andrewmusselman opened a new issue, #714:
URL: https://github.com/apache/tooling-trusted-releases/issues/714
**ASVS Requirement:** 4.1.1 — Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content, including the charset parameter

**Severity:** Low

**CWE:** CWE-436 (Interpretation Conflict)

### Description

The `_download_or_list()` function in `atr/get/download.py` (lines 127–130)
serves all downloaded files with a hardcoded `application/octet-stream`
mimetype, regardless of the actual file type. While this is safe as a fallback,
ASVS 4.1.1 requires that Content-Type match the actual content.

### Current Code

```python
# Every download is sent with the same hardcoded type, whatever the file actually is
return await quart.send_file(
    full_path,
    as_attachment=True,
    attachment_filename=validated_path.name,
    mimetype="application/octet-stream",
)
```

### Impact

- Clients and downstream tools cannot determine the actual file type from the HTTP headers without inspecting the file extension or content.
- While `as_attachment=True` mitigates browser rendering risks, accurate Content-Type is a compliance requirement and helps tools that process downloads programmatically.

### Recommended Fix

Add an `audit_guidance` comment explaining we are doing this on purpose so
that the linked content downloads from the browser instead of trying to open it
in a new tab or whatever it normally would do.
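
For comparison, the following is an added example (not code from this project) of how a download handler can satisfy ASVS 4.1.1 while still forcing the browser to download rather than render: it derives a Content-Type from the file name, confirms it against the file's leading bytes so the header never claims more than the content supports, adds the charset parameter for text types, and keeps `Content-Disposition: attachment`. The extension table, the magic-byte table, the function names `content_type_for` and `download_headers`, and the sample inputs are all assumptions constructed for this example.

```python
import codecs

# Extension -> media type table for what a release-download endpoint typically
# serves. Constructed for this example; it is not the project's own mapping.
_BY_EXTENSION = {
    ".tar.gz": "application/gzip",
    ".tgz": "application/gzip",
    ".zip": "application/zip",
    ".asc": "application/pgp-signature",
    ".sha256": "text/plain",
    ".sha512": "text/plain",
    ".txt": "text/plain",
}

# Leading bytes the content must start with before a non-text type is declared.
# If the name says one thing and the bytes say another, we fall back.
_MAGIC = {
    "application/gzip": (b"\x1f\x8b",),
    "application/zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local header / empty EOCD
    "application/pgp-signature": (b"-----BEGIN PGP SIGNATURE-----",),  # .asc is armored
}

# The safe default, which is also what the issue's current code always sends.
FALLBACK = "application/octet-stream"


def content_type_for(filename: str, head: bytes) -> str:
    """Return the Content-Type to send for `filename` whose first bytes are `head`.

    The declared type is only ever as specific as the bytes justify; any mismatch
    between name and content degrades to application/octet-stream.
    """
    name = filename.lower()
    media = next((t for ext, t in _BY_EXTENSION.items() if name.endswith(ext)), None)
    if media is None:
        return FALLBACK
    if media == "text/plain":
        # ASVS 4.1.1 wants a charset on text types; only claim UTF-8 if the head
        # decodes as UTF-8. final=False tolerates a multibyte char cut at the end
        # of the sampled head but still rejects invalid bytes.
        try:
            codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
        except UnicodeDecodeError:
            return FALLBACK
        return "text/plain; charset=utf-8"
    if not any(head.startswith(magic) for magic in _MAGIC[media]):
        return FALLBACK
    return media


def download_headers(filename: str, head: bytes) -> dict:
    """Headers for a forced download: accurate Content-Type, attachment disposition."""
    safe_name = filename.replace("\\", "_").replace('"', "_")  # keep the quoted-string well formed
    return {
        "Content-Type": content_type_for(filename, head),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Tell browsers not to second-guess the declared type by sniffing
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample heads; a real handler would read the first 64 bytes of the file.
    samples = [
        ("apache-example-1.0-src.tar.gz", b"\x1f\x8b\x08\x00" + b"\x00" * 60),
        ("apache-example-1.0-src.tar.gz", b"PK\x03\x04"),  # name says gzip, bytes say zip
        ("apache-example-1.0-src.tar.gz.sha512", b"0123abcd  apache-example-1.0-src.tar.gz\n"),
        ("apache-example-1.0-src.tar.gz.asc", b"-----BEGIN PGP SIGNATURE-----\n"),
        ("notes.txt", b"\xff\xfe"),  # not UTF-8: do not claim a charset
        ("unknown.bin", b"anything"),
    ]
    for name, head in samples:
        print(f"{name:45} -> {download_headers(name, head)['Content-Type']}")
```

Only the Content-Type line changes relative to the issue's current code; `as_attachment=True` in `quart.send_file` produces the same attachment disposition, so the forced-download behaviour the issue wants to preserve is unaffected.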
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]