
proposal: merge 12.3.6 to 10.3.2 #1471

Closed
elarlang opened this issue Dec 22, 2022 · 12 comments
Assignees
Labels
5) awaiting PR A proposal has been accepted and reviewed and we are now waiting for a PR V10 V12 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Collaborator

Related requirements:

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| 12.3.6 | Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs. | | | | 829 |
| 10.3.2 | [MODIFIED] Verify that the application only loads or executes code, modules, content or plugins from sources not under the application's direct control/protection if it employs integrity protections, such as code signing. | | | | 829 |

Proposal: merge 12.3.6 to 10.3.2

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Dec 22, 2022
@jmanico
Member

jmanico commented Dec 23, 2022

Agreed

@tghosth
Collaborator

tghosth commented Dec 28, 2022

Waiting for #1427

@tghosth
Collaborator

tghosth commented Dec 28, 2022

@set-reminder 3 weeks @tghosth to look at this

@octo-reminder

octo-reminder bot commented Dec 28, 2022

Reminder
Wednesday, January 18, 2023 12:00 AM (GMT+01:00)

@tghosth to look at this

@elarlang elarlang added the 4a) Waiting for another This issue is waiting for another issue to be resolved label Jan 1, 2023
@octo-reminder

octo-reminder bot commented Jan 17, 2023

🔔 @tghosth

@tghosth to look at this

@tghosth tghosth added 4b Major-rework These issues need to be part of a full chapter rework V12 labels May 23, 2023
@elarlang elarlang added the V10 label Nov 2, 2024
@jmanico
Member

jmanico commented Nov 4, 2024

For 12.3.6, we often need to load javascript from different domains in browser-based apps for page load performance. Sub-resource Integrity can help this be done safely. So if we don't have it already, I'd suggest we add it as an exception for 12.3.6 - as is 12.3.6 is too strict.
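Subresource Integrity, as mentioned in the comment above, lets a page load a script from another origin while refusing to run it if the bytes differ from what was reviewed. The following is an added example written for this thread, not code from the ASVS project or from any commenter: it generates the `integrity` attribute for a constructed asset and mirrors the browser's acceptance rule (several tokens allowed, strongest listed algorithm decides). The asset bytes and the CDN URL are made up.

```python
import base64
import hashlib

# Constructed stand-in for a JavaScript file that would be served from a CDN.
CDN_ASSET = b"(function(){document.title='constructed sample asset';})();\n"

SRI_ALGORITHMS = {"sha256": 1, "sha384": 2, "sha512": 3}  # rank = relative strength


def sri_token(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token of the form '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag for an externally hosted asset whose bytes were
    reviewed at build time. crossorigin="anonymous" is required so the browser
    may read the cross-origin response and compare the hash."""
    return (f'<script src="{src}" integrity="{sri_token(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(fetched: bytes, integrity: str) -> bool:
    """Mirror the browser's SRI decision for one response.

    The attribute may list several whitespace-separated tokens. Only tokens
    using the strongest listed algorithm count, and the fetched bytes must
    match at least one of them. Tokens with an unknown algorithm are ignored;
    if none remain this function fails closed (a browser would instead treat
    the attribute as empty and load the resource unchecked)."""
    tokens = []
    for raw in integrity.split():
        alg, sep, digest = raw.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            tokens.append((alg, digest.split("?", 1)[0]))  # drop any "?options" suffix
    if not tokens:
        return False
    strongest = max(SRI_ALGORITHMS[alg] for alg, _ in tokens)
    return any(
        SRI_ALGORITHMS[alg] == strongest and sri_token(fetched, alg) == f"{alg}-{digest}"
        for alg, digest in tokens
    )


if __name__ == "__main__":
    print(script_tag("https://cdn.example/vendor.js", CDN_ASSET))
    expected = sri_token(CDN_ASSET)
    print("unmodified asset accepted:", verify_integrity(CDN_ASSET, expected))
    print("tampered asset accepted:  ", verify_integrity(CDN_ASSET + b"//x", expected))
```

The hash has to be computed from the exact bytes the CDN will serve, so in practice it is generated in the build step that vendors or pins the asset, and any CDN update requires a new review and a new attribute value.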

@randomstuff
Contributor

[MODIFIED] Verify that the application only loads or executes code, modules, content or plugins from sources not under the application's direct control/protection if it employs integrity protections, such as code signing.

Would it be clearer to say:

[MODIFIED] Verify that the application employs integrity protections, such as code signing when it loads or executes code, modules, content or plugins from sources not under the application's direct control/protection.

@jmanico
Member

jmanico commented Nov 4, 2024

I propose we kill them both. Third party library issues covers this, and the SRI requirement covers external JS libraries.

@jmanico
Member

jmanico commented Nov 4, 2024

And just so we keep some of this I suggest we modify 10.6.2 a little to include transitive dependencies.

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| 10.6.2 | [MODIFIED] Verify that third party components and all of their transitive dependencies are being included from the expected repository, whether that is internally owned or an external source, and that there is no risk of a dependency confusion attack. | | | | 427 |
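One way to check the proposed 10.6.2 wording mechanically is to audit the lockfile, since it records where every package, direct or transitive, was resolved from. The block below is an added example for this thread, not ASVS project code: it walks a constructed `package-lock.json` (lockfileVersion 3 layout), compares each package's resolved host against the registry expected for it, and flags the classic dependency confusion pattern of an internally scoped package pulled from the public registry. The scope `@acme/`, the hosts `npm.acme.example` and `mirror.unknown.example`, and all package versions and integrity strings are made up.

```python
import json
from urllib.parse import urlparse

# Hypothetical organisation settings: an internal scope that is published only
# to an internal registry; everything else is expected from the public registry.
INTERNAL_SCOPE = "@acme/"
INTERNAL_REGISTRY = "npm.acme.example"
PUBLIC_REGISTRY = "registry.npmjs.org"

# Constructed package-lock.json in the lockfileVersion 3 layout. Names,
# versions, hosts and integrity strings are invented for this example.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"left-pad": "^1.3.0", "@acme/auth": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED1",
            "dependencies": {"lodash": "^4.17.0"}},
        # transitive via left-pad, served from an unexpected mirror, no integrity
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://mirror.unknown.example/lodash-4.17.21.tgz"},
        "node_modules/@acme/auth": {
            "version": "2.0.0",
            "resolved": "https://npm.acme.example/@acme/auth/-/auth-2.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED2",
            "dependencies": {"@acme/util": "^2.1.0"}},
        # transitive, internal scope but resolved from the public registry
        "node_modules/@acme/util": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/@acme/util/-/util-2.1.0.tgz",
            "integrity": "sha512-CONSTRUCTED3"},
    },
})


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def expected_registry(name: str) -> str:
    return INTERNAL_REGISTRY if name.startswith(INTERNAL_SCOPE) else PUBLIC_REGISTRY


def audit_lockfile(text: str) -> list:
    """Return one (package, kind, problem) tuple per finding, kind being
    'direct' or 'transitive'. Every lockfile entry is examined, so transitive
    dependencies get the same scrutiny as the ones listed in package.json."""
    lock = json.loads(text)
    root = lock["packages"].get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the project itself
        name = package_name(path)
        kind = "direct" if name in direct else "transitive"
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, kind, "no resolved URL; source unknown"))
            continue
        host = urlparse(resolved).hostname
        if host != expected_registry(name):
            findings.append((name, kind,
                             f"resolved from {host}, expected {expected_registry(name)}"))
        if not entry.get("integrity"):
            findings.append((name, kind, "no integrity hash recorded"))
    return findings


if __name__ == "__main__":
    for name, kind, problem in audit_lockfile(LOCKFILE):
        print(f"{name} ({kind}): {problem}")
```

Run against the constructed lockfile this reports three findings, all on transitive packages: `lodash` from an unexpected host and without an integrity hash, and `@acme/util` resolved from the public registry although its scope belongs to the internal one. A check like this belongs in CI next to the lockfile, and the same idea applies to other ecosystems' lockfiles, though their layouts differ.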

@elarlang elarlang added the 4) proposal for review Issue contains clear proposal for add/change something label Nov 4, 2024
@jmanico
Member

jmanico commented Nov 5, 2024

It looks like we are going to PR.

12.3.6 is already covered by 50.6.1 so 12.3.6 can go away.
10.3.2 can also go away, and just to make sure we preserve that knowledge we are going to make a small change to 10.6.2 to include transitive dependencies.

@ImanSharaf
Collaborator

We have 50.6.1 and we can remove 12.3.6

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| 50.6.1 | [MODIFIED, MOVED FROM 14.2.3] Verify that if client-side assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. | | | | 829 |

@tghosth
Collaborator

tghosth commented Nov 5, 2024

For the PR:

12.3.6 deleted as duplicate of 50.6.1.

10.3.2 deleted merged into 10.6.2.

10.6.2 make the relevant change.

@ImanSharaf

@tghosth tghosth added 6) PR awaiting review and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 4) proposal for review Issue contains clear proposal for add/change something 4a) Waiting for another This issue is waiting for another issue to be resolved 4b Major-rework These issues need to be part of a full chapter rework 6) PR awaiting review labels Nov 5, 2024
@tghosth tghosth added the 5) awaiting PR A proposal has been accepted and reviewed and we are now waiting for a PR label Nov 5, 2024
ImanSharaf added 6 commits to ImanSharaf/ASVS that referenced this issue Nov 5, 2024
tghosth added a commit that referenced this issue Nov 5, 2024
* Update 0x18-V10-Coding.md

#1471

* Update 0x18-V10-Coding.md

Small change

* Update 0x18-V10-Coding.md

* Update 0x18-V10-Coding.md

* wqd

---------

Co-authored-by: Jim Manico <[email protected]>
Co-authored-by: Josh Grossman <[email protected]>
tghosth pushed a commit that referenced this issue Nov 5, 2024
@jmanico jmanico closed this as completed Nov 5, 2024

5 participants