Skip to content

🐛 fix: Guard engine helper registration and template adapter races#483

Open
Copilot wants to merge 16 commits into
masterfrom
copilot/create-team-for-security-checks
Open

🐛 fix: Guard engine helper registration and template adapter races#483
Copilot wants to merge 16 commits into
masterfrom
copilot/create-team-for-security-checks

Conversation

Copy link
Copy Markdown

Copilot AI commented May 8, 2026
edited
Loading

  • Inspect the reported mustache CI lint failure and the affected file
  • Make the smallest code change to resolve the mustache revive warning
  • Run targeted mustache lint/test validation
  • Run final validation for the updated PR changes
  • Reply to the PR comment with the addressing commit

Copilot AI and others added 10 commits April 26, 2026 00:57
@gaby
test: add template security regression coverage
1befc9c 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/3c6010a8-4292-477e-ae24-290aa3d2023a

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
docs: add template security guidance
917e2fc 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/3c6010a8-4292-477e-ae24-290aa3d2023a

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
docs: remove top-level security docs references
02182ed 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/2deee2c8-8f35-4459-85b4-9e75fde27bce

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
fix: harden mustache partial loading
57e42b0 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/883ab869-6196-4fea-8744-af04a6fbbbeb

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
feat: harden django pongo2 loader and sandboxing
d7be205 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/7bbee3e4-0d27-487f-bb6a-8e1b1fbc20fe

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
fix: support secure pongo2 nested path resolution
2698e65 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/7bbee3e4-0d27-487f-bb6a-8e1b1fbc20fe

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
fix: keep django security changes non-breaking
8f4b818 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/66f14082-3bbc-47f9-b4a1-550c5c32c067

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
revert: restore previous django.go behavior
539397b 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/c046bd1c-1802-4b89-8695-62cb48b66076

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
test: parallelize django security tests
aeff100 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/c046bd1c-1802-4b89-8695-62cb48b66076

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
@gaby
fix: guard zero-value engine func maps
ca9c5d5 
Agent-Logs-Url: https://github.com/gofiber/template/sessions/872f3cb1-fc49-4ca8-91e8-ac3671898d5c

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>
Copilot AI assigned Copilot and gaby May 8, 2026
@gaby gaby changed the title Guard shared engine helper registration against zero-value panics fix: Guard shared engine helper registration against zero-value panics May 8, 2026
@ReneWerner87 ReneWerner87 added the ☢️ Bug Something isn't working label May 8, 2026
@gaby
Copy link
Copy Markdown
Member

gaby commented May 8, 2026

@copilot The amber template has a race condition during unit-tests.

Copilot AI and others added 2 commits May 8, 2026 12:11
Copy link
Copy Markdown
Author

Copilot AI commented May 8, 2026

@copilot The amber template has a race condition during unit-tests.

Fixed in 50e1a17. The amber adapter now serializes access to the upstream package-global amber.FuncMap during Load, which removes the race between parallel amber tests. I re-ran cd /home/runner/work/template/template/amber && GOTOOLCHAIN=go1.25.0 go test ./... -race -count=1 -v and it passed.

Copilot AI changed the title fix: Guard shared engine helper registration against zero-value panics fix: Guard engine helper registration and amber compilation against panics and races May 8, 2026
Copilot finished work on behalf of gaby May 8, 2026 12:15
Copilot AI requested a review from gaby May 8, 2026 12:15
@gaby gaby changed the title fix: Guard engine helper registration and amber compilation against panics and races fix: Guard engine helper registration May 9, 2026
@gaby gaby changed the title fix: Guard engine helper registration 🐛 fix: Guard engine helper registration May 9, 2026
@gaby
Copy link
Copy Markdown
Member

gaby commented May 9, 2026

@copilot race condition in django tests:

=== NAME Test_HelperOutputIsEscaped
testing.go:1617: race detected during execution of test
--- FAIL: Test_HelperOutputIsEscaped (0.00s)
=== NAME Test_XSS_DefaultAutoEscape
testing.go:1617: race detected during execution of test
--- FAIL: Test_XSS_DefaultAutoEscape (0.00s)
=== NAME Test_Layout_DoesNotTrustUserProvidedEmbed
testing.go:1617: race detected during execution of test

Copilot AI and others added 2 commits May 9, 2026 15:00
Copy link
Copy Markdown
Author

Copilot AI commented May 9, 2026

@copilot race condition in django tests:

=== NAME Test_HelperOutputIsEscaped
...

Fixed in 2dca1a5. The django adapter now stops mutating pongo2’s global autoescape setting during Load and instead serializes render-time autoescape swaps around template execution, which removes the race across parallel tests. I re-ran cd /home/runner/work/template/template/django && GOTOOLCHAIN=go1.25.0 go test ./... -race -count=1 -v and it passed.

