Anonymous Intelligence Signal

Template Injection Flaw in Email Construction Module Allows Identity Confusion Attacks

human The Lab unverified 2026-05-10 23:01:44 Source: GitHub Issues

A security researcher has identified a template injection vulnerability in the email template construction logic of `atr/construct.py` that could allow committers to inject arbitrary template variables into system-generated emails. The flaw stems from sequential `str.replace()` operations that fail to escape template markers in user-provided content before substitution. The issue affects multiple functions handling email generation at lines 93-111, 106-117, 161-196, and 176-188 in the affected module, classified as ASVS Level 2 severity.

The vulnerability enables an attacker to inject template variables (in particular `{{VAR}}` patterns) into fields that survive the intermediate replacements and are then expanded using the identity of whoever triggers the final email. For example, a committer could set a revision tag to `{{YOUR_FULL_NAME}}`, which would resolve to the real name of the email recipient when the template is processed. This breaks the semantic integrity of automated communications and creates the conditions for identity confusion attacks, where recipients receive messages that appear to be authored or customized by the system but contain attacker-controlled variable expansions.

The discovery raises concerns about trust in automated notification systems and highlights risks in template architectures that perform chained string replacements without sanitizing intermediate outputs. Affected functions in `atr/construct.py` lack safeguards against nested or cross-referencing variable injection. A proposed remediation involves implementing an `_escape_template_vars()` helper function to neutralize `{{...}}` patterns in values before they enter the substitution pipeline. Until patched, organizations using this module should audit email-triggering workflows for potential injection points in user-supplied fields.
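The following is an added, constructed illustration of the chained-replace failure described above and of the two defensive measures the advisory mentions (escaping `{{...}}` markers in values before substitution, and auditing user-supplied fields for markers). It is not the code of `atr/construct.py`; the template text, field names, substitution order and the `construct_*` / `audit_user_fields` helpers are assumptions chosen to reproduce the behaviour the report describes. A single-pass substitution is shown as a further design option beyond the proposed `_escape_template_vars()` helper.

```python
"""Chained str.replace() template injection: vulnerable form, escaped form,
single-pass form, and an audit helper. Constructed example; not the
project's own code."""
from __future__ import annotations

import re

# Constructed template in the same {{VAR}} style the advisory describes.
TEMPLATE = (
    "Hello {{YOUR_FULL_NAME}},\n"
    "A new revision {{REVISION_TAG}} of {{PROJECT}} is ready for review.\n"
)

# Assumed substitution order: user-controlled fields are expanded before the
# recipient's identity, so their contents are re-scanned by later replaces.
ORDER = ["REVISION_TAG", "PROJECT", "YOUR_FULL_NAME"]

# Constructed field values: the revision tag carries the injected marker.
VALUES = {
    "REVISION_TAG": "{{YOUR_FULL_NAME}}",   # attacker-controlled field
    "PROJECT": "example-project",           # project-controlled field
    "YOUR_FULL_NAME": "Recipient Name",     # filled in per recipient
}

TEMPLATE_VAR = re.compile(r"\{\{([A-Z0-9_]+)\}\}")


def construct_vulnerable(template: str, values: dict[str, str]) -> str:
    """Sequential str.replace(): a value substituted early is re-scanned by
    every later replacement, so a {{...}} marker inside it is expanded."""
    out = template
    for name in ORDER:
        out = out.replace("{{" + name + "}}", values[name])
    return out


def _escape_template_vars(value: str) -> str:
    """Neutralise template markers in a value before it enters the pipeline.
    Every '{' that is followed by another '{' gets a space after it (and the
    same for '}'), so no '{{' or '}}' run survives, whatever the marker
    name grammar is. The escaping style is an assumption."""
    value = re.sub(r"\{(?=\{)", "{ ", value)
    return re.sub(r"\}(?=\})", "} ", value)


def construct_hardened(template: str, values: dict[str, str]) -> str:
    """Same chained replacement, but every value is escaped first."""
    out = template
    for name in ORDER:
        out = out.replace("{{" + name + "}}", _escape_template_vars(values[name]))
    return out


def construct_single_pass(template: str, values: dict[str, str]) -> str:
    """Alternative design: one regex pass over the template only. Substituted
    values are never re-scanned, so markers inside them stay literal text.
    Unknown markers are left untouched rather than expanded."""
    return TEMPLATE_VAR.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def audit_user_fields(values: dict[str, str], user_fields: list[str]) -> list[str]:
    """Audit helper: report user-supplied fields whose value contains a
    template marker, i.e. candidate injection points."""
    return [f for f in user_fields if TEMPLATE_VAR.search(values.get(f, ""))]


if __name__ == "__main__":
    print("vulnerable:\n" + construct_vulnerable(TEMPLATE, VALUES))
    print("escaped:\n" + construct_hardened(TEMPLATE, VALUES))
    print("single pass:\n" + construct_single_pass(TEMPLATE, VALUES))
    print("fields carrying markers:", audit_user_fields(VALUES, ["REVISION_TAG", "PROJECT"]))
```

In the vulnerable path the tag `{{YOUR_FULL_NAME}}` ends up reading as the recipient's real name, which is exactly the identity confusion the advisory describes. With escaping, the tag is rendered as `{ {YOUR_FULL_NAME} }` and is never expanded; with the single-pass variant it is rendered verbatim. The audit helper is the kind of check an operator can run over stored user-supplied fields while a fix is pending.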