
5.3.10 need more beef #1556

Closed
jmanico opened this issue Feb 17, 2023 · 9 comments
Assignees
Labels
7) PR in non-master branch V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@jmanico
Member

jmanico commented Feb 17, 2023

5.3.10 does not explain the "how". Perhaps change:

5.3.10 | Verify that the application protects against XPath injection or XML injection attacks. (C4) | ✓ | ✓ | ✓ | 643

to:

5.3.10 | Verify that the application protects against XPath injection or XML injection attacks with XML-specific encoding. (C4) | ✓ | ✓ | ✓ | 643

@elarlang
Collaborator

5.3.9
Jim, please search for open issues before opening new ones - 5.3.9 will be deleted as it is #1470

Proposal can go to #1427

@jmanico jmanico changed the title 5.3.9 and 5.3.10 need more beef 5.3.10 need more beef Feb 17, 2023
@jmanico
Member Author

jmanico commented Feb 17, 2023

5.3.9 Jim, please search for open issues before opening new ones - 5.3.9 will be deleted as it is #1470

Proposal can go to #1427

Gotcha, I changed this to only impact 5.3.10 and moved the other suggestion to #1427

@elarlang
Collaborator

It's quite close to 5.3.1. One option is to add XML to the list there.

# | Description | L1 | L2 | L3 | CWE
5.3.1 | [MODIFIED] Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, CSS, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). (C4) | | | | 116

@elarlang
Collaborator

elarlang commented Mar 9, 2023

Some ideas:

  • XML injection - a classical encoding issue for output document generation, can be part of 5.3.1
  • XPath injection - is a query technique (and not output document generation), so it naturally does not belong in the 5.3.1 list.

So, maybe we need to kind of split the requirement and have a separate way for XPath injection with parameterized, or encoded and sanitized, recommendations?

@elarlang elarlang self-assigned this Mar 9, 2023
@elarlang elarlang added the 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet label Mar 9, 2023
@elarlang elarlang added the V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements label Apr 5, 2023
@elarlang
Collaborator

elarlang commented Apr 5, 2023

The issue requires outcome from #1589

@elarlang elarlang added the 4a) Waiting for another This issue is waiting for another issue to be resolved label Apr 5, 2023
@tghosth tghosth added 4b Major-rework These issues need to be part of a full chapter rework _5.0 - prep This needs to be addressed to prepare 5.0 and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 4a) Waiting for another This issue is waiting for another issue to be resolved labels Jul 9, 2023
@tghosth
Collaborator

tghosth commented Aug 12, 2024

Ok so I think XML injection should be covered by the current 5.3.1 text:

# | Description | L1 | L2 | L3 | CWE
5.3.1 | [MODIFIED] Verify that output encoding for an HTTP response/HTML document/XML document is relevant for the context required, such as encoding the relevant characters for HTML elements, HTML attributes, HTML comments, JavaScript, CSS, or HTTP headers, to avoid changing the message or document structure. | | | | 116

As such, I propose we focus this down to XPath injection:

# | Description | L1 | L2 | L3 | CWE
5.3.10 | [MODIFIED] Verify that the application is protected against XPath injection attacks by using query parameterization or precompiled queries, or sanitization if there is no other alternative. | | | | 643

@elarlang
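To make the "query parameterization" wording in the proposed 5.3.10 text concrete, here is an added illustration (not code from the ASVS project or from anyone in this thread) using Ruby's bundled REXML library. The user store and the tautology input are constructed for the demo; it contrasts splicing untrusted text into the XPath expression with binding it as an XPath variable.

```ruby
require 'rexml/document'

# Constructed sample user store for the demonstration (not from the issue).
USERS_XML = <<~XML
  <users>
    <user name="alice" role="admin"><secret>alice-token</secret></user>
    <user name="bob" role="user"><secret>bob-token</secret></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable pattern (CWE-643): the untrusted value becomes part of the
# expression text, so a quote character in it changes the query structure.
def lookup_concat(name)
  REXML::XPath.match(DOC, "//user[@name='#{name}']")
              .map { |u| u.attributes['name'] }
end

# Parameterized pattern: the value is bound to the XPath variable $name and is
# compared as data; it is never parsed as expression syntax.
def lookup_param(name)
  REXML::XPath.match(DOC, '//user[@name=$name]', {}, { 'name' => name })
              .map { |u| u.attributes['name'] }
end

# Constructed input that turns the concatenated predicate into a tautology:
#   //user[@name='x' or '1'='1']
INJECTED = "x' or '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts "concat, benign:   #{lookup_concat('alice').inspect}"
  puts "concat, injected: #{lookup_concat(INJECTED).inspect}"   # every user
  puts "param, benign:    #{lookup_param('alice').inspect}"
  puts "param, injected:  #{lookup_param(INJECTED).inspect}"    # no match
end
```

The same binding mechanism exists as XPathVariableResolver in Java and as keyword arguments to lxml's xpath() in Python, which is what makes the parameterization requirement testable across stacks.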

@elarlang
Collaborator

Yes, it is aligned with my idea (#1556 (comment)). Just no slashes to 5.3.1.

@tghosth
Collaborator

tghosth commented Aug 12, 2024

I will fix 5.3.1 here: ca4ced9

Opened #2016 Please either approve or let me know if there are any objections or concerns :) @elarlang

@tghosth tghosth added 6) PR awaiting review and removed 4b Major-rework These issues need to be part of a full chapter rework labels Aug 12, 2024
@jmanico
Member Author

jmanico commented Aug 13, 2024

I suggest dropping "or sanitization if there is no other alternative" - we do not want to encourage it and it's not necessary.