Copilot AI changed the title 🐛 fix: Guard engine helper registration 🐛 fix: Guard engine helper registration and template adapter races May 9, 2026
Copilot finished work on behalf of gaby May 9, 2026 15:02
@gaby
Copy link
Copy Markdown
Member

gaby commented May 9, 2026

@copilot Running [/home/runner/go/bin/golangci-lint run --path-mode=abs --tests=false --timeout=5m] in [/home/runner/work/template/template/mustache] ...
Error: /home/runner/work/template/template/mustache/mustache.go:114:17: import-shadowing: The name 'path' shadows an import name (revive)
walkFn := func(path string, info os.FileInfo, err error) error {
^
1 issues:

  • revive: 1

Copy link
Copy Markdown
Author

Copilot AI commented May 9, 2026

@copilot Running [/home/runner/go/bin/golangci-lint run --path-mode=abs --tests=false --timeout=5m] in [/home/runner/work/template/template/mustache] ...
Error: /home/runner/work/template/templat...

Fixed in 6d5b760. I renamed the local walkFn parameter in mustache/mustache.go so it no longer shadows the imported path package, and the CI-matching lint command now passes: cd /home/runner/work/template/template/mustache && GOTOOLCHAIN=go1.25.0 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.1 run --path-mode=abs --tests=false --timeout=5m.

Copilot finished work on behalf of gaby May 9, 2026 15:26
@gaby gaby marked this pull request as ready for review May 9, 2026 17:20
@gaby gaby requested a review from a team as a code owner May 9, 2026 17:20
@gaby gaby requested review from ReneWerner87, Copilot, efectn and sixcolors and removed request for a team May 9, 2026 17:20
Copilot AI reviewed May 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the core template Engine and several adapters against races, and adds security-focused regression tests and documentation notes around escaping/trust boundaries across engines.

Changes:

  • Initialize Engine.Funcmap on-demand in AddFunc / AddFuncMap to support zero-value Engine usage safely.
  • Serialize access to upstream package-global state in adapters (Django/pongo2 autoescape; Amber compiler func map) and add Mustache partial-name sanitization + traversal tests.
  • Add per-engine XSS/regression tests and document security guidance in engine READMEs.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
template.go Initializes Funcmap lazily during helper registration under lock.
template_test.go Adds regression tests ensuring AddFunc/AddFuncMap initialize Funcmap.
ace/security_test.go Adds XSS/layout escaping regression tests for Ace templates.
ace/README.md Adds Security guidance and adjusts code snippet formatting.
amber/amber.go Serializes global amber.FuncMap usage during compilation to avoid races.
amber/security_test.go Adds XSS/layout escaping regression tests for Amber templates.
amber/README.md Adds Security guidance and adjusts code snippet formatting.
django/django.go Serializes pongo2 autoescape toggling at render time to prevent cross-engine races.
django/security_test.go Adds XSS/layout/helper escaping regression tests for Django templates.
django/README.md Adds Security guidance for auto-escape and safe output.
handlebars/security_test.go Adds XSS/layout/helper escaping regression tests for Handlebars templates.
handlebars/README.md Adds Security guidance and adjusts code snippet formatting.
html/security_test.go Adds XSS/layout + contextual escaping regression tests for html/template adapter.
html/README.md Adds Security guidance and adjusts code snippet formatting.
jet/security_test.go Adds XSS/layout/helper escaping regression tests for Jet templates.
jet/README.md Adds Security guidance and adjusts code snippet formatting.
mustache/mustache.go Adds partial name sanitization and safer path/root handling for partial loading.
mustache/security_test.go Adds XSS/layout escaping tests plus partial traversal tests.
mustache/README.md Adds Security guidance and adjusts code snippet formatting.
pug/security_test.go Adds XSS/layout escaping regression tests for Pug templates.
pug/README.md Adds Security guidance and adjusts code snippet formatting.
slim/security_test.go Adds XSS/layout/helper escaping regression tests for Slim templates.
slim/README.md Adds Security guidance and adjusts code snippet formatting.
README.md Removes stray whitespace in top-level README.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread mustache/mustache.go
Comment on lines +50 to +63
func sanitizePartialName(name string) (string, error) {
cleanName := strings.ReplaceAll(strings.TrimSpace(name), `\`, "/")
cleanName = path.Clean(cleanName)

switch {
case cleanName == "." || cleanName == "..":
return "", fmt.Errorf("mustache: invalid partial path %q", name)
case path.IsAbs(cleanName):
return "", fmt.Errorf("mustache: invalid partial path %q", name)
case strings.HasPrefix(cleanName, "../"):
return "", fmt.Errorf("mustache: invalid partial path %q", name)
}

return cleanName, nil
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@gaby gaby Awaiting requested review from gaby

@sixcolors sixcolors Awaiting requested review from sixcolors sixcolors is a code owner automatically assigned from gofiber/maintainers

@ReneWerner87 ReneWerner87 Awaiting requested review from ReneWerner87 ReneWerner87 is a code owner automatically assigned from gofiber/maintainers

@efectn efectn Awaiting requested review from efectn efectn is a code owner automatically assigned from gofiber/maintainers

At least 1 approving review is required to merge this pull request.

Assignees

@gaby gaby

Copilot code review Copilot

Labels

☢️ Bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gaby @ReneWerner87