OWASP/ASVS

Section titles in V12

elarlang opened this issue · 4 comments

Spin-off from #1390 (comment)

Some section titles are written from the end-user perspective, but ASVS should be written from the application perspective.

  • File upload - the application does not upload the file, but accepts it
  • File download - the application does not download the file, but serves it

There is another topic to be opened in the future for the "File execution" title, but let the related requirements fall into place first.

The problem is that these requirements often fit into both categories. So unless you want duplication, I do not think this is possible.

For example, untrusted filenames driving file upload or download from user data can cause problems.

For example, filenames on download:

[image]

Or filenames on upload:

[image]

The given examples are both a "using untrusted input for file operation" problem, and that is the topic of issue #1427.

If you look into the mentioned sections, it is clear they are about serving files or accepting files. Path traversal etc. topics are currently in "File execution".
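The two comments above agree that the underlying problem in both the serving and accepting cases is the same one: an untrusted filename reaching a file operation. The following is an added illustration, not code from the ASVS project or from anyone in this thread, showing the weak pattern on the serving side next to a hardened version, and a hardened accepting side that never stores a file under the client's name. The storage root, the allowed-extension list and the `token` parameter are assumptions made for the demo.

```python
import os
import re
import uuid
from typing import Optional

# Constructed storage root for the demo; an assumption, not a path from the issue.
STORAGE_ROOT = "/var/app/files"

# Extensions the hypothetical application is willing to accept on upload.
ALLOWED_UPLOAD_EXTENSIONS = {".jpg", ".png", ".pdf"}


def naive_download_path(requested_name: str) -> str:
    """The weak serving pattern: the user-supplied name is joined straight onto
    the storage root. A name such as '../../etc/passwd' (or an absolute path)
    leaves the directory, so the application serves whatever it can read."""
    return os.path.join(STORAGE_ROOT, requested_name)


def safe_download_path(requested_name: str) -> Optional[str]:
    """Serving side: normalise the candidate path (realpath also follows
    symlinks) and confirm it is still inside STORAGE_ROOT. Returns None when
    the name would escape, so the caller answers 404 instead of serving."""
    if not requested_name or "\x00" in requested_name:
        return None
    try:
        root = os.path.realpath(STORAGE_ROOT)
        candidate = os.path.realpath(os.path.join(root, requested_name))
    except ValueError:  # defensive: embedded NUL byte surfaced by the OS layer
        return None
    # Containment check on whole path components, not a string prefix, so a
    # sibling directory such as '/var/app/files2' is rejected as well.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if candidate == root:  # the storage directory itself is not a file to serve
        return None
    return candidate


def safe_upload_name(client_name: str, token: Optional[str] = None) -> Optional[str]:
    """Accepting side: the client's name is never used as the stored name.
    Only a whitelisted extension is kept; the file is stored under a
    server-generated token. `token` is a hypothetical parameter that makes
    the result deterministic for tests (a random UUID is used otherwise)."""
    # Drop any directory part the client sent, whether with '/' or '\' separators.
    base = re.split(r"[\\/]", client_name)[-1]
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        return None
    # Double extensions like 'x.php.jpg' collapse to the stored token plus '.jpg',
    # so nothing of the original name survives on disk.
    return (token or uuid.uuid4().hex) + ext


if __name__ == "__main__":
    print("naive:", naive_download_path("../../etc/passwd"))
    print("safe: ", safe_download_path("../../etc/passwd"))
    print("ok:   ", safe_download_path("report.pdf"))
    print("stored upload name:", safe_upload_name("..\\..\\photo.JPG"))
```

The serving check relies on `os.path.realpath` followed by `os.path.commonpath`, which is the usual containment test; a plain string prefix comparison would pass `/var/app/files2/...`. On the accepting side the only piece of client input that influences the stored path is the extension, and only after it has matched an allow-list.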

Fair enough. Looking over these requirements in v12, I am certain we can have a file upload and download section. That's a fair ask, @elarlang, and I'll think about it some and get back to you.

Whilst I understand the concept of talking from the application's perspective I think having a section for "how the application provides file upload functionality" and "how the application provides file download functionality" is still understandable by all users of ASVS. I would prefer to leave the titles as they are.