
duplicates: 1.5.2 and 5.5.3 #1084

Closed
elarlang opened this issue Oct 21, 2021 · 4 comments
Assignees
Labels
1) Discussion ongoing: Issue is opened and assigned but no clear proposal yet
5) awaiting PR: A proposal has been accepted and reviewed and we are now waiting for a PR

Comments

@elarlang
Collaborator

elarlang commented Oct 21, 2021

V1.5.2 Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that deserialization is performed safely, for example by only allowing a white-list of object types or not allowing the client to define the object type to deserialize to, in order to prevent deserialization attacks.

V5.5.3 Verify that deserialization of untrusted data is avoided or is protected by filtering incoming deserialization data.

  • Levels: 1, 2, 3
  • CWE: 502

First recommendation is that we drop 1.5.2 and, if needed, update the content of 5.5.3.

If 1.5.2 needs to stay, then:

  • "Verify that serialization is not used" > "Verify that deserialization is not used" ?
  • replace white-list with something like allow-list
@elarlang elarlang added the 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet label Oct 21, 2021
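The two mitigations the requirement text describes (an allow-list of object types, or never letting the client choose the type to deserialize to) as an added Python illustration, not code from ASVS or from this issue; the `OrderedDict` allow-list entry, the `Message` shape and the sample payloads are constructed for the demonstration:

```python
import datetime
import io
import json
import pickle
from collections import OrderedDict
from dataclasses import dataclass

# Allow-list of (module, qualname) pairs the unpickler may resolve. Plain
# containers and scalars are built from opcodes and never reach find_class.
ALLOWED_TYPES = {("collections", "OrderedDict")}

class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class reference not on the allow-list."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type not permitted: {module}.{name}")
        return super().find_class(module, name)

def restricted_loads(data: bytes):
    """Deserialize data, resolving only allow-listed types."""
    return AllowListUnpickler(io.BytesIO(data)).load()

def is_accepted(data: bytes) -> bool:
    """True if data deserializes under the allow-list, False if refused."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return False
    return True

@dataclass(frozen=True)
class Message:
    """The only shape untrusted client input is ever turned into."""
    sender: str
    body: str

def parse_message(raw: bytes) -> Message:
    """Build the server-chosen Message from JSON; client type hints are ignored."""
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("message must be a JSON object")
    sender, body = obj.get("sender"), obj.get("body")
    if not isinstance(sender, str) or not isinstance(body, str):
        raise ValueError("sender and body must be strings")
    return Message(sender=sender, body=body)

# Constructed sample inputs (not taken from the issue).
ALLOWED_PAYLOAD = pickle.dumps(OrderedDict(a=1, b=2))
DISALLOWED_PAYLOAD = pickle.dumps(datetime.date(2021, 10, 21))
CLIENT_JSON = b'{"__class__": "Anything", "sender": "elar", "body": "hi"}'
```

The pickle path refuses any class reference not on the list before it is instantiated; the JSON path never consults the client's `__class__` key at all, because the target type is fixed by the server.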
@jmanico
Member

jmanico commented Oct 22, 2021

"Verify that serialization is not used"

You're right this should be deserialization and I prefer the term allow-list.

I like deleting the duplicate, too.

This is a good issue, thanks Elar. I think we are (at least close) to a PR.

@elarlang elarlang added the 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR label Oct 22, 2021
jmanico added a commit that referenced this issue Oct 24, 2021
@jmanico
Member

jmanico commented Oct 24, 2021

#1095

@jmanico jmanico closed this as completed Oct 24, 2021
@elarlang
Collaborator Author

So changes - 1.5.2 got moved to 5.5.3 and replaced it.
0f714f0

Still contains "white-list"

@elarlang elarlang reopened this Oct 24, 2021
elarlang pushed a commit to elarlang/ASVS that referenced this issue Oct 24, 2021
@jmanico
Member

jmanico commented Oct 24, 2021

Fixed d1e2cf4
