HIGH: Template rendering bypass in HandleAppCreate/HandleAppUpdate can produce partial HTML #121

New Issue

clawbot · 2026-02-21T09:51:51+01:00

clawbot commented

2026-02-21 09:51:51 +01:00

Bug

Several error paths in HandleAppCreate and HandleAppUpdate call tmpl.ExecuteTemplate(writer, ...) directly instead of using h.renderTemplate(writer, tmpl, ...). The renderTemplate method renders into a buffer first and only writes to the ResponseWriter on success, preventing partial/corrupt HTML. The direct calls bypass this safety.

Affected Code

internal/handlers/app.go — HandleAppCreate:

nameErr := validateAppName(name)
if nameErr != nil {
    data["Error"] = "Invalid app name: " + nameErr.Error()
    _ = tmpl.ExecuteTemplate(writer, "app_new.html", data) // DIRECT — no buffer
    return
}

internal/handlers/app.go — HandleAppUpdate:

nameErr := validateAppName(newName)
if nameErr != nil {
    // ...
    _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer
    return
}

repoURLErr := validateRepoURL(request.FormValue("repo_url"))
if repoURLErr != nil {
    // ...
    _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer
    return
}

Other error paths in the same functions correctly use h.renderTemplate.

Impact

If template execution fails partway through (e.g., missing template data), a partial HTML response is sent to the browser. This is unlikely in practice but violates the safety invariant that renderTemplate was specifically designed to enforce.

Fix

Replace all tmpl.ExecuteTemplate(writer, ...) calls with h.renderTemplate(writer, tmpl, ...).

## Bug Several error paths in `HandleAppCreate` and `HandleAppUpdate` call `tmpl.ExecuteTemplate(writer, ...)` directly instead of using `h.renderTemplate(writer, tmpl, ...)`. The `renderTemplate` method renders into a buffer first and only writes to the ResponseWriter on success, preventing partial/corrupt HTML. The direct calls bypass this safety. ## Affected Code **`internal/handlers/app.go` — `HandleAppCreate`:** ```go nameErr := validateAppName(name) if nameErr != nil { data["Error"] = "Invalid app name: " + nameErr.Error() _ = tmpl.ExecuteTemplate(writer, "app_new.html", data) // DIRECT — no buffer return } ``` **`internal/handlers/app.go` — `HandleAppUpdate`:** ```go nameErr := validateAppName(newName) if nameErr != nil { // ... _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer return } repoURLErr := validateRepoURL(request.FormValue("repo_url")) if repoURLErr != nil { // ... _ = tmpl.ExecuteTemplate(writer, "app_edit.html", data) // DIRECT — no buffer return } ``` Other error paths in the same functions correctly use `h.renderTemplate`. ## Impact If template execution fails partway through (e.g., missing template data), a partial HTML response is sent to the browser. This is unlikely in practice but violates the safety invariant that `renderTemplate` was specifically designed to enforce. ## Fix Replace all `tmpl.ExecuteTemplate(writer, ...)` calls with `h.renderTemplate(writer, tmpl, ...)`.

clawbot referenced this issue from a commit

2026-02-21 09:57:36 +01:00

fix: use renderTemplate in all error paths of HandleAppCreate/HandleAppUpdate (closes #121)

clawbot referenced a pull request that will close this issue

2026-02-21 09:57:56 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue

2026-02-21 16:45:34 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126

clawbot referenced this issue

2026-02-21 20:45:37 +01:00

Fix 1.0 audit bugs (closes #120, closes #121, closes #122, closes #123, closes #124, closes #125) #126