Abhishekmishra2808 opened a new pull request, #587:
URL: https://github.com/apache/tooling-trusted-releases/pull/587

   ## Pull request summary

   **Meaningful subject (required):**
   
   fix(security): implement centralized type-safe escaping for template substitutions (#554)
   
   **Description:**
   
   This PR resolves the stored XSS vulnerability in `atr/construct.py` (Issue #554) by implementing a class-level architectural fix. Instead of manual string replacements, all template variables are now funneled through a centralized type-safe substitution system.
   
   ### **Comprehensive Taint Analysis**
   * **Source (Tainted):** Database-backed strings such as `committee.display_name` and `project.short_display_name`.
   * **Data Path:** These strings are substituted into Markdown templates via `checklist_body`, `announce_release_subject_and_body`, and `start_vote_subject_and_body`.
   * **The Sink:** The resulting Markdown is rendered as HTML in the browser at endpoints like `/checklist/<project>/<version>`.
   * **The Mitigation:**
       * **Type Safety:** Introduced a `SafeHTML` marker type to track sanitized content within the Python type system, as suggested by the contributor.
       * **Centralized Sanitizer:** All substitutions use a new `substitute()` utility that applies `html.escape(quote=True)` by default (ASVS 1.2.3 compliance).
       * **Trusted Promotion:** Internally generated URLs are explicitly promoted to `SafeHTML` using `mark_safe_html()` to prevent double-escaping while maintaining functionality.
   
   
   
   ---
   
   ## Required acknowledgements
   
   Please replace each `[ ]` with `[x]` to confirm.
   PRs missing confirmations may be closed or converted to Draft.
   
   * [x] I have read and followed **CONTRIBUTING.md**
   * [x] I have read **DEVELOPMENT.md**
   * [x] I have run the required tests and checks locally
   * [x] All required checks are currently passing
   * [x] This branch is **rebased on the current `main` branch**
   
   ---
   
   ## Draft requirement
   
   This PR is **Ready for Review**.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


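The mitigation described in the PR summary above, as an added worked example that is not code from apache/tooling-trusted-releases or from the PR itself. The names `SafeHTML`, `substitute()` and `mark_safe_html()` are taken from the description; their signatures, the `escape_html` and `internal_url` helpers, the `checklist_body_before` "before" function, the checklist template text, the base URL `https://example.invalid` and the sample display name are all assumptions made for illustration. The point it shows is the one the PR relies on: a tainted database string is escaped once at the single choke point, an application-built URL is promoted so it is not escaped again, and the result carries a type that says so.

```python
import html
import string
from collections.abc import Mapping
from urllib.parse import quote


class SafeHTML(str):
    """Marker type for text that is already HTML-escaped or is trusted markup.

    Only escape_html() and mark_safe_html() should ever construct one; every other
    str reaching substitute() is treated as tainted.
    """

    __slots__ = ()


def mark_safe_html(value: str) -> SafeHTML:
    """Promote a string the application built itself (never user or database data)."""
    return SafeHTML(value)


def escape_html(value: object) -> SafeHTML:
    """Escape one substitution value; SafeHTML passes through, so nothing is escaped twice."""
    if isinstance(value, SafeHTML):
        return value
    # quote=True also escapes " and ', so the value is safe inside attributes as well.
    return SafeHTML(html.escape(str(value), quote=True))


def substitute(template: str, values: Mapping[str, object]) -> SafeHTML:
    """Expand $name placeholders (string.Template syntax); every value is escaped unless SafeHTML.

    A missing key raises KeyError; a literal dollar sign in the template is written as $$.
    """
    escaped = {name: escape_html(value) for name, value in values.items()}
    return SafeHTML(string.Template(template).substitute(escaped))


BASE_URL = "https://example.invalid"  # assumed base for internally generated URLs


def internal_url(*segments: str) -> SafeHTML:
    """Build a URL from path segments; percent-encoding each segment is what earns the SafeHTML mark."""
    path = "/".join(quote(segment, safe="") for segment in segments)
    return mark_safe_html(f"{BASE_URL}/{path}")


# Constructed template standing in for the project's checklist Markdown (not the real one).
CHECKLIST_TEMPLATE = (
    "## Release checklist for $display_name\n\n"
    "Review the candidate at [$checklist_url]($checklist_url)\n"
)


def checklist_body_before(display_name: str, project: str, version: str) -> str:
    """The pattern the PR replaces: manual str.replace() with no escaping (deliberately unsafe)."""
    url = f"{BASE_URL}/checklist/{project}/{version}"
    return CHECKLIST_TEMPLATE.replace("$display_name", display_name).replace("$checklist_url", url)


def checklist_body(display_name: str, project: str, version: str) -> SafeHTML:
    """Hardened form: the tainted display_name is escaped, the URL the app built passes through."""
    return substitute(
        CHECKLIST_TEMPLATE,
        {"display_name": display_name, "checklist_url": internal_url("checklist", project, version)},
    )


if __name__ == "__main__":
    # Constructed tainted value of the kind a stored committee display name could carry.
    tainted = 'Foo Committee <script>alert(1)</script> "Bar"'
    print(checklist_body_before(tainted, "tooling", "1.0.0-rc1"))  # <script> reaches the sink
    print(checklist_body(tainted, "tooling", "1.0.0-rc1"))         # &lt;script&gt; instead
```

Two caveats a reviewer of this design would keep in mind. First, the marker type is only as strong as the discipline around `mark_safe_html()`: the type checker confirms that a `SafeHTML` came from one of the two constructors, not that the value handed to the promoting call was actually trustworthy, so that call should sit next to the code that builds the value, as `internal_url` does here, rather than be applied to a value received from elsewhere. Second, `html.escape` neutralises the HTML sink only; brackets, parentheses and backticks in a tainted value are left alone, so what the Markdown renderer is allowed to do with them (raw HTML, link schemes) remains a separate setting to check.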