-
-
Notifications
You must be signed in to change notification settings - Fork 662
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deduplicate SSRF requirements #2115
Comments
5.2.6 "URL operations" vs 12.3.1 "file operations" (if file operation does not have required protection it may lead to SSRF that is equal to not protected URL operation) 5.5.5 is about parsers and is a bit different topic. For me, everything works as those are (it does not mean those can not be improved) |
Do you agree with my 5.2.6 change? |
What is the meaning of "checking" here? What is the action and what is the outcome? I think the previous "validation or sanitizing" was more precise. The rest of the requirement is probably just moving things around. |
So maybe matching rather than checking, I don't like validating as it sounds like input validation and I don't like sanitization as I don't think it is exactly what is being done |
Let's go other way - what is the problem with current 5.2.6 you try to solve? |
Two problems with 5.2.6:
|
The term I typically use is “allowlist validation”. It’s definitely a form of validation, IMO.
|
So does it need to move into the input validation section? |
Possibly, but if I was trying to fix SSRF I wish I had one section that referenced all SSRF controls.
I think in general some of the categorization we are doing makes consuming ASVS tough. I would suggest that if we put this into the input validation section, we still point to it from a dedicated SSRF section - and do this cross referencing for all of ASVS so its consumable per topic without jumping around.
This is a big ask, I know.
|
Ultimately this is doing both validation and sanitization so we can probably leave it in the section where it is and I will PR using "validation" instead of "checking". @set-reminder 2 days @tghosth to open a PR |
⏰ Reminder
|
We currently have the following requirements which refer to SSRF:
I think that requirements 5.5.5 and 12.3.1 are referring to specific protection mechanisms which are required which have the potential side effect of SSRF as such, I think they are ok as they are.
I think that 5.2.6 needs to be very slightly clarified to focus on the risk of putting input directly into a URL being accessed.
I would say:
Thoughts @jmanico @elarlang
The text was updated successfully, but these errors were encountered: