Abhishekmishra2808 commented on issue #603: URL: https://github.com/apache/tooling-trusted-releases/issues/603#issuecomment-3812388371
Hi @andrewmusselman I would like to work on this issue. I have reviewed the CRLF injection risk and the relevant ASVS requirements.

**Proposed implementation plan:**

1. **Sanitization utility:** Implement a `sanitize_header_value` helper in `atr/mail.py` using `re.sub(r'[\r\n\x00]', '', value)` to remove CRLF and null-byte characters from header values.
2. **Header hardening:** Apply this sanitizer to all user-controlled email headers (e.g., Subject, From, Reply-To) in `atr/mail.py` and `atr/tasks/vote.py`.
3. **Design review:** Evaluate whether refactoring `send()` to use Python’s `email.message.EmailMessage` is feasible, as it provides safer header handling by default. I will proceed based on maintainer preference before a large refactor.
4. **Verification:** Add unit tests with malicious payloads (e.g., `\r\nBcc:`) to ensure header injection attempts are neutralized.

If this approach looks good, I’d be happy to take this issue on!
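The sanitizer and the `EmailMessage` check from the plan above, written out as an added example (not code from the tooling-trusted-releases repository): `sanitize_header_value`, `build_vote_mail` and `stdlib_rejects_header` are hypothetical names, and the `\r\nBcc:` subject is a constructed test payload.

```python
import re
from email.message import EmailMessage

# Hypothetical helper following the plan in the comment; not atr/mail.py's own code.
_HEADER_CTRL = re.compile(r"[\r\n\x00]")


def sanitize_header_value(value: str) -> str:
    """Remove CR, LF and NUL so the value can never terminate the current header line."""
    return _HEADER_CTRL.sub("", value)


def build_vote_mail(subject: str, sender: str, recipient: str, body: str) -> EmailMessage:
    """Build a message whose user-controlled headers all pass through the sanitizer."""
    msg = EmailMessage()
    msg["Subject"] = sanitize_header_value(subject)
    msg["From"] = sanitize_header_value(sender)
    msg["To"] = sanitize_header_value(recipient)
    msg.set_content(body)
    return msg


def stdlib_rejects_header(value: str) -> bool:
    """True if EmailMessage (email.policy.default) refuses the raw value.

    The default policy raises ValueError when a header value spans more than
    one line, which is the safety net the plan's item 3 refers to. Note that
    it does not reject NUL bytes, so the sanitizer is still worth keeping.
    """
    msg = EmailMessage()
    try:
        msg["Subject"] = value
    except ValueError:
        return True
    return False


# Constructed test payload: a subject that tries to smuggle in an extra Bcc header.
INJECTED_SUBJECT = "[VOTE] Release 1.0\r\nBcc: someone@example.invalid"


def demo() -> list:
    """Build a message from the payload and return its header names for inspection."""
    msg = build_vote_mail(INJECTED_SUBJECT, "dev@example.invalid",
                          "list@example.invalid", "Please vote on the release.")
    print(msg.as_string())  # the would-be Bcc line now sits inside the Subject text
    return list(msg.keys())


if __name__ == "__main__":
    demo()
```

Stripping (rather than rejecting) leaves the attacker's text concatenated into the Subject, so a unit test should assert both that no extra header appears and that the surviving value is what you expect.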
