[AUTO-CHERRYPICK] [Low] Patch vitess for CVE-2024-53257 - branch main (#12953)

Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/vitess/CVE-2024-53257.patch

@@ -0,0 +1,172 @@
+From 2b71d1b5f8ca676beeab2875525003cd45096217 Mon Sep 17 00:00:00 2001
+From: Dirkjan Bussink <d.bussink@gmail.com>
+Date: Mon, 2 Dec 2024 16:47:59 +0100
+Subject: [PATCH] Merge commit from fork
+
+These templates were rendered using text/template which is fundamentally
+broken as it would allow for trivial HTML injection.
+
+Instead render using safehtml/template so that we have automatic
+escaping.
+
+Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com>
+Link: https://github.com/vitessio/vitess/commit/2b71d1b5f8ca676beeab2875525003cd45096217.patch
+---
+ go/vt/vtgate/debugenv.go                      | 3 ++-
+ go/vt/vtgate/querylogz.go                     | 4 ++--
+ go/vt/vtgate/querylogz_test.go                | 8 ++++----
+ go/vt/vttablet/tabletserver/debugenv.go       | 3 ++-
+ go/vt/vttablet/tabletserver/querylogz.go      | 3 ++-
+ go/vt/vttablet/tabletserver/querylogz_test.go | 8 ++++----
+ 6 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/go/vt/vtgate/debugenv.go b/go/vt/vtgate/debugenv.go
+index 4fa989c69a3..7213353432d 100644
+--- a/go/vt/vtgate/debugenv.go
++++ b/go/vt/vtgate/debugenv.go
+@@ -22,9 +22,10 @@ import (
+ 	"html"
+ 	"net/http"
+ 	"strconv"
+-	"text/template"
+ 	"time"
+ 
++	"github.com/google/safehtml/template"
++
+ 	"vitess.io/vitess/go/acl"
+ 	"vitess.io/vitess/go/vt/discovery"
+ 	"vitess.io/vitess/go/vt/log"
+diff --git a/go/vt/vtgate/querylogz.go b/go/vt/vtgate/querylogz.go
+index 7c72e950d4a..05d301f28be 100644
+--- a/go/vt/vtgate/querylogz.go
++++ b/go/vt/vtgate/querylogz.go
+@@ -20,15 +20,15 @@ import (
+ 	"net/http"
+ 	"strconv"
+ 	"strings"
+-	"text/template"
+ 	"time"
+ 
+-	"vitess.io/vitess/go/vt/vtgate/logstats"
++	"github.com/google/safehtml/template"
+ 
+ 	"vitess.io/vitess/go/acl"
+ 	"vitess.io/vitess/go/vt/log"
+ 	"vitess.io/vitess/go/vt/logz"
+ 	"vitess.io/vitess/go/vt/sqlparser"
++	"vitess.io/vitess/go/vt/vtgate/logstats"
+ )
+ 
+ var (
+diff --git a/go/vt/vtgate/querylogz_test.go b/go/vt/vtgate/querylogz_test.go
+index 3cecb983b3f..9236b2ac840 100644
+--- a/go/vt/vtgate/querylogz_test.go
++++ b/go/vt/vtgate/querylogz_test.go
+@@ -35,7 +35,7 @@ import (
+ 
+ func TestQuerylogzHandlerFormatting(t *testing.T) {
+ 	req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil)
+-	logStats := logstats.NewLogStats(context.Background(), "Execute", "select name from test_table limit 1000", "suuid", nil)
++	logStats := logstats.NewLogStats(context.Background(), "Execute", "select name, 'inject <script>alert();</script>' from test_table limit 1000", "suuid", nil)
+ 	logStats.StmtType = "select"
+ 	logStats.RowsAffected = 1000
+ 	logStats.ShardQueries = 1
+@@ -64,7 +64,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
+ 		`<td>0.002</td>`,
+ 		`<td>0.003</td>`,
+ 		`<td>select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>1000</td>`,
+ 		`<td></td>`,
+@@ -94,7 +94,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
+ 		`<td>0.002</td>`,
+ 		`<td>0.003</td>`,
+ 		`<td>select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>1000</td>`,
+ 		`<td></td>`,
+@@ -124,7 +124,7 @@ func TestQuerylogzHandlerFormatting(t *testing.T) {
+ 		`<td>0.002</td>`,
