andrewmusselman opened a new issue, #603:
URL: https://github.com/apache/tooling-trusted-releases/issues/603
## Summary
Email subject lines and other headers are directly interpolated into email
headers without validating for CRLF characters. An attacker who can control the
subject could inject additional headers, including BCC recipients.
## ASVS Requirements
- 1.2.1 - Verify that output encoding prevents injection attacks
## Related Audit Reports
- [1.2.1.md](ASVS/reports/44ee502/L1/1.2.1.md) - ASVS-121-MED-002
## Affected Files
- `atr/mail.py` - `send()` function (lines 52-63)
- `atr/tasks/vote.py` - `_initiate_core_logic()` function
## Current Behavior
```python
# atr/mail.py
headers = [
    f"Subject: {message.subject}",  # User input, not sanitized
]
```
## Risk
- BCC injection for information disclosure
- Email spoofing
- Phishing attacks from legitimate infrastructure
- Header manipulation
## Recommended Fix
```python
# atr/mail.py
import re


def sanitize_header_value(value: str) -> str:
    """Remove characters that could enable header injection."""
    return re.sub(r"[\r\n\x00]", "", value)


def send(message: Message) -> None:
    headers = [
        f"Subject: {sanitize_header_value(message.subject)}",
        f"From: {sanitize_header_value(message.sender)}",
        # ... apply to all header values
    ]
```
## Acceptance Criteria
- [ ] Header sanitization function created
- [ ] Applied to all email header values (Subject, From, Reply-To, etc.)
- [ ] CR, LF, and null bytes removed
- [ ] Test cases for injection attempts
- [ ] Consider using Python's email library which handles this automatically
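An added example (not the project's code) that models the f-string interpolation described above, shows how a CRLF in the subject splits into an extra header, and checks both mitigations from the acceptance criteria: the sanitizer and the standard library's `EmailMessage`, whose default policy refuses header values containing CR or LF. `render_headers`, `header_names`, `stdlib_rejects` and the test input are hypothetical names constructed for this illustration.

```python
import re
from email.message import EmailMessage

# Characters that can end the current header line (or truncate it downstream).
_CTRL_RE = re.compile(r"[\r\n\x00]")


def sanitize_header_value(value: str) -> str:
    """Strip CR, LF and NUL so a value cannot start a new header line."""
    return _CTRL_RE.sub("", value)


def render_headers(subject: str, sender: str, sanitize: bool) -> str:
    """Hypothetical stand-in for the interpolation in atr/mail.py's send()."""
    clean = sanitize_header_value if sanitize else (lambda v: v)
    headers = [f"Subject: {clean(subject)}", f"From: {clean(sender)}"]
    return "\r\n".join(headers) + "\r\n\r\n"


def header_names(raw: str) -> list[str]:
    """Header names a receiving MTA would see in a rendered header block."""
    block = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in block.split("\r\n") if ":" in line]


def stdlib_rejects(subject: str) -> bool:
    """True if EmailMessage refuses the value under its default EmailPolicy."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject  # raises ValueError on embedded CR/LF
    except ValueError:
        return True
    return False


# Constructed test input: a subject that tries to smuggle a Bcc header.
INJECTED_SUBJECT = "Release vote\r\nBcc: someone@example.invalid"
SENDER = "noreply@example.invalid"

if __name__ == "__main__":
    print(header_names(render_headers(INJECTED_SUBJECT, SENDER, sanitize=False)))  # ['Subject', 'Bcc', 'From']
    print(header_names(render_headers(INJECTED_SUBJECT, SENDER, sanitize=True)))   # ['Subject', 'From']
    print(stdlib_rejects(INJECTED_SUBJECT))  # True
```

Note that `EmailMessage` only rejects CR/LF; a NUL byte passes through, so keep the explicit sanitizer (or a reject-on-sight check) even when switching to the standard library.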
--
This is an automated message from the Apache Git Service.