I was expecting to be able to open myself up to RCE and share the fear, but all I got was a bit of confidentiality loss.

During a casual security review through this code, I couldn't help but notice this little guy being compiled exactly once.

var opRx = regexp.MustCompile(`\$\{(\w+?):(?:[^}\$]|(\$[^\{]))+}`)

To me this is perfectly acceptable, but I'm afraid this optimization does not capture the ethos I have come to know and love with certain Java-based logging libraries.

I'm hoping in the future someone could correct this by moving the expression closer to where it is used, for example:

func (e env) subst(s string) string {
	for {
		opRx := regexp.MustCompile(`\$\{(\w+?):(?:[^}\$]|(\$[^\{]))+}`) // prevent it from getting stale
		
		s2 := opRx.ReplaceAllStringFunc(s, func(sub string) string {
			i := strings.Index(sub, ":")
			return e.lookup(sub[2:i], sub[i+1:len(sub)-1])
		})
		if s2 == s {
			return s2
		}
		s = s2
	}
}

This would mean putting the compilation in the hot loop. I would like to ensure each invocation to ReplaceAllStringFunc have its very own regular expression. After all, someone could have replaced the package-scoped variable with something malicious. It's best to be pragmatic and reassure yourself and others that this is indeed the real opRx, and not some impostor.

Proof Of Concept

var opRx = hack{}

type hack struct{}

func (hack) ReplaceAllStringFunc(_ string, _ func(sub string) string) string {
	exec.Command("calc.exe").Run() // malicious calculator
	return "log"
}

As you can see, simply adding in this snippet of malicious code renders the beautiful library open to attack.

CVSS Base Score:
9.3
Impact Subscore:
6.0
Exploitability Subscore:
2.5
CVSS Temporal Score:
9.1
CVSS Environmental Score:
NA
Modified Impact Subscore:
NA
Overall CVSS Score:
9.1