Files and Resources V12 - Sanity Check Comments/Suggestions for v.5.0 #2593
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet); V12; _5.0 - prep (This needs to be addressed to prepare 5.0)
Chapter V12 - Files and Resources
Here are a few things I observed while reviewing this chapter for v.5.0, as a sanity check related to #2582:
Question 1: In requirement,
12.3.1 [MODIFIED, MERGED FROM 12.3.2, 12.3.3, 5.3.9] Verify that file operations avoid using user-submitted filenames or file metadata when creating file paths to protect against path traversal, local or remote file inclusion (LFI, RFI), and server-side request forgery (SSRF) attacks. Instead, use internal, trusted data for file I/O. If user-submitted filenames or file metadata must be used, strict validation and sanitization must be applied.
what do we mean by "use internal, trusted data for file I/O"? Is this referring to the data inside the file, thus not pertaining to metadata? Or internal, trusted data in the application, meaning it will just ignore anything coming from the files, but then what about the file name and others? I guess maybe it wasn't clear as to what it was referring to, and it might be confusing the way I read it.
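To illustrate the two forms the requirement describes (preferred: derive the path from server-side data keyed by an opaque id; fallback: a user-submitted filename accepted only after strict validation and a containment check), here is an added Python example. It is not ASVS code or anything from the issue; the base directory, the report index and the function names are assumptions made for the example.

```python
import re
from pathlib import Path, PurePosixPath

# Constructed example: base directory and index are assumptions, not ASVS artifacts.
REPORTS_DIR = Path("/srv/app/reports")
REPORT_INDEX = {"q1": "2024-q1.pdf", "q2": "2024-q2.pdf"}
ALLOWED_SUFFIXES = {".pdf", ".txt"}

def path_from_internal_id(report_id: str) -> Path:
    """Preferred form: the client sends an opaque id; the filename is server-side data."""
    if report_id not in REPORT_INDEX:
        raise ValueError("unknown report id")
    return REPORTS_DIR / REPORT_INDEX[report_id]

def path_from_user_filename(user_name: str, base: Path = REPORTS_DIR) -> Path:
    """Fallback form: a user-submitted filename is used only after strict validation."""
    # A filename must be exactly one plain path component; '.' and '..' are not filenames.
    if not user_name or user_name in {".", ".."}:
        raise ValueError("empty or dot-only filename")
    # Reject separators and NUL before any other check, regardless of platform.
    if any(ch in user_name for ch in "/\\\x00"):
        raise ValueError("path separators and NUL are not allowed")
    # Strict allowlist: ASCII letters, digits, '.', '_', '-'; may not start with a dot.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", user_name):
        raise ValueError("filename contains disallowed characters")
    if PurePosixPath(user_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("disallowed file type")
    # Canonicalize and confirm containment as defense in depth (symlinks, odd encodings).
    base_real = base.resolve()
    candidate = (base_real / user_name).resolve()
    if candidate.parent != base_real:
        raise ValueError("path escapes the base directory")
    return candidate

def accepts_user_filename(user_name: str) -> bool:
    """Boolean wrapper, convenient for tests and for logging rejected inputs."""
    try:
        path_from_user_filename(user_name)
        return True
    except ValueError:
        return False
```

The allowlist check runs after any URL decoding the web framework performs, so encoded traversal sequences never reach the filesystem layer as separators.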