Closed tghosth closed 1 week ago
I tried to remember the logic how to put requirement to different subcategories. We can put them all together, but maybe there is better way and before we do those changes, let's look the options.
Simplified file upload process.
First step - file upload, file reached to the server and now the actions before going to check file actual content
2nd step - Is it expected file by content (format)?
3rd step - now, file is expected type and content - do it contain something malicious + can server handle it?
Now the question is - do we put them all together or is there good and easy to understand naming to keep them separately?
Overall, I think it is easier to split into sections wherever possible. (Please remember to use the Chapter > Section > Requirement terminology, I know I am terrible at remembering this as well 🙃)
I would separate them as follows:
file reached to the server and now the actions before going to check file actual content
Is it expected file by content (format)?
3rd step - now, file is expected type and content - do it contain something malicious + can server handle it?
We could make these 3 sections or maybe we should combine the first two into 1 section as they both relate to general expectations about uploaded files as opposed to malicious content
Let's put "V12.3 File execution" in to the game. Entire this section needs work (https://github.com/OWASP/ASVS/issues/1427), but there we have requirement, like zip slip (12.3.7).
If we protect the application, then pixel flood requirement belongs here.
So the outcome from this issue should be - which sections we have and what are the criterias for requirements to belong to some section.
Hmm, @elarlang do you think we have enough different V12 issues that we should defer to the rework stage?
I think I can not understand the question.
First priority should be to get requirements in, then we can see what are the needs or possibility for making sections out of those.
I mean, is this issue now affecting pretty much the whole chapter and therefore best left to when we are working on the whole chapter together at the rework stage?
Yes, this issue is not priority and is logical outcome when we get more requirements in.
First priority should be to get requirements in, then we can see what are the needs or possibility for making sections out of those.
... and I start hating the phrase "rework stage" already :)
... and I start hating the phrase "rework stage" already :)
I hear that but I think it helps us come to some sort of conclusion on issues and set ourselves up for the actual rewrite.
This comment thread is getting a little wild.
I agree that we should change 12.2 from "File Integrity" to "File Integrity and Content" and I'd like to close this out.
I think 12.1 File Upload should focus on the mechanics around file upload and 12.2 File Integrity should be renamed to "File Integrity and Content" and focus on file type related requirements.
12.1.2 and 12.1.4 should then be moved to 12.2.
This is following a discussion here: https://github.com/OWASP/ASVS/issues/1740#issuecomment-1775145602
@elarlang do you agree?