HIGH: Template rendering bypass in HandleAppCreate/HandleAppUpdate can produce partial HTML #121

New Issue

Open

opened 2026-02-21 09:51:51 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-21 09:51:51 +01:00

Collaborator

Copy Link

Bug

Several error paths in HandleAppCreate and HandleAppUpdate call tmpl.ExecuteTemplate(writer, ...) directly instead of using h.renderTemplate(writer, tmpl, ...). The renderTemplate method renders into a buffer first and only writes to the ResponseWriter on success, preventing partial/corrupt HTML. The direct calls bypass this safety.

Affected Code

internal/handlers/app.go — HandleAppCreate:

nameErr := validateAppName(name)
if nameErr != nil {
    data["Error"] = "Invalid app name: " + nameErr.Error()
    _ = tmpl.ExecuteTemplate(writer, "app_new.html", data) // DIRECT — no buffer
    return
}

internal/handlers/app.go — HandleAppUpdate:

nameErr := validateAppName(newName)
if nameErr != nil {
    // ...
    _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer
    return
}

repoURLErr := validateRepoURL(request.FormValue("repo_url"))
if repoURLErr != nil {
    // ...
    _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer
    return
}

Other error paths in the same functions correctly use h.renderTemplate.

Impact

If template execution fails partway through (e.g., missing template data), a partial HTML response is sent to the browser. This is unlikely in practice but violates the safety invariant that renderTemplate was specifically designed to enforce.

Fix

Replace all tmpl.ExecuteTemplate(writer, ...) calls with h.renderTemplate(writer, tmpl, ...).

## Bug Several error paths in `HandleAppCreate` and `HandleAppUpdate` call `tmpl.ExecuteTemplate(writer, ...)` directly instead of using `h.renderTemplate(writer, tmpl, ...)`. The `renderTemplate` method renders into a buffer first and only writes to the ResponseWriter on success, preventing partial/corrupt HTML. The direct calls bypass this safety. ## Affected Code **`internal/handlers/app.go` — `HandleAppCreate`:** ```go nameErr := validateAppName(name) if nameErr != nil { data["Error"] = "Invalid app name: " + nameErr.Error() _ = tmpl.ExecuteTemplate(writer, "app_new.html", data) // DIRECT — no buffer return } ``` **`internal/handlers/app.go` — `HandleAppUpdate`:** ```go nameErr := validateAppName(newName) if nameErr != nil { // ... _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer return } repoURLErr := validateRepoURL(request.FormValue("repo_url")) if repoURLErr != nil { // ... _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer return } ``` Other error paths in the same functions correctly use `h.renderTemplate`. ## Impact If template execution fails partway through (e.g., missing template data), a partial HTML response is sent to the browser. This is unlikely in practice but violates the safety invariant that `renderTemplate` was specifically designed to enforce. ## Fix Replace all `tmpl.ExecuteTemplate(writer, ...)` calls with `h.renderTemplate(writer, tmpl, ...)`.

clawbot referenced this issue from a commit 2026-02-21 09:57:36 +01:00

fix: use renderTemplate in all error paths of HandleAppCreate/HandleAppUpdate (closes #121)

clawbot referenced a pull request that will close this issue 2026-02-21 09:57:56 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue 2026-02-21 16:45:34 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue 2026-02-21 20:45:37 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue 2026-02-21 20:49:16 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue 2026-02-22 12:31:42 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue 2026-02-22 12:43:43 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue from a commit 2026-02-23 20:54:34 +01:00

fix: use renderTemplate in all error paths of HandleAppCreate/HandleAppUpdate (closes #121)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/audit-bugs-120-125

fix/1.0-audit-bugs

refactor/split-app-js

fix/disable-api-write-methods

chore/code-cleanup

ci/check-workflow-only

fix/repo-url-validation

fix/main-lint-issues

feature/api-token-auth

revert/pr-98

feat/ci-make-check

ci/add-check-action

fix/deploy-cancel-cleanup

schema-consolidation

feature/json-api

chore/update-todo

feature/edit-config-entities

feature/deployment-rollback-tests

update-todo-md

feature/edit-entities

feature/deployment-rollback

feature/deploy-cancel

No results found.

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

merge-ready

All checks pass, reviewed, rebased, ready for merge

  

merge-ready

  

needs-checks

make check does not pass cleanly

  

needs-checks

  

needs-rebase

PR has merge conflicts or is behind main

  

needs-rebase

  

needs-review

Code review not yet done

  

needs-review

  

needs-rework

Code review found issues to fix

  

needs-rework

  

notplanned

  

question

More information is needed

  

wontfix

This won't be fixed

No Label

bug

duplicate

enhancement

help wanted

invalid

merge-ready

merge-ready

needs-checks

needs-checks

needs-rebase

needs-rebase

needs-review

needs-review

needs-rework

needs-rework

notplanned

question

wontfix

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#121

No description provided.