Ignored | Updated (UTC): Mar 7, 2025 0:14am

Thiru-moorthi force-pushed the go_html_req_template_injection branch from 6df8c71 to 213d983 on February 25, 2025 15:22
Thiru-moorthi force-pushed the go_html_req_template_injection branch from 213d983 to 97efb0e on February 25, 2025 15:23
Signed-off-by: Sourya Vatsyayan <sourya@deepsource.io>
sourya-deepsource merged commit 8e0a1cd into DeepSourceCorp:master on Mar 7, 2025
3 checks passed