Open tghosth opened 2 hours ago
5.2.6 "URL operations" vs 12.3.1 "file operations" (if file operation does not have required protection it may lead to SSRF that is equal to not protected URL operation)
5.5.5 is about parsers and is a bit different topic.
For me, everything works as those are (it does not mean those can not be improved)
Do you agree with my 5.2.6 change?
What is the meaning of "checking" here? What is the action and what is the outcome? I think the previous "validation or sanitizing" was more precise.
The rest of the requirement is probably just moving things around.
So maybe matching rather than checking, I don't like validating as it sounds like input validation and I don't like sanitization as I don't think it is exactly what is being done
Let's go other way - what is the problem with current 5.2.6 you try to solve?
Two problems with 5.2.6:
The term I typically use is “allowlist validation”. It’s definitely a form of validation, IMO.
So does it need to move into the input validation section?
We currently have the following requirements which refer to SSRF:
I think that requirements 5.5.5 and 12.3.1 are referring to specific protection mechanisms which are required which have the potential side effect of SSRF as such, I think they are ok as they are.
I think that 5.2.6 needs to be very slightly clarified to focus on the risk of putting input directly into a URL being accessed.
I would say:
Thoughts @jmanico @elarlang