sbp commented on issue #554:
URL: https://github.com/apache/tooling-trusted-releases/issues/554#issuecomment-3778720333

@Abhishekmishra2808 As part of this issue, but not yet documented in this thread, we first wanted to perform taint analysis of all of the values. The functions in `atr/construct.py` that emit Markdown after substituting variables are `announce_release_subject_and_body`, `checklist_body`, and `start_vote_subject_and_body`, and ideally we would look at how they're used and whether they get injected into unsafe contexts. We should be able to substitute in some HTML, e.g. `<script>console.log("script injection");</script>`, and see if it renders as HTML through any of the output conduits (the paths in the code from those functions to the user).

Then, to fix it, we really want to fix the class of bug rather than the individual instance. It would be great if we could track potentially tainted values in the type system, for example. If you have any thoughts on this, please let us know!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
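One way to realise the "track tainted values in the type system" idea from the comment above, as an added example that is not code from apache/tooling-trusted-releases: untrusted input is wrapped in a `Tainted` type that cannot be interpolated into a string until it is escaped into `Safe`, and the Markdown emitter (here a stand-in named `announce_subject_and_body`, not the project's own function) only accepts `Safe`. The probe string is the one suggested in the comment.

```python
"""Taint-tracking sketch for values substituted into Markdown. Added example,
not code from apache/tooling-trusted-releases; announce_subject_and_body
stands in for the emitters named in the issue."""
import html


class Safe(str):
    """Escaped text (or a trusted literal) that may reach a Markdown emitter."""


class Tainted:
    """A value from a form field, artifact or user. It refuses to become a str
    by accident (str() and f-strings raise), so the only exit is escape()."""

    __slots__ = ("_raw",)

    def __init__(self, raw: str) -> None:
        self._raw = raw

    def __str__(self) -> str:
        raise TypeError("tainted value interpolated without escaping")

    def __format__(self, spec: str) -> str:
        raise TypeError("tainted value interpolated without escaping")

    def escape(self) -> Safe:
        # html.escape neutralises raw HTML, which Markdown renderers
        # otherwise pass straight through to the browser.
        return Safe(html.escape(self._raw, quote=True))


def announce_subject_and_body(project: Safe, version: Safe) -> tuple[str, str]:
    """Emits Markdown. The annotations let mypy reject Tainted arguments; the
    runtime isinstance check catches callers that bypass the type checker."""
    for value in (project, version):
        if not isinstance(value, Safe):
            raise TypeError(f"expected Safe, got {type(value).__name__}")
    subject = f"[ANNOUNCE] {project} {version} released"
    body = f"# {project} {version}\n\nThe release vote has passed."
    return subject, body


# Constructed probe, matching the check suggested in the issue comment.
SCRIPT_PROBE = Tainted('<script>console.log("script injection");</script>')


def probe_is_neutralised() -> bool:
    """True if the probe cannot survive as raw HTML in either output."""
    outputs = announce_subject_and_body(Tainted("Apache Foo").escape(), SCRIPT_PROBE.escape())
    return all("<script" not in text for text in outputs)
```

Running mypy over callers then reports every place a plain `str` or `Tainted` is passed where `Safe` is required, which is the class-of-bug fix rather than a per-instance one.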

