Abhishekmishra2808 opened a new pull request, #608: URL: https://github.com/apache/tooling-trusted-releases/pull/608
## PR Description

### Summary

This PR addresses the CRLF injection vulnerability in the atr/mail.py module as reported in Issue #603. The email construction logic has been refactored to rely on native Python security mechanisms for robust header validation, ensuring compliance with secure communication standards.

### Changes

- **Security Refactor**: Refactored email construction to use `email.message.EmailMessage`, providing built-in protection against CRLF injection in headers.
- **Address Registry**: Integrated `email.headerregistry.Address` for `From` and `To` headers to ensure RFC-compliant address handling and block malformed address exploits, as suggested by @sebbASF.
- **Error Handling**: Added a `try...except ValueError` block in `send()` to catch and log unauthorized injection attempts as high-priority **SECURITY** events.
- **Style Compliance**: Reorganized all functions in `atr/mail.py` in strict alphabetical order to adhere to the project style guide.
- **Test Suite**: Added 11 comprehensive unit tests under `tests/unit/test_mail.py` to validate protection against multiple injection patterns (`\r`, `\n`, `\r\n`).
- **Dependency Sync**: Updated `uv.lock` after resolving merge conflicts to ensure a fully synchronized environment using `uv sync --frozen --all-groups`.

### Acceptance Criteria Verification

- [x] Header sanitization function created: Leveraging native `EmailMessage` validation logic.
- [x] Applied to all email header values: Covers `Subject`, `From`, `To`, `Date`, and `Reply-To`.
- [x] CR, LF, and null bytes removed: Structural validation prevents these characters from entering headers.
- [x] Test cases for injection attempts: 11 new tests added in `tests/unit/`.
- [x] Standard library usage: Fully transitioned to `EmailMessage` and `Address` for automatic RFC-compliant handling.
### Verification Results

All 11 tests pass locally using:

```bash
pytest tests/unit/test_mail.py
```

(screenshot: pytest output)

Make Check Results

(screenshot: `make check` output)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
