asf-tooling opened a new issue, #991:
URL: https://github.com/apache/tooling-trusted-releases/issues/991
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The email template construction in `atr/construct.py` uses sequential
`str.replace()` operations without escaping template markers (`{{...}}`) in
user-provided content. A committer can inject template variables (e.g., setting
the revision tag to `{{YOUR_FULL_NAME}}`) that expand using the identity of
whoever triggers the email, breaking semantic integrity and allowing identity
confusion attacks.
### Details
The vulnerability exists because values substituted by earlier replacements are
not sanitized for `{{VAR}}` patterns that match later substitution variables.
Affected functions include email template construction at lines 93-111,
106-117, 161-196, and 176-188 in `atr/construct.py`. An attacker can inject
variables that will be replaced with the announcer's real name or other
sensitive context in the final email.
### Recommended Remediation
**Option 1 (Quick Fix):** Implement `_escape_template_vars()` function to
escape `{{...}}` patterns in replacement values by replacing `{{` with `{ {`
and `}}` with `} }`. Apply this to all non-URL, non-validated replacement
values.
**Option 2 (Preferred):** Implement single-pass template substitution using
regex pattern matching where all variables are substituted simultaneously via a
`_substitute_template()` function that uses `re.compile()` with a pattern
matching all variable names at once. This prevents earlier substitutions from
affecting later ones.
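The sequential-replacement defect described under Details, with both remediation options from above, as an added illustration (not code from `atr/construct.py`; the template text, the `PROJECT`, `VERSION` and `REVISION_TAG` names and the sample values are assumed, only `YOUR_FULL_NAME` comes from the issue):

```python
import re

# Constructed template and values (assumptions for illustration; the real
# templates live in atr/construct.py and are not reproduced here).
TEMPLATE = (
    "Release {{PROJECT}} {{VERSION}} (tag {{REVISION_TAG}}) "
    "announced by {{YOUR_FULL_NAME}}"
)
VALUES = {
    "PROJECT": "example",
    "VERSION": "1.2.3",
    # Committer-controlled value carrying a template marker.
    "REVISION_TAG": "{{YOUR_FULL_NAME}}",
    # Identity of whoever triggers the email, substituted last.
    "YOUR_FULL_NAME": "Alice Announcer",
}


def render_sequential(template: str, values: dict) -> str:
    """The vulnerable pattern: one str.replace() per variable, in order.
    A marker smuggled in by an early value is expanded by a later pass."""
    out = template
    for name, value in values.items():
        out = out.replace("{{" + name + "}}", value)
    return out


def _escape_template_vars(value: str) -> str:
    """Option 1: break the marker syntax inside a value so that no later
    replacement can match it ('{{X}}' becomes '{ {X} }')."""
    return value.replace("{{", "{ {").replace("}}", "} }")


def render_escaped(template: str, values: dict, trusted=frozenset()) -> str:
    """Sequential replacement with Option 1 applied to every value that is
    not in the caller's trusted (URL / validated) set."""
    safe = {k: (v if k in trusted else _escape_template_vars(v))
            for k, v in values.items()}
    return render_sequential(template, safe)


def _substitute_template(template: str, values: dict) -> str:
    """Option 2: single-pass substitution. The regex scans only the original
    template, so text inserted for one variable is never re-scanned."""
    pattern = re.compile(r"\{\{(" + "|".join(map(re.escape, values)) + r")\}\}")
    return pattern.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    for fn in (render_sequential, render_escaped, _substitute_template):
        print(fn.__name__, "->", fn(TEMPLATE, VALUES))
```

Only `render_sequential` expands the smuggled marker into the announcer's name; the escaped and single-pass variants leave the injected text inert, which is exactly what the unit tests in the acceptance criteria should assert.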
### Acceptance Criteria
- [ ] Template variable injection is prevented through escaping or
single-pass substitution
- [ ] All email template construction paths sanitize user-provided content
- [ ] Unit tests verify that injected `{{VAR}}` patterns in user input are
not expanded
- [ ] Integration test confirms revision tags containing template markers do
not affect email output
### References
- Source reports: L2:1.3.3.md, L2:1.3.10.md
- Related findings: None
- ASVS sections: 1.3.3, 1.3.10
### Priority
Medium
This is an automated message from the Apache Git Service.