Sandbox Escape in Buffalo

Buffalo is a Go web framework that leverages the Plush templating engine for dynamic content generation. While Plush offers powerful features, it can become a conduit for sandbox escape attacks when user input is improperly handled. A sandbox escape occurs when an attacker breaks out of the intended template constraints to execute arbitrary Go code on the server, potentially leading to full system compromise.

Plush templates embed expressions within {{ ... }} delimiters. By default, Buffalo auto-escapes HTML output for data values, but this does not protect the template structure itself. The vulnerability arises when user-supplied input is used as part of the template source. For example, if a controller reads a query parameter and passes it directly to plush.NewTemplate().Parse(), an attacker can inject Plush directives that invoke system commands, read environment variables, or call arbitrary functions.

Consider this vulnerable controller action:

func (v *AdminController) RenderDynamic(c buffalo.Context) error {
    tmplSource := c.Param("template")
    tmpl, _ := plush.NewTemplate().Parse(tmplSource)
    data := map[string]interface{}{
        "Env": os.Getenv,
    }
    var buf bytes.Buffer
    tmpl.Execute(&buf, data)
    return c.Render(200, r.String(buf.String()))
}

Here, the template parameter is parsed as a Plush template. An attacker could supply {{ (call .Env "HOME") }} to leak the HOME environment variable, or {{ (call (import "os/exec").Command "ls") }} if the import function is available, to list directory contents. Even without import, functions inadvertently exposed in the context can be abused.

File upload features that store user-provided templates in the views directory also pose a risk. In multi-tenant applications, a successful sandbox escape can compromise isolation and lead to data breaches.

The impact is severe: arbitrary command execution, file system access, data exfiltration, and lateral movement. This vulnerability maps to OWASP API Security Top 10: A03:2021 – Injection and can cause non-compliance with PCI-DSS, HIPAA, and GDPR.

Detecting sandbox escape in Buffalo requires identifying template injection points. Look for any code that parses templates from user-controlled sources, such as plush.NewTemplate().Parse() with data from c.Param, c.Query, c.Body, or file uploads. Also check for custom template functions that might expose dangerous capabilities.

Manual testing involves sending payloads that attempt code execution. Simple tests like {{7*7}} should return 49 if evaluated. More targeted payloads can call functions: {{ (call .SomeFunc "arg") }}. Observe responses for unexpected data, error messages, or stack traces that reveal template processing.

middleBrick automates this through its Input Validation check. As a black-box scanner, it sends a battery of Plush-specific injection payloads to your API endpoints. It analyzes responses for signs of successful execution, including calculation results, Go stack traces, or leaked environment variables. The scanner also probes for eval-like behavior by evaluating simple expressions. Because it requires no credentials, middleBrick tests the unauthenticated surface exactly as an attacker would, and completes scans in 5–15 seconds.

For comprehensive coverage, combine automated scanning with periodic code reviews. Search the codebase for dynamic template parsing and review the context passed to templates. middleBrick's Pro plan offers continuous monitoring and CI/CD integration via GitHub Action, ensuring new vulnerabilities are caught before deployment.

Additionally, monitor for file upload handling that might store user content in the templates directory. Any such feature should be treated as high risk and tested rigorously.

Remediation centers on eliminating dynamic template parsing. Buffalo's architecture encourages static template files in the templates directory. Always render these static templates using c.Render and pass user data as context values. For example:

func (v *UserController) Profile(c buffalo.Context) error {
    user := getUser(c.Param("id"))
    return c.Render(200, r.HTML("users/profile.html", map[string]interface{}{
        "User": user,
    }))
}

In templates/users/profile.html, output user data with {{ .User.Name }}. Buffalo's Plush engine auto-escapes these values, preventing XSS. Since the template is static, injection is impossible.

If dynamic templates are unavoidable (e.g., a CMS), apply strict controls:

• Whitelist allowed template names; never accept raw template source from users.
• If snippets are necessary, render them in a separate, sandboxed service with minimal permissions.
• Consider alternative engines designed for safe user templates, but even html/template requires careful use.
• Remove hazardous functions from the Plush context. When configuring the view engine, override or delete eval, import, and similar functions.

Also, avoid passing objects with callable methods to templates. Pass simple data (maps, slices, primitives) and perform any method calls in the controller before rendering.

Maintain up-to-date dependencies. Past vulnerabilities like CVE-2020-36560 (arbitrary function call via call) were patched in newer Plush versions. Regularly scan with middleBrick to verify that your endpoints remain resilient against template injection and other input validation issues.

By following these practices, you can significantly reduce the risk of sandbox escape in your Buffalo APIs.