andrewmusselman opened a new issue, #788:
URL: https://github.com/apache/tooling-trusted-releases/issues/788
**ASVS:** 3.2.1 · **CWE:** CWE-79, CWE-200 · **Files:** `atr/web.py` (lines 200–206), `atr/post/tokens.py` (lines 34–38)
### Description
Two response types serve sensitive or executable content without
`Content-Disposition: attachment`:
1. **ShellResponse** (`atr/web.py`) — serves shell scripts with
`text/x-shellscript` MIME type but no Content-Disposition, so a browser may
attempt to render rather than download.
2. **JWT endpoint** (`atr/post/tokens.py`) — returns a raw JWT as
`text/plain` without Content-Disposition or `Cache-Control: no-store`, risking
browser caching of authentication tokens.
Standard file downloads (`atr/get/download.py`) correctly use
`as_attachment=True`.
### Recommended fix
```python
import quart


# ShellResponse: force the browser to download the script instead of rendering it
class ShellResponse(quart.Response):
    def __init__(self, text: str, filename: str = "script.sh", status: int = 200) -> None:
        # The filename parameter is what belongs in the header value
        headers = {"Content-Disposition": f'attachment; filename="{filename}"'}
        super().__init__(text, status=status, headers=headers, mimetype="text/x-shellscript")


# JWT endpoint (web and jwtoken are ATR's own modules)
async def jwt_post(session: web.Committer) -> web.QuartResponse:
    jwt_token = jwtoken.issue(session.uid)
    response = web.TextResponse(jwt_token)
    # Download rather than render, and never store the token in any cache
    response.headers["Content-Disposition"] = "attachment"
    response.headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
    return response
```
- Add `audit_guidance` comment explaining we know we are using the shell in
a unique way, on purpose
- Add cache control no-store, and no-cache
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
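As an added example, not code from the issue above or from the tooling-trusted-releases project, the following standalone Python builds the hardened headers the issue asks for and adds the check a reviewer would want: a `Content-Disposition` filename that cannot break the header even when the name is hostile (path components, quotes, CRLF), an RFC 5987 `filename*` for non-ASCII names, and an audit function that can be run over any response's headers in a test. The helper names `attachment_disposition`, `hardened_headers` and `audit_headers`, the `SENSITIVE_TYPES` set, and the sample header dicts are all assumptions made for this example.

```python
import unicodedata
from typing import Optional
from urllib.parse import quote

# Hypothetical helpers written for this issue; not ATR project code.

# Content types the issue treats as needing a forced download and no caching.
SENSITIVE_TYPES = {"text/x-shellscript", "text/plain", "application/jwt"}


def attachment_disposition(filename: str) -> str:
    """Build a Content-Disposition value that forces a download.

    The name is reduced to its last path component, stripped of control
    characters (so a CRLF cannot inject a new header line) and of the double
    quote that would end the quoted-string early. Non-ASCII names get an
    RFC 5987 filename* parameter beside an ASCII fallback.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = "".join(ch for ch in base if ch >= " " and ch not in '\x7f"')
    if base in ("", ".", ".."):
        base = "download"
    ascii_name = unicodedata.normalize("NFKD", base).encode("ascii", "ignore").decode()
    ascii_name = ascii_name or "download"
    value = f'attachment; filename="{ascii_name}"'
    if ascii_name != base:
        value += f"; filename*=UTF-8''{quote(base, safe='')}"
    return value


def hardened_headers(mimetype: str, filename: Optional[str] = None) -> dict:
    """Headers for a response carrying a script or a token: forced download,
    never stored by browser or intermediary caches, no MIME sniffing."""
    return {
        "Content-Type": mimetype,
        "Content-Disposition": attachment_disposition(filename) if filename else "attachment",
        "Cache-Control": "no-store",
        "X-Content-Type-Options": "nosniff",
    }


def audit_headers(headers: dict) -> list:
    """Return findings for a response that should have been hardened.
    Header names are compared case-insensitively, as they are on the wire."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    if ctype in SENSITIVE_TYPES and not disposition.startswith("attachment"):
        findings.append(f"{ctype} served without Content-Disposition: attachment")
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control does not include no-store")
    return findings


# Constructed header sets modelled on the two responses the issue describes.
JWT_BEFORE = {"Content-Type": "text/plain; charset=utf-8"}
JWT_AFTER = hardened_headers("text/plain")
SCRIPT_AFTER = hardened_headers("text/x-shellscript", "script.sh")

if __name__ == "__main__":
    for name, hdrs in [("jwt before", JWT_BEFORE), ("jwt after", JWT_AFTER), ("script after", SCRIPT_AFTER)]:
        print(name, audit_headers(hdrs) or "ok")
```

`audit_headers` is meant to be called on responses you already consider sensitive, so it reports a missing `no-store` unconditionally; the `Content-Disposition` check is limited to the types in `SENSITIVE_TYPES`. Quoting the filename is what makes the `;` in a hostile name harmless, but only once control characters and quotes have been removed first.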