search

OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International
6.93k stars 1.29k forks source link

Add tests for Archive Directory Traversal #1138

Closed doverh closed 2 months ago

doverh commented 2 months ago

This PR fixes #845

What did this PR accomplish?

Thank you for your contribution!

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:97:1 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:100:257 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:116:67 MD011/no-reversed-links Reversed link syntax [(patched for this vulnerability)[https://github.com/snyk/zip-slip-vulnerability#affected-libraries]] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:117:90 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:194:118 MD047/single-trailing-newline Files should end with a single newline character

github-actions[bot] commented 2 months ago

The following links are broken: FILE:document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md [✖] https://www.eicar.org/?page_id=3950 → Status: 404

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 94:47 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 94:190 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 114:22 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 129:6 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 131:4 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 131:319 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 133:26 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 139:146 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 141:14 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 194:4 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology 78:35 ✖ Incorrect usage of the term: “nginx”, use “Nginx” instead terminology

kingthorin commented 2 months ago

Please address the bot's feedback. (Yes we know some of it might be pre-existing.)

github-actions[bot] commented 2 months ago

The following links are broken: FILE:document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md [✖] https://www.bamsoftware.com/hacks/ZIPbomb/ → Status: 404 [✖] https://research.swtch.com/ZIP → Status: 404

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 78:35 ✖ Incorrect usage of the term: “nginx”, use “Nginx” instead terminology

doverh commented 2 months ago

@kingthorin checks passing now. Let me know if I need to revert any of those zip --> ZIP changes.

kingthorin commented 2 months ago

That stuff looks good to me. There are a few parts that read a bit awkwardly but I"ll do a review tomorrow and point them out or suggest alternative wording.

doverh commented 2 months ago

@kingthorin the text was indeed awkward. I sent a new version trying to bring it closer to the wstg style guide.

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:25:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 192:4 ✖ Incorrect usage of the term: “Zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:25:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]

doverh commented 2 months ago

@kingthorin I sent a new update based on your previous comments.

kingthorin commented 2 months ago

Thanks, sorry I wasn't able to tackle it over the weekend. Will try to get it knocked off later today.

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:124:32 MD033/no-inline-html Inline HTML [Element: directory] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:124:16 MD033/no-inline-html Inline HTML [Element: zip] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:126:18 MD033/no-inline-html Inline HTML [Element: zip] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:197:111 MD047/single-trailing-newline Files should end with a single newline character

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 123:19 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 124:9 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 127:18 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:197:111 MD047/single-trailing-newline Files should end with a single newline character

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 123:19 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 124:9 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 124:17 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 124:21 ✖ Incorrect usage of the term: “file name”, use “filename” instead terminology 126:19 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology 126:23 ✖ Incorrect usage of the term: “file name”, use “filename” instead terminology 127:18 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:197:111 MD047/single-trailing-newline Files should end with a single newline character

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:25:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:115:16 MD033/no-inline-html Inline HTML [Element: zip] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:124:32 MD033/no-inline-html Inline HTML [Element: directory] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:124:17 MD033/no-inline-html Inline HTML [Element: zip] document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:126:19 MD033/no-inline-html Inline HTML [Element: zip]

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 124:10 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following issues were identified: document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md:25:1 MD007/ul-indent Unordered list indentation [Expected: 4; Actual: 2]

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 124:10 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 124:10 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology

github-actions[bot] commented 2 months ago

The following mistakes were identified:

/home/runner/work/wstg/wstg/document/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.md 124:10 ✖ Incorrect usage of the term: “zip”, use “ZIP” instead terminology