[AUTO-CHERRYPICK] Fix CVE-2023-3978 for containerized-data-importer - branch 3.0-dev (#12581)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/containerized-data-importer/CVE-2023-3978.patch

@@ -0,0 +1,66 @@
+From 5abbff46d6a70d0e31b41ce98cddaa08cc911e3f Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Wed, 5 Feb 2025 20:58:22 +0530
+Subject: [PATCH] Backport fix for CVE-2023-3978
+
+Reference: https://go-review.googlesource.com/c/net/+/514896
+---
+ vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
+index 497e132..1da09c8 100644
+--- a/vendor/golang.org/x/net/html/render.go
++++ b/vendor/golang.org/x/net/html/render.go
+@@ -194,9 +194,8 @@ func render1(w writer, n *Node) error {
+ 		}
+ 	}
+ 
+-	// Render any child nodes.
+-	switch n.Data {
+-	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++	// Render any child nodes
++	if childTextNodesAreLiteral(n) {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if c.Type == TextNode {
+ 				if _, err := w.WriteString(c.Data); err != nil {
+@@ -213,7 +212,7 @@ func render1(w writer, n *Node) error {
+ 			// last element in the file, with no closing tag.
+ 			return plaintextAbort
+ 		}
+-	default:
++	} else {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if err := render1(w, c); err != nil {
+ 				return err
+@@ -231,6 +230,27 @@ func render1(w writer, n *Node) error {
+ 	return w.WriteByte('>')
+ }
+ 
++func childTextNodesAreLiteral(n *Node) bool {
++	// Per WHATWG HTML 13.3, if the parent of the current node is a style,
++	// script, xmp, iframe, noembed, noframes, or plaintext element, and the
++	// current node is a text node, append the value of the node's data
++	// literally. The specification is not explicit about it, but we only
++	// enforce this if we are in the HTML namespace (i.e. when the namespace is
++	// "").
++	// NOTE: we also always include noscript elements, although the
++	// specification states that they should only be rendered as such if
++	// scripting is enabled for the node (which is not something we track).
++	if n.Namespace != "" {
++		return false
++	}
++	switch n.Data {
++	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++		return true
++	default:
++		return false
++	}
++}
++
+ // writeQuoted writes s to w surrounded by quotes. Normally it will use double
+ // quotes, but if s contains a double quote, it will use single quotes.
+ // It is used for writing the identifiers in a doctype declaration.
+-- 
+2.34.1
+

SPECS/containerized-data-importer/containerized-data-importer.spec

@@ -18,7 +18,7 @@
 Summary:        Container native virtualization
 Name:           containerized-data-importer
 Version:        1.57.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -33,6 +33,7 @@ Patch4:         CVE-2023-39325.patch
 Patch5:         CVE-2023-44487.patch
 Patch6:         CVE-2024-28180.patch
 Patch7:         CVE-2023-45288.patch
+Patch8:         CVE-2023-3978.patch
 BuildRequires:  golang
 BuildRequires:  golang-packaging
 BuildRequires:  libnbd-devel
@@ -227,6 +228,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
 %{_datadir}/cdi/manifests
 
 %changelog
+* Sun Feb 23 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.57.0-12
+- Fix CVE-2023-3978 with a backported patch
+
 * Fri Feb 14 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.57.0-11
 - Address CVE-2023-45288