Reproduce CVE-2025-9556 (Gonja SSTI in Go). Pair the Go reproduction with your Python target and produce the cross-language mapping document.
What you ship
- A Go program that reproduces CVE-2025-9556 against a pinned vulnerable Gonja.
- A one-to-two-page cross-language mapping document covering Jinja2 plus Gonja and pointing at Eta (JS) and FreeMarker (Java).
- A short README naming the Go and Gonja versions pinned.
- A Toolchain Diary entry for the Go toolchain and Gonja.
Tools you use
- Go 1.21+ installed locally.
- The cohort-pinned vulnerable Gonja per
lab-7/go.mod. - Your Module-4 Python reproduction harness for side-by-side comparison.
Success criteria
- The Gonja SSTI fires on the pinned vulnerable install.
- The cross-language document names at least one structural similarity and one structural difference per language pair.
- An instructor can rebuild the Gonja reproduction from your
go.modalone.
Time budget
Plan for two ninety-minute lab sessions plus two hours of independent build-out. Modules 4 and 6 commonly run over; budget one extra session for those.
Submission
Push to your student repo under adv-102/labs/lab-7/. Include source, a one-paragraph README, the output you observed, and where applicable a structured detector or trace file.