
Commit dec9813

chore(deps): update dependency mako to v1.3.11 [security] (#16695)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [mako](https://www.makotemplates.org/) ([source](https://redirect.github.com/sqlalchemy/mako)) | `==1.3.10` → `==1.3.11` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/mako/1.3.11?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/mako/1.3.10/1.3.11?slim=true) |

### GitHub Vulnerability Alerts

#### [GHSA-v92g-xgxw-vvmm](https://redirect.github.com/sqlalchemy/mako/security/advisories/GHSA-v92g-xgxw-vvmm)

### Summary

`TemplateLookup.get_template()` is vulnerable to path traversal when a URI starts with `//` (e.g., `//../../../secret.txt`).

The root cause is an inconsistency between two slash-stripping implementations:

- `Template.__init__` strips **one** leading `/` using `if`/slice
- `TemplateLookup.get_template()` strips **all** leading `/` using `re.sub(r"^\/+", "")`

When a URI like `//../../../../etc/passwd` is passed:

1. `get_template()` strips all `/` → `../../../../etc/passwd` → file found via `posixpath.join(dir_, u)`
2. `Template.__init__` strips one `/` → `/../../../../etc/passwd` → `normpath` → `/etc/passwd`
3. `/etc/passwd`.startswith(`..`) → `False` → **check bypassed**

### Impact

Arbitrary file read: any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to `TemplateLookup.get_template()`.

Note: this is exploitable at the library API level. HTTP-based exploitation is mitigated by Python's `BaseHTTPRequestHandler` which normalizes double-slash prefixes since CPython gh-87389. Applications using other HTTP servers that do not normalize paths may be affected.

### Fix

Changed `Template.__init__` to use `lstrip("/")` instead of stripping only a single leading slash, so both code paths handle leading slashes consistently.

##### Severity

- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N`

---

### Configuration

📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/google-cloud-python).
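The three-step bypass the advisory text describes, as an added example that is not Mako's code and not part of the original commit: a stand-alone Python model of the two slash-stripping paths, written from the advisory's description. `TEMPLATE_DIR`, the sample URIs and the function names `lookup_strip`, `template_init_strip`, `resolve` and `is_bypass` are all constructed for this example; the only Mako-derived details are the `re.sub(r"^\/+", "")` strip, the one-slash `if`/slice strip, the `normpath` + `startswith("..")` guard, and the `lstrip("/")` fix.

```python
"""Model of the GHSA-v92g-xgxw-vvmm slash-stripping mismatch (added example, not Mako's code)."""
import posixpath
import re

# Constructed sample value: the directory a TemplateLookup would be configured with.
TEMPLATE_DIR = "/srv/app/templates"


def lookup_strip(uri: str) -> str:
    """Models TemplateLookup.get_template(): strips ALL leading slashes."""
    return re.sub(r"^\/+", "", uri)


def template_init_strip(uri: str, fixed: bool) -> str:
    """Models Template.__init__: one slash via if/slice (vulnerable) or lstrip('/') (fixed)."""
    if fixed:
        return uri.lstrip("/")
    return uri[1:] if uri.startswith("/") else uri


def resolve(uri: str, fixed: bool) -> dict:
    """Run both code paths on `uri` and report what each would do.

    Returns the file the lookup would open (after path normalization), the URI
    the Template-side '..' check actually sees, and whether that check fires.
    """
    # Step 1: lookup side -> the path actually joined onto the template directory.
    opened = posixpath.normpath(posixpath.join(TEMPLATE_DIR, lookup_strip(uri)))
    # Step 2: Template side -> an independent strip, then normpath.
    checked = posixpath.normpath(template_init_strip(uri, fixed))
    # Step 3: the guard that is supposed to stop traversal.
    rejected = checked.startswith("..")
    return {"opened": opened, "checked": checked, "rejected": rejected}


def is_bypass(uri: str, fixed: bool) -> bool:
    """True when the lookup escapes TEMPLATE_DIR but the '..' check does not fire."""
    r = resolve(uri, fixed)
    escaped = not r["opened"].startswith(TEMPLATE_DIR + "/")
    return escaped and not r["rejected"]


if __name__ == "__main__":
    # Constructed sample URIs: benign, single-slash traversal, double-slash traversal.
    for uri in ("index.html", "/../../../../etc/passwd", "//../../../../etc/passwd"):
        for fixed in (False, True):
            r = resolve(uri, fixed)
            print(f"{'fixed' if fixed else 'vuln ':5} {uri!r:28} opens={r['opened']!r:32} "
                  f"checked={r['checked']!r:28} rejected={r['rejected']!s:5} "
                  f"bypass={is_bypass(uri, fixed)}")
```

Running it shows why a single leading slash was already caught (both strips agree, the check sees `../../../../etc/passwd`) while the double slash slipped through: the lookup strips both slashes and opens `/etc/passwd`, but the Template side strips only one, `normpath` collapses `/../..` against the root, and the check sees `/etc/passwd`, which does not start with `..`. With `lstrip("/")` both sides see the same string and the guard fires.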
1 parent 856731e commit dec9813

File tree

1 file changed

+3
-3
lines changed

packages/sqlalchemy-spanner/requirements.txt

Lines changed: 3 additions & 3 deletions
@@ -313,9 +313,9 @@ importlib-metadata==8.7.1 \
313313
--hash=sha256:49fef1ae6440c182052f407c8d34a68f72efc36db9ca90dc0113398f2fdde8bb \
314314
--hash=sha256:5a1f80bf1daa489495071efbb095d75a634cf28a8bc299581244063b53176151
315315
# via opentelemetry-api
316-
mako==1.3.10 \
317-
--hash=sha256:99579a6f39583fa7e5630a28c3c1f440e4e97a414b80372649c0ce338da2ea28 \
318-
--hash=sha256:baef24a52fc4fc514a0887ac600f9f1cff3d82c61d4d700a1fa84d597b88db59
316+
Mako==1.3.11 \
317+
--hash=sha256:071eb4ab4c5010443152255d77db7faa6ce5916f35226eb02dc34479b6858069 \
318+
--hash=sha256:e372c6e333cf004aa736a15f425087ec977e1fcbd2966aae7f17c8dc1da27a77
319319
# via alembic
320320
markupsafe==3.0.3 \
321321
--hash=sha256:0303439a41979d9e74d18ff5e2dd8c43ed6c6001fd40e5bf2e43f7bd9bbc523f \
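Review bot: the replacement pin `Mako==1.3.11 \` changes the requirement name's case, while the removed `mako==1.3.10 \` and every neighbouring pin in this hunk (`importlib-metadata==8.7.1`, `markupsafe==3.0.3`) use the normalized lowercase form; pip matches names case-insensitively so the pin still resolves, but the file now mixes conventions and the next run of whatever generates the `# via` comments will probably rewrite it back to `mako`, producing churn. Suggest keeping `mako==1.3.11 \`. Separately, the only consumer recorded here is `# via alembic`, so the `TemplateLookup.get_template()` traversal in the advisory is reachable from this package only if something in it passes user-controlled URIs to Mako; the bump closes it regardless, and the two new `--hash` values should be checked against the PyPI release files for 1.3.11 before merge, since this diff alone cannot confirm them.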