Update dependency mako to v1.3.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mako (source)	==1.3.11 → ==1.3.12

---

Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup

CVE-2026-44307 / GHSA-2h4p-vjrc-8xpq

More information

Details

Summary

On Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory.

Details

The root cause is a mismatch between posixpath (used for URI normalization in get_template()) and os.path (used for file access via os.path.isfile() and validation via os.path.normpath() in Template.__init__). On Windows, os.path is ntpath, which treats \ as a path separator, while posixpath treats it as a literal character.

The vulnerability chain:

1. get_template() strips only leading / via re.sub(r"^\/+", "", uri) and normalizes with posixpath — backslash \ is treated as a literal character, so \..\ secret.txt passes through with .. undetected.
2. Template.__init__() validation uses os.path.normpath() — on Windows this resolves \..\ secret.txt to \secret.txt, which does not start with .., so the startswith("..") check passes.
3. os.path.isfile() on Windows interprets \ as a path separator, resolving the .. traversal and finding files outside the template directory.

Affected code

• mako/lookup.py: TemplateLookup.get_template() uses posixpath.normpath/posixpath.join for path construction but os.path.isfile() for existence check
• mako/template.py: Template.__init__() URI validation uses os.path.normpath() which on Windows resolves backslash traversal to a form that passes the startswith("..") guard

Impact

If an application passes user-controlled template names or include paths to TemplateLookup.get_template(), an attacker on Windows may be able to load and disclose readable files outside the configured template directory. The primary impact is local file disclosure. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template.

Remediation

The fix should normalize backslashes to forward slashes early in the URI processing pipeline, before any path operations, to ensure consistent behavior across platforms.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/sqlalchemy/mako/security/advisories/GHSA-2h4p-vjrc-8xpq
• https://github.com/sqlalchemy/mako/issues/435
• https://github.com/sqlalchemy/mako/commit/72e10c573ca0fbcbddd4455abca8ce92a61780d7
• https://github.com/sqlalchemy/mako/releases/tag/rel_1_3_12
• https://nvd.nist.gov/vuln/detail/CVE-2026-44307
• https://github.com/advisories/GHSA-2h4p-vjrc-8xpq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.