Abhishekmishra2808 commented on issue #554: URL: https://github.com/apache/tooling-trusted-releases/issues/554#issuecomment-3801118422
@sbp Understood. Here is the accurate and comprehensive taint analysis for the class of bugs in `atr/construct.py`, documented as the first inherent task.

### **Taint Analysis (Issue #554)**

#### **1. Taint Sources (Untrusted Data)**

The following database-backed or user-provided strings are "tainted" because they lack HTML validation at entry:

* `committee.display_name`
* `project.short_display_name`
* `options.fullname` and `options.asfuid` (user-provided fields)

#### **2. Conduits (Propagation Paths)**

The taint propagates through raw string replacements in these functions:

* `announce_release_subject_and_body`
* `checklist_body`
* `start_vote_subject_and_body`

#### **3. Taint Sinks (Rendering Contexts)**

* **Primary Sink:** The `/checklist/<project>/<version>` endpoint. While some renderers may omit raw tags, the current substitution logic performs no escaping, making it reliant on downstream behavior rather than being "secure by default".
* **Secondary Sinks:** Email and vote initiation previews that render these substituted strings.

### **Proposed Mitigation Strategy**

I have developed a solution that addresses this as a **class of bug** rather than individual instances:

1. **Type-Safe Tracking:** Introduce a `SafeHTML` marker type to track sanitized content in the type system.
2. **Centralized Sanitizer:** A new `substitute()` utility that automatically applies `html.escape(quote=True)` to any value not explicitly marked as `SafeHTML`.
3. **Context-Awareness:** Untrusted sources are escaped by default, while trusted, internally generated URLs are promoted to `SafeHTML` to maintain functionality.

Does this documented analysis meet the requirement for me to open the new PR?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
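The following is an added illustration of the three-part mitigation described in the comment above (marker type, centralized escaping substitute, explicit promotion of trusted URLs). It is example code written for this page, not code from the apache/tooling-trusted-releases project: the `SafeHTML`, `mark_safe`, `escape_unless_safe` and `substitute` names, the `[NAME]` placeholder syntax, the checklist template and the sample values are all assumptions constructed here.

```python
from __future__ import annotations

import html
import re
from typing import Mapping

# Added example, not the project's code. SafeHTML, substitute(), the
# [NAME] placeholder convention and the template below are assumptions.


class SafeHTML(str):
    """A str subclass marking text that is already safe to embed in HTML.

    Promotion to SafeHTML happens only where the caller knows the content
    is safe: the output of escaping, or a trusted internally generated URL.
    """

    __slots__ = ()


def mark_safe(value: str) -> SafeHTML:
    """Explicitly promote a trusted, internally generated string (e.g. a URL)."""
    return SafeHTML(value)


def escape_unless_safe(value: object) -> SafeHTML:
    """Escape anything that is not already SafeHTML; SafeHTML passes through."""
    if isinstance(value, SafeHTML):
        return value
    # quote=True also escapes " and ', so the result is safe inside attributes.
    return SafeHTML(html.escape(str(value), quote=True))


_PLACEHOLDER = re.compile(r"\[([A-Z_]+)\]")


def substitute(template: str, values: Mapping[str, object]) -> SafeHTML:
    """Fill [NAME] placeholders in a trusted template, escaping each value.

    re.sub with a callable does a single pass, so a substituted value that
    itself contains "[NAME]" is never re-expanded, and backslashes in values
    are not interpreted as group references. Unknown placeholders raise
    instead of leaking the literal placeholder into the rendered output.
    """

    def _fill(match: re.Match[str]) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder [{name}]")
        return escape_unless_safe(values[name])

    return SafeHTML(_PLACEHOLDER.sub(_fill, template))


# Constructed template standing in for a checklist body; the real one differs.
CHECKLIST_TEMPLATE = (
    "<h2>[COMMITTEE]: [PROJECT] [VERSION]</h2>\n"
    '<p>Started by [FULLNAME] ([ASFUID]). Artifacts: <a href="[URL]">[URL]</a></p>'
)


def checklist_body(
    committee_display_name: str,
    project_short_display_name: str,
    version: str,
    fullname: str,
    asfuid: str,
    artifacts_url: str,
) -> SafeHTML:
    """Render the checklist with untrusted fields escaped by default."""
    return substitute(
        CHECKLIST_TEMPLATE,
        {
            "COMMITTEE": committee_display_name,  # tainted: database-backed
            "PROJECT": project_short_display_name,  # tainted: database-backed
            "VERSION": version,
            "FULLNAME": fullname,  # tainted: user-provided
            "ASFUID": asfuid,  # tainted: user-provided
            # Only an internally generated URL may be promoted; never user input.
            "URL": mark_safe(artifacts_url),
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the display name carries markup and quotes.
    print(
        checklist_body(
            'Tooling <b>PMC</b> & "Friends"',
            "Trusted Releases",
            "1.0.0",
            "Example <i>User</i>",
            "exampleuid",
            "https://example.invalid/artifacts/1.0.0",  # placeholder URL
        )
    )
```

Because `substitute` returns `SafeHTML`, a body built by one call can be passed as a value into another template without being escaped twice, which is what makes the marker type compose across the conduit functions listed above.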