+ 		`<td>0.003</td>`,
+ 		`<td>select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>1000</td>`,
+ 		`<td></td>`,
+diff --git a/go/vt/vttablet/tabletserver/debugenv.go b/go/vt/vttablet/tabletserver/debugenv.go
+index 9a802a5d49c..6f1ea854ea9 100644
+--- a/go/vt/vttablet/tabletserver/debugenv.go
++++ b/go/vt/vttablet/tabletserver/debugenv.go
+@@ -23,9 +23,10 @@ import (
+ 	"html"
+ 	"net/http"
+ 	"strconv"
+-	"text/template"
+ 	"time"
+ 
++	"github.com/google/safehtml/template"
++
+ 	"vitess.io/vitess/go/acl"
+ 	"vitess.io/vitess/go/vt/log"
+ )
+diff --git a/go/vt/vttablet/tabletserver/querylogz.go b/go/vt/vttablet/tabletserver/querylogz.go
+index 33341d1641b..09f375aa329 100644
+--- a/go/vt/vttablet/tabletserver/querylogz.go
++++ b/go/vt/vttablet/tabletserver/querylogz.go
+@@ -20,9 +20,10 @@ import (
+ 	"net/http"
+ 	"strconv"
+ 	"strings"
+-	"text/template"
+ 	"time"
+ 
++	"github.com/google/safehtml/template"
++
+ 	"vitess.io/vitess/go/acl"
+ 	"vitess.io/vitess/go/vt/log"
+ 	"vitess.io/vitess/go/vt/logz"
+diff --git a/go/vt/vttablet/tabletserver/querylogz_test.go b/go/vt/vttablet/tabletserver/querylogz_test.go
+index 25f03c762c7..ee26437f330 100644
+--- a/go/vt/vttablet/tabletserver/querylogz_test.go
++++ b/go/vt/vttablet/tabletserver/querylogz_test.go
+@@ -37,7 +37,7 @@ func TestQuerylogzHandler(t *testing.T) {
+ 	req, _ := http.NewRequest("GET", "/querylogz?timeout=10&limit=1", nil)
+ 	logStats := tabletenv.NewLogStats(context.Background(), "Execute")
+ 	logStats.PlanType = planbuilder.PlanSelect.String()
+-	logStats.OriginalSQL = "select name from test_table limit 1000"
++	logStats.OriginalSQL = "select name, 'inject <script>alert();</script>' from test_table limit 1000"
+ 	logStats.RowsAffected = 1000
+ 	logStats.NumberOfQueries = 1
+ 	logStats.StartTime, _ = time.Parse("Jan 2 15:04:05", "Nov 29 13:33:09")
+@@ -64,7 +64,7 @@ func TestQuerylogzHandler(t *testing.T) {
+ 		`<td>0.001</td>`,
+ 		`<td>1e-08</td>`,
+ 		`<td>Select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>none</td>`,
+ 		`<td>1000</td>`,
+@@ -95,7 +95,7 @@ func TestQuerylogzHandler(t *testing.T) {
+ 		`<td>0.001</td>`,
+ 		`<td>1e-08</td>`,
+ 		`<td>Select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>none</td>`,
+ 		`<td>1000</td>`,
+@@ -126,7 +126,7 @@ func TestQuerylogzHandler(t *testing.T) {
+ 		`<td>0.001</td>`,
+ 		`<td>1e-08</td>`,
+ 		`<td>Select</td>`,
+-		`<td>select name from test_table limit 1000</td>`,
++		regexp.QuoteMeta(`<td>select name,​ &#39;inject &lt;script&gt;alert()​;&lt;/script&gt;&#39; from test_table limit 1000</td>`),
+ 		`<td>1</td>`,
+ 		`<td>none</td>`,
+ 		`<td>1000</td>`,

SPECS/vitess/vitess.spec

@@ -3,7 +3,7 @@
 
 Name:           vitess
 Version:        17.0.7
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@@ -29,6 +29,7 @@ Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2024-45338.patch
 Patch1:         CVE-2024-45339.patch
 Patch2:         CVE-2025-22868.patch
+Patch3:         CVE-2024-53257.patch
 BuildRequires: golang
 
 %description
@@ -101,6 +102,9 @@ go test -v ./go/cmd/... \
 %{_bindir}/*
 
 %changelog
+* Thu Mar 06 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 17.0.7-6
+- Fix add patch for CVE-2024-53257
+
 * Mon Mar 03 2025 Kanishk Bansal <kanbansal@microsoft.com> - 17.0.7-5
 - Fix CVE-2025-22868 with an upstream patch