From 3466a0d31c4b7aa920c7e39301dee2a2a0be3a87 Mon Sep 17 00:00:00 2001
From: newklei
Date: Mon, 23 Feb 2026 17:10:14 -0500
Subject: [PATCH 1/2] fix(ct_analyzer): escape XML special chars in _compile_csharp()
source_path and output_dir were embedded into the .csproj f-string without escaping. On Linux, filenames may contain XML-special chars (", <, >, &), allowing a crafted filename to inject arbitrary MSBuild XML (CWE-91 -> CWE-78). Fix: wrap both values with xml.sax.saxutils.escape() before interpolation. The extra {chr(34): '"'} arg covers double-quotes inside the attribute value (chr(34) avoids an f-string quote conflict on Python < 3.12).
---
 .../constant-time-analysis/ct_analyzer/script_analyzers.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py b/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
index 50008d8..f060a62 100644
--- a/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
+++ b/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
@@ -14,6 +14,7 @@
 import subprocess
 import sys
 import tempfile
+import xml.sax.saxutils as _saxutils
 from abc import ABC, abstractmethod
 from pathlib import Path
@@ -2600,11 +2601,11 @@ def _compile_csharp(self, source_file: str, output_dir: str) -> tuple[bool, str]
 net8.0 Library
- {output_dir}
+ {_saxutils.escape(str(output_dir))}
 false - + """
From 8dd843ab6bf759a5b41e4a52c39a9a2f684dea43 Mon Sep 17 00:00:00 2001
From: Scott Arciszewski <147527775+tob-scott-a@users.noreply.github.com>
Date: Wed, 25 Feb 2026 09:53:59 -0500
Subject: [PATCH 2/2] Update script_analyzers.py
---
 plugins/constant-time-analysis/ct_analyzer/script_analyzers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py b/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
index f060a62..a8c5295 100644 
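Review bot: The XML escaping on the `OutputPath` element and on the attribute that carries `source_path` (presumably an item `Include`) stops the XML injection, but MSBuild then evaluates both values again with its own syntax — `;` splits an Include into several items, `*`/`?`/`**` are expanded as wildcards, and `$(...)`/`@(...)`/`%(...)` references are resolved — and `xml.sax.saxutils.escape()` touches none of those, so a path containing them can still change what the generated project compiles. For the attribute, `_saxutils.quoteattr()` is the purpose-built call, `Include={_saxutils.quoteattr(str(source_path))}` (it emits the surrounding quotes itself and also escapes `"`, newlines and tabs, so the `chr(34)` mapping goes away); for the MSBuild layer, either apply MSBuild's own `%XX` escaping to both values or, more robustly, copy `source_file` into the temporary project directory under a fixed name and put only that constant name in the .csproj so that no caller-controlled path is interpolated at all. The `OutputPath` text should get the same treatment, since MSBuild evaluates property text the same way. `_compile_csharp` starts at the line named in the hunk header and its body continues outside the hunk; the follow-up commit 8dd843a rewrites the same attribute line, so this note applies to that hunk as well.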
--- a/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
+++ b/plugins/constant-time-analysis/ct_analyzer/script_analyzers.py
@@ -2605,7 +2605,7 @@ def _compile_csharp(self, source_file: str, output_dir: str) -> tuple[bool, str]
 false - + """