
fix(flag): validate template file extension#10296

Open
DmitriyLewen wants to merge 6 commits into aquasecurity:main from DmitriyLewen:fix/template-extension-validation

Conversation

@DmitriyLewen DmitriyLewen commented Mar 3, 2026

Description

This PR adds security validation to the --template flag to prevent arbitrary file disclosure. Previously, users could specify any file path (e.g., @/etc/passwd) as a template, and Trivy would read and potentially expose its contents in the report output. Now, template files must have the .tpl extension.

Changes

  • pkg/flag/report_flags.go: Added validation logic that checks if a template file path (prefixed with @) has the .tpl extension. The validation only triggers when --format template is specified.
  • pkg/flag/report_flags_test.go: Added test cases covering:
    • Valid .tpl template files are accepted
    • Files without .tpl extension are rejected with an error
    • Files with wrong extensions (e.g., .txt) are rejected
    • Inline templates (without @ prefix) continue to work
  • docs/: Updated CLI documentation for all commands using --template flag to indicate the .tpl extension requirement
  • schema/trivy-config.json: Updated schema description for the template field

Benefits

  • Security: Prevents information disclosure by restricting template files to .tpl extension only
  • Clear error messages: Users get an explicit error when attempting to use non-.tpl files
  • Backward compatible: Inline templates and existing .tpl files continue to work without changes
  • No false positives: Validation only applies when --format template is actually used

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
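The check the description outlines, written out as an added example in Go (not Trivy's own code from this PR): a value beginning with @ is treated as a file path and must end in .tpl, and the check only runs when the format is template. The function and constant names (validateTemplate, templatePrefix, templateExt, formatTemplate) and the sample values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed example, not Trivy's code. A --template value starting with
// "@" names a file to read; anything else is an inline template string.
const (
	templatePrefix = "@"
	templateExt    = ".tpl"
	formatTemplate = "template"
)

// validateTemplate returns an error when --format template is combined with a
// file-backed template whose path does not carry the .tpl extension. Gating
// on the format avoids rejecting a stale --template value when another
// output format is selected; inline templates are never checked because no
// file is read for them.
func validateTemplate(format, template string) error {
	if format != formatTemplate {
		return nil
	}
	if !strings.HasPrefix(template, templatePrefix) {
		return nil
	}
	path := strings.TrimPrefix(template, templatePrefix)
	// filepath.Ext returns "" for "/etc/passwd" and ".txt" for "notes.txt",
	// so both the missing- and wrong-extension cases fail this comparison.
	if filepath.Ext(path) != templateExt {
		return fmt.Errorf("template file %q must have the %s extension", path, templateExt)
	}
	return nil
}

func main() {
	// Constructed inputs mirroring the four cases the PR's tests cover, plus
	// the "other format" case that must not trigger the check.
	cases := []struct{ format, template string }{
		{"template", "@report.tpl"},
		{"template", "@/etc/passwd"},
		{"template", "@notes.txt"},
		{"template", "{{ range . }}{{ .Target }}{{ end }}"},
		{"json", "@/etc/passwd"},
	}
	for _, c := range cases {
		fmt.Printf("format=%s template=%q -> %v\n", c.format, c.template, validateTemplate(c.format, c.template))
	}
}
```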

Require .tpl extension for template files specified via --template flag
to prevent arbitrary file disclosure through the reporting system.

Template paths starting with @ are validated only when --format template
is specified. Inline templates (without @ prefix) are not affected.

Add test cases to verify:
- Template files with .tpl extension are accepted
- Template files without .tpl extension are rejected
- Files with wrong extension are rejected
- Inline templates (without @ prefix) are allowed

Regenerate documentation to reflect the new .tpl extension requirement
for template files.

Update the "Load templates from a file" section to explicitly mention
that template files must have .tpl extension.
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 3, 2026 11:22
@DmitriyLewen
Contributor Author

Reopened from #10220 after recreating the fork.
