asf-tooling opened a new issue, #1096:
URL: https://github.com/apache/tooling-trusted-releases/issues/1096
**ASVS Level(s):** L2
**Description:**
### Summary
Neither vhost configuration includes an explicit `<Directory>` block for the
docroot `/x1/dist/` with `Options -Indexes`. If the global Apache configuration
does not explicitly set `Options -Indexes` (the Apache default is `Options All`
which includes `Indexes`), and if any URL path is not matched by the
`ProxyPass` rules or Alias directives, the docroot could expose a directory
listing. Current proxy rules cover `/` (proxied to backend) and `/downloads/`
(aliased), minimizing practical risk. However, defense-in-depth dictates
explicitly disabling indexes on the docroot.
### Details
In `tooling-vm-ec2-de.apache.org.yaml`, no explicit directory block exists
for the docroot with `Options -Indexes`.
### Recommended Remediation
Add an explicit directory block for the docroot:
```apache
<Directory /x1/dist/>
    Options -Indexes +FollowSymLinks
    Require all denied
</Directory>
```
### Acceptance Criteria
- [ ] Directory block added for docroot
- [ ] Directory listing explicitly disabled
- [ ] Defense-in-depth protection complete
- [ ] Unit tests verify no directory listing
### References
- Source reports: L2:13.4.3.md
- Related findings: None
- ASVS sections: 13.4.3
### Priority
Low
---
**Triage notes:** janitorial services
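One way to back the "unit tests verify no directory listing" criterion with a static check on the rendered vhost text. This is an added example, not code from the issue or the project. The function name `indexes_disabled` and the sample configurations are constructed for illustration, and the check only looks at `<Directory>` blocks in the text it is given, not at inherited global settings or other section types.

```python
import re

def indexes_disabled(config_text, docroot):
    """True only if a <Directory> block for docroot explicitly turns Indexes off."""
    want = docroot.rstrip("/")
    in_block = False
    state = None  # None = nothing explicit (inherited), True = on, False = off
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            in_block = m.group(1).rstrip("/") == want
            continue
        if re.match(r"</Directory>", line, re.I):
            in_block = False
            continue
        if in_block and re.match(r"Options\s", line, re.I):
            tokens = line.split()[1:]
            if tokens[0][0] in "+-":
                # Relative form: only an explicit +/-Indexes changes the state.
                for tok in tokens:
                    if tok[1:].lower() == "indexes":
                        state = tok[0] == "+"
            else:
                # Absolute form: the listed options replace whatever was inherited.
                state = any(t.lower() in ("indexes", "all") for t in tokens)
    return state is False

# Constructed sample inputs (hypothetical, not the project's real configuration).
NO_BLOCK = "DocumentRoot /x1/dist/\n"
HARDENED = NO_BLOCK + """<Directory /x1/dist/>
    Options -Indexes +FollowSymLinks
    Require all denied
</Directory>
"""
LISTING_ON = NO_BLOCK + """<Directory /x1/dist>
    Options Indexes FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for name, text in [("no block", NO_BLOCK), ("hardened", HARDENED),
                       ("listing on", LISTING_ON)]:
        print(f"{name}: indexes explicitly disabled = "
              f"{indexes_disabled(text, '/x1/dist/')}")
```

A missing block is reported the same as a failing one, which matches the issue's point that the setting should be explicit rather than inherited.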