Split out metadata and source control folders to resolve #2633 (#2647)
* Split out metadata and source control folders to resolve #2633

* Clarify source control metadata requirement

* Remove extra line
tghosth authored Feb 24, 2025
1 parent 6f1031e commit 922c369
Showing 3 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion 5.0/en/0x12-V4-Access-Control.md
Expand Up @@ -57,7 +57,7 @@ Additional considerations for access control, particularly for administrative in
| # | Description | Level | CWE |
| :---: | :--- | :---: | :---: |
| **4.3.1** | [MODIFIED, LEVEL L1 > L3] Verify that access to administrative interfaces incorporates multiple layers of security, including continuous consumer identity verification, device security posture assessment, and contextual risk analysis, ensuring that network location or trusted endpoints are not the sole factors for authorization even though they may reduce the likelihood of unauthorized access. | 3 | 419 |
| **4.3.2** | [SPLIT TO 14.3.4, 14.3.5] | | |
| **4.3.2** | [SPLIT TO 14.1.6, 14.1.11, 14.3.4] | | |
| **4.3.3** | [MOVED TO 14.7.3] | | |
| **4.3.4** | [ADDED] Verify that multi-tenant applications use cross-tenant controls to ensure consumer operations will never affect tenants with which they do not have permissions to interact. | 1 | 283 |

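Review bot: before merging, confirm that no other document in the 5.0 tree still points at 14.3.5 as the file-metadata requirement, because this hunk retargets the 4.3.2 split while the V14 hunks in the same commit delete the old 14.3.5 and reuse that number for the requirement moved from 12.5.1. The new targets themselves line up with V14: 14.1.6 carries `MOVED FROM 14.2.2, SPLIT FROM 4.3.2`, 14.1.11 is `ADDED, SPLIT FROM 4.3.2`, and 14.3.4 keeps `ADDED, SPLIT FROM 4.3.2`.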
2 changes: 1 addition & 1 deletion 5.0/en/0x20-V12-Files-Resources.md
Expand Up @@ -61,7 +61,7 @@ User-submitted filenames should be validated or ignored in the Content-Dispositi

| # | Description | Level | CWE |
| :---: | :--- | :---: | :---: |
| **12.5.1** | [MOVED TO 14.3.6] | | |
| **12.5.1** | [MOVED TO 14.3.5] | | |
| **12.5.2** | [MOVED TO 50.6.1] | | |
| **12.5.3** | [MODIFIED, MOVED FROM 12.3.4] Verify that the application validates or ignores user-submitted filenames, including in a JSON, JSONP, or URL parameter and specifies a filename in the Content-Disposition header field in the response. | 1 | 641 |
| **12.5.4** | [ADDED] Verify that file names served (e.g., in HTTP response header fields or email attachments) are encoded or sanitized (e.g., following RFC 6266) to preserve document structure and prevent injection attacks. | 1 | |
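Review bot: the retargeting of 12.5.1 from 14.3.6 to 14.3.5 is the right follow-through for the renumbering in the V14.3 hunk, where the requirement moved from 12.5.1 now sits at 14.3.5 with the `GRAMMAR, MOVED FROM 12.5.1` tag. One consequence worth stating in the commit message: because the numbers shift down rather than leaving a gap, any pre-commit reference to 14.3.6 now resolves to the HTTP TRACE requirement instead.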
10 changes: 5 additions & 5 deletions 5.0/en/0x22-V14-Config.md
Expand Up @@ -38,11 +38,12 @@ Compliance with this section requires an automated build system, and access to b
| **14.1.3** | [MODIFIED] Verify that configuration hardening is performed on all third-party products, libraries, frameworks and services as per their individual recommendations. | 2 | 16 |
| **14.1.4** | [DELETED, NOT IN SCOPE] | | |
| **14.1.5** | [MODIFIED] Verify that deployed environments are short lived and frequently redeployed to a "known good" but updated state. Alternatively, long lived environments should use some form of "drift prevention" to ensure that deployed configurations are not changed to an insecure state. | 3 | |
| **14.1.6** | [MOVED FROM 14.2.2] Verify that all unneeded features, documentation, sample applications and configurations are removed. | 1 | 1002 |
| **14.1.6** | [MOVED FROM 14.2.2, SPLIT FROM 4.3.2] Verify that all unneeded features, documentation, sample applications, configurations, and file or directory metadata (such as Thumbs.db, .DS_Store) are removed. | 1 | 1002 |
| **14.1.7** | [ADDED] Verify that production environment does not include test code. | 2 | 489 |
| **14.1.8** | [ADDED] Verify that data, state information, and server instances related to the build and deployment process do not persist after the process has ended. (Ephemerality). | 3 | |
| **14.1.9** | [ADDED] Verify that application code or functionality can only be changed via the standard update or build process and not directly in production through application functionality or some other direct modification mechanism. | 2 | |
| **14.1.10** | [MODIFIED, MOVED FROM 2.5.4] Verify that default user accounts (e.g., "root", "admin", or "sa") are not present in the application or are disabled. | 1 | 798 |
| **14.1.11** | [ADDED, SPLIT FROM 4.3.2] Verify that the application is deployed either without any source control metadata including the .git or .svn folders or in a way that these folders are inaccessible both externally and to the application itself. | 1 | |

## V14.2 Dependency

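Review bot: the tag on 14.1.6 should include MODIFIED, since the requirement text changes in this hunk (it gains "configurations, and file or directory metadata (such as Thumbs.db, .DS_Store)") while the tag only records the move and the split; the convention visible on this page is `[MODIFIED, MOVED FROM 2.5.4]` on 14.1.10 and `[MODIFIED, MOVED FROM 12.3.4]` on 12.5.3, so `[MODIFIED, MOVED FROM 14.2.2, SPLIT FROM 4.3.2]` would match. The new 14.1.11 is also added with an empty CWE column; CWE 552 (Files or Directories Accessible to External Parties), already used on this page for the web-tier file-extension requirement, is the natural candidate, to be confirmed by the authors. Minor wording nit on 14.1.11: commas around the example list keep the "either ... or" alternatives readable: "either without any source control metadata, including the .git or .svn folders, or in a way that these folders are inaccessible ...".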
Expand All @@ -67,9 +68,8 @@ For example, hiding the version of server-side components does not fix the need
| **14.3.2** | [MODIFIED] Verify that debug modes are disabled in production environments for every component to prevent exposure of debug features and unintended information leakage. | 1 | 497 |
| **14.3.3** | [MODIFIED] Verify that the application does not expose detailed version information of server-side components. | 1 | 200 |
| **14.3.4** | [ADDED, SPLIT FROM 4.3.2] Verify that directory browsing is disabled unless deliberately desired. | 1 | 548 |
| **14.3.5** | [ADDED, SPLIT FROM 4.3.2] Verify that the application does not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | 1 | |
| **14.3.6** | [GRAMMAR, MOVED FROM 12.5.1] Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (.bak), temporary working files (.swp), compressed files (.zip, .tar.gz) and other extensions commonly used by editors should be blocked unless required. | 1 | 552 |
| **14.3.7** | [ADDED, SPLIT FROM 14.5.1] Verify that the HTTP TRACE method is disabled to avoid potential information leakage. | 1 | 749 |
| **14.3.5** | [GRAMMAR, MOVED FROM 12.5.1] Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (.bak), temporary working files (.swp), compressed files (.zip, .tar.gz) and other extensions commonly used by editors should be blocked unless required. | 1 | 552 |
| **14.3.6** | [ADDED, SPLIT FROM 14.5.1] Verify that the HTTP TRACE method is disabled to avoid potential information leakage. | 1 | 749 |

## V14.4 HTTP Security Headers

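Review bot: deleting the old 14.3.5 changes the nature of the control, and the commit message ("Split out metadata and source control folders") should say so. The deleted text was a runtime requirement ("does not allow discovery or disclosure" of Thumbs.db, .DS_Store, .git or .svn), whereas its replacements in the V14.1 hunk are deployment-oriented: 14.1.6 requires such metadata to be removed and 14.1.11 requires source control folders to be absent or inaccessible. Within V14.3 the only remaining runtime check is the renumbered 14.3.5 extension allowlist, which blocks these files only because their names fall outside the served extensions, so a reader looking for an explicit metadata-disclosure requirement in this section will no longer find one. The renumbering of 14.3.6 to 14.3.5 and 14.3.7 to 14.3.6 is otherwise consistent with the updated cross-references in 12.5.1 and 14.5.1.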
Expand All @@ -87,7 +87,7 @@ For example, hiding the version of server-side components does not fix the need

| # | Description | Level | CWE |
| :---: | :--- | :---: | :---: |
| **14.5.1** | [SPLIT TO 13.6.1, 14.3.7] | | |
| **14.5.1** | [SPLIT TO 13.6.1, 14.3.6] | | |
| **14.5.2** | [DELETED, COVERED BY 4.2.3] | | |
| **14.5.3** | [SPLIT TO 50.3.6, 50.4.3] | | |
| **14.5.4** | [DELETED, INCORRECT] | | |
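Review bot: the updated target 14.3.6 matches the renumbered HTTP TRACE requirement, which keeps its `ADDED, SPLIT FROM 14.5.1` tag in the V14.3 hunk, so this line is consistent with the rest of the commit. The 13.6.1 half of the split is unchanged and outside this diff, so it was not checked here.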
