
Section titles in V12 #2066

Closed
elarlang opened this issue Sep 5, 2024 · 4 comments
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet), next meeting (Filter for leaders), V12, _5.0 - prep (This needs to be addressed to prepare 5.0)

Comments

elarlang (Collaborator) commented Sep 5, 2024

Spin-off from #1390 (comment)

Some section titles are written from the end-user perspective, but ASVS should be written from the application's perspective:

  • File upload - the application does not upload the file, but accepts it
  • File download - the application does not download the file, but serves it

There is another topic to be opened in the future for the "File execution" title, but let the related requirements fall into place first.

jmanico (Member) commented Sep 5, 2024

The problem is that these requirements often fit into both categories. So unless you want duplication, I do not think this is possible.

For example, untrusted filenames driving file upload or download from user data can cause problems.

For example, filenames on download:

[image]

Or filenames on upload:

[image]
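The "untrusted filenames driving file upload or download" problem referred to above, as an added example that is not part of this issue and not code from the ASVS project. It shows a download (file serving) handler that joins the client-supplied name onto a storage directory beside a hardened version, and an upload (file accepting) handler that never uses the client name as a path. The storage layout, the `secret.txt` sibling file and all function names are constructed for the example.

```python
"""Added example (not ASVS project code): untrusted filenames in file
serving and file accepting. Paths and helper names are illustrative."""
import re
import secrets
import tempfile
from pathlib import Path

# Constructed sandbox: a storage directory holding one legitimate file, and a
# sibling file outside storage that the application must never serve.
ROOT = Path(tempfile.mkdtemp(prefix="asvs-v12-"))
STORAGE = ROOT / "files"
STORAGE.mkdir()
(STORAGE / "report.pdf").write_bytes(b"%PDF-1.4 legitimate report")
(ROOT / "secret.txt").write_bytes(b"top secret")


def vulnerable_download(filename: str) -> bytes:
    """Before: the client-supplied name is joined straight onto the storage
    path, so "../secret.txt" walks out of STORAGE."""
    return (STORAGE / filename).read_bytes()


def safe_download(filename: str) -> bytes:
    """After: accept only a single path component, then check that the
    resolved target (symlinks followed) still sits directly inside STORAGE."""
    if not filename or filename in (".", "..") or Path(filename).name != filename:
        raise PermissionError(f"rejected filename: {filename!r}")
    target = (STORAGE / filename).resolve()
    if target.parent != STORAGE.resolve():
        raise PermissionError(f"path escapes storage: {filename!r}")
    return target.read_bytes()


def raises_permission_error(filename: str) -> bool:
    """Helper for checks: True if safe_download refuses the name."""
    try:
        safe_download(filename)
    except PermissionError:
        return True
    return False


_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(user_filename: str) -> str:
    """Reduce a client-supplied name to a harmless display name: keep only the
    last component (either separator), replace characters outside a small
    allowlist, drop leading dots (no ".htaccess"), and cap the length."""
    last = re.split(r"[\\/]", user_filename)[-1]
    cleaned = _DISALLOWED.sub("_", last).lstrip(".")[:100]
    return cleaned or "file"


def store_upload(user_filename: str, data: bytes) -> tuple[Path, str]:
    """Accept a file under a server-generated name inside STORAGE; the
    sanitized client name is returned as metadata only, never used as a path."""
    display_name = sanitize_filename(user_filename)
    stored = STORAGE / f"upload-{secrets.token_hex(8)}.bin"
    stored.write_bytes(data)
    return stored, display_name


if __name__ == "__main__":
    print("vulnerable:", vulnerable_download("../secret.txt"))
    print("safe:", safe_download("report.pdf"))
    print("safe rejects traversal:", raises_permission_error("../secret.txt"))
    print("upload:", store_upload("../../etc/cron.d/job", b"payload"))
```

The download check compares `target.parent` with the resolved storage directory rather than doing a string prefix test, so `files-backup/` siblings and symlinks planted inside storage are both rejected; the upload side sidesteps the filename problem entirely by generating the on-disk name itself.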

elarlang (Collaborator, Author) commented Sep 5, 2024

The given examples are both the "using untrusted input for file operations" problem, and that is the topic of issue #1427.

If you look into the mentioned sections, they are clearly file serving or file accepting issues. Path traversal etc. topics are currently in "File execution".

jmanico (Member) commented Sep 5, 2024

Fair enough. Looking over these requirements in V12, I am certain we can have a file upload and download section. That's a fair ask, @elarlang, and I'll think about it some and get back to you.

tghosth added the labels "1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet)" and "_5.0 - prep (This needs to be addressed to prepare 5.0)" on Sep 8, 2024
elarlang added the label "next meeting (Filter for leaders)" on Sep 9, 2024

tghosth (Collaborator) commented Sep 12, 2024

Whilst I understand the concept of talking from the application's perspective, I think having a section for "how the application provides file upload functionality" and "how the application provides file download functionality" is still understandable by all users of ASVS. I would prefer to leave the titles as they are.
