Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:python-memray
User: [email protected]
Usertags: pu
* CVE-2026-32722: XSS in generated HTML reports via unescaped
command-line metadata (Closes: #1131372)
diffstat for python-memray-1.17.0+dfsg python-memray-1.17.0+dfsg
changelog | 8 ++
patches/0001-Fix-escaping-in-HTML-reports.patch | 88 ++++++++++++++++++++++++
patches/series | 1
3 files changed, 97 insertions(+)
diff -Nru python-memray-1.17.0+dfsg/debian/changelog python-memray-1.17.0+dfsg/debian/changelog
--- python-memray-1.17.0+dfsg/debian/changelog 2025-04-04 22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/changelog 2026-06-24 14:32:46.000000000 +0300
@@ -1,3 +1,11 @@
+python-memray (1.17.0+dfsg-1.1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-32722: XSS in generated HTML reports via unescaped
+ command-line metadata (Closes: #1131372)
+
+ -- Adrian Bunk <[email protected]> Wed, 24 Jun 2026 14:32:46 +0300
+
python-memray (1.17.0+dfsg-1) unstable; urgency=medium
* New upstream version 1.17.0.
diff -Nru python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch
--- python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-memray-1.17.0+dfsg/debian/patches/0001-Fix-escaping-in-HTML-reports.patch 2026-06-24 14:32:46.000000000 +0300
@@ -0,0 +1,88 @@
+From b08620f772126ed3e340ddbb9893819a32289ab5 Mon Sep 17 00:00:00 2001
+From: Matt Wozniski <[email protected]>
+Date: Wed, 11 Mar 2026 14:52:56 -0400
+Subject: Fix escaping in HTML reports
+
+Ensure the command line is properly HTML escaped when writing it into
+flamegraph and table reports.
+
+Signed-off-by: Matt Wozniski <[email protected]>
+---
+ src/memray/reporters/templates/base.html | 2 +-
+ tests/unit/test_templates.py | 43 ++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/memray/reporters/templates/base.html
b/src/memray/reporters/templates/base.html
+index b3bfc94..ce5f4ea 100644
+--- a/src/memray/reporters/templates/base.html
++++ b/src/memray/reporters/templates/base.html
+@@ -95,7 +95,7 @@
+ </button>
+ </div>
+ <div class="modal-body">
+- Command line: <code>{{ metadata.command_line }}</code><br>
++ Command line: <code>{{ metadata.command_line|e }}</code><br>
+ Start time: <span id="stats-start-time"> {{ metadata.start_time
}}</span><br>
+ End time: <span id="stats-end-time"> {{ metadata.end_time
}}</span><br>
+ Duration: {{ metadata.end_time - metadata.start_time }}<br>
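Review bot: the `|e` filter on `metadata.command_line` closes the one field named in the CVE, but the fact that it is needed at all shows this template is rendered without Jinja2 autoescaping, so any other attacker-influenced value that reaches the template (now or in a later edit) has to be escaped by hand the same way. Turning autoescaping on for the Environment that renders these reports (`jinja2.Environment(..., autoescape=True)`) would cover the whole template family in one place; `|e` yields a `Markup` value, so this line would not be double-escaped by that change. The `start_time`/`end_time` lines below stay unescaped, which is acceptable while they are `datetime` objects, as they are in the test added later in this patch.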
+diff --git a/tests/unit/test_templates.py b/tests/unit/test_templates.py
+index 2a57ef3..1938f5c 100644
+--- a/tests/unit/test_templates.py
++++ b/tests/unit/test_templates.py
+@@ -1,6 +1,11 @@
++from datetime import datetime
++
+ import pytest
+
++from memray import Metadata
++from memray._memray import FileFormat
+ from memray.reporters.templates import get_report_title
++from memray.reporters.templates import render_report
+
+
+ @pytest.mark.parametrize(
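Review bot: `FileFormat` is imported from the private `memray._memray` extension module while `Metadata` is imported from the public `memray` namespace on the line above; if `FileFormat` is re-exported by `memray` in 1.17.0, import it from there so the test does not depend on a private module name. Either way the test needs the compiled extension, so it only verifies the fix if the package build or autopkgtest runs pytest against the built extension, and this debdiff does not touch `debian/rules` or the test configuration.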
+@@ -21,3 +26,41 @@ def test_title_for_regular_report(kind, show_memory_leaks,
inverted, expected):
+ )
+ == expected
+ )
++
++
[email protected](
++ "kind",
++ ["flamegraph", "table"],
++)
++def test_html_report_escaping(kind):
++ """Test that command line arguments are properly escaped."""
++ # GIVEN
++ metadata = Metadata(
++ start_time=datetime(2024, 1, 1, 0, 0, 0),
++ end_time=datetime(2024, 1, 1, 0, 1, 0),
++ total_allocations=100,
++ total_frames=10,
++ peak_memory=1024,
++ command_line="python test.py </code>",
++ pid=12345,
++ main_thread_id=1,
++ python_allocator="pymalloc",
++ has_native_traces=False,
++ trace_python_allocators=False,
++ file_format=FileFormat.ALL_ALLOCATIONS,
++ )
++
++ # WHEN
++ html_output = render_report(
++ kind=kind,
++ data=[],
++ metadata=metadata,
++ memory_records=[],
++ show_memory_leaks=False,
++ merge_threads=False,
++ inverted=False,
++ )
++
++ # THEN
++ assert html_output.count("<code>") == html_output.count("</code>")
++ assert "python test.py </code>" in html_output
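Review bot: the second assertion, `assert "python test.py </code>" in html_output`, does not check escaping; it requires the raw, unescaped command line to still appear somewhere in the rendered page, which can only hold if the value is emitted a second time outside the `<code>` element, and it leaves the reader to work out how that coexists with the balanced tag count in the first assertion. A check that targets the fix directly would be `assert "python test.py &lt;/code&gt;" in html_output` together with `assert "<code>python test.py </code>" not in html_output`. If the raw copy is a serialization for the page's scripts, the payload should also contain `</script>` so the test confirms that context cannot be broken out of either.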
+--
+2.47.3
+
diff -Nru python-memray-1.17.0+dfsg/debian/patches/series python-memray-1.17.0+dfsg/debian/patches/series
--- python-memray-1.17.0+dfsg/debian/patches/series 2025-04-04 22:28:26.000000000 +0300
+++ python-memray-1.17.0+dfsg/debian/patches/series 2026-06-24 14:32:44.000000000 +0300
@@ -3,3 +3,4 @@
003-rm-distutils-from-setup.patch
002-rm-external-git-link.patch
001-fix-html-privacy-breach.patch
+0001-Fix-escaping-in-HTML-reports.patch
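Review bot: the new patch is applied after 001-fix-html-privacy-breach.patch, which by its name also edits the HTML templates; the new patch's hunk is anchored at base.html line 95 of the upstream commit, so confirm with `quilt push -a` (or a full build) that it still applies without fuzz on top of the earlier template patch and refresh the offsets if it does not. The `0001-` prefix also departs from the existing `00N-` naming in series; harmless, but a `004-` name would keep the directory consistent.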