Comments (9)
Thinking more about it, I think the word "list" is a bit misleading here - it kind of suggests having a list of accepted values, but in reality, it also means patterns.
My proposal:
Verify that all input is validated using positive validation, using an allowed list of values or patterns.
Also, we need to change the CWE-20 "Improper Input Validation" as it's a class/folder and Vulnerability Mapping: DISCOURAGED
from asvs.
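Positive validation with an allowed list of values or an allowed pattern, as an added illustration (not code from the ASVS project or from anyone in this thread); the field names and rules are constructed for a hypothetical order form, and the block also shows the anchoring caveat a pattern-based allow list needs.

```python
import re
from typing import Mapping, Union

# A rule is either a set of exact allowed values or an allowed pattern.
# Everything not covered by a rule is rejected: there is no deny list.
Rule = Union[frozenset, re.Pattern]

# Constructed example rules for a hypothetical order form.
RULES: Mapping[str, Rule] = {
    "currency": frozenset({"EUR", "USD", "GBP"}),   # allowed values
    "order_id": re.compile(r"[A-Z]{2}-[0-9]{6}"),    # allowed pattern
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),      # 1..999 as a pattern
}


def validate(field: str, value: str) -> bool:
    """Return True only if the value is positively allowed for the field."""
    rule = RULES.get(field)
    if rule is None:
        return False  # unknown field: nothing allows it, so it is rejected
    if isinstance(rule, frozenset):
        return value in rule  # exact, case-sensitive membership
    # fullmatch anchors the pattern to the whole string; re.match would
    # only require the prefix to match and let trailing characters through.
    return rule.fullmatch(value) is not None


def validate_form(form: Mapping[str, str]) -> dict:
    """Validate every submitted field and report the per-field verdicts."""
    return {name: validate(name, value) for name, value in form.items()}


def prefix_match(field: str, value: str) -> bool:
    """Same pattern rules but with re.match: the unanchored pitfall."""
    rule = RULES[field]
    assert isinstance(rule, re.Pattern)
    return rule.match(value) is not None


if __name__ == "__main__":
    sample = {"currency": "USD", "order_id": "AB-123456", "quantity": "12"}
    print(validate_form(sample))                      # all True
    print(validate("order_id", "AB-123456 extra"))    # False (anchored)
    print(prefix_match("order_id", "AB-123456 extra"))  # True (unanchored)
```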
There's a lot to discuss here but in essence, I agree with your thoughts around moving it into an architecture requirement (because fundamentally it is right, you have to know what you expect and what is known good before you design the feature/function).
I'd see 5.1.3 reading something like
Verify that all input is validated using positive validation (allow lists).
I'm not a fan of specifically calling out HTML here, that is 100% sanitisation and doesn't belong in this and should be elsewhere.
I agree with @danielcuthbert but I would expand this requirement slightly as we are seeing it as an architectural requirement.
Verify that the application is designed with a centralized input validation capability based on the documented rules which uses positive validation (allow lists).
Oh please no.
- centralized - it is a completely different requirement and removes focus away from the goal
- documentation in implementation requirement, it must be covered in 1.5.1 (#1552 (comment))
The only point it should carry is the allow-list vs deny-list validation.
ok I can accept the wording @elarlang
I wouldn't bother with a CWE for now.
Are we moving this to 5.6?
My idea to move it to 5.6 was with a "precondition" to combine the allow-list attitude with sanitisation, and then it's a requirement spanning two chapters and fits 5.6.
But at the moment it's clearly input validation. For me both solutions are ok.
Ok so I think we leave it where it is for now.
@elarlang I added some info to the explanatory text at the beginning. What do you think?
Changes:
4644b8e