asf-tooling opened a new issue, #1077:
URL: https://github.com/apache/tooling-trusted-releases/issues/1077
**ASVS Level(s):** L1
**Description:**
### Summary
The ShellResponse class serves `text/x-shellscript` content without a
`Content-Disposition: attachment` header. That header forces a download so
the script body is never rendered in the browser window; without it, the
response relies on the declared type and `nosniff` to stop the browser from
reinterpreting the body as HTML. An `audit_guidance` comment indicates this
is an intentional design decision with multiple compensating controls, but
ASVS 3.2.1 guidance recommends an attachment header for executable content
as defense-in-depth. Practical risk is negligible because of the CSP,
`X-Content-Type-Options: nosniff`, and the explicit `Content-Type` header.
### Details
The issue exists in `atr/web.py` around lines 209-211. An audit_guidance
comment already exists indicating this is an intentional design decision with
compensating controls.
### Recommended Remediation
**Option 1 (Add filename parameter and always set attachment):**
```python
class ShellResponse:
    def __init__(self, content: str, filename: str = "script.sh", **kwargs):
        """Create a shell script response with Content-Disposition: attachment."""
        headers = kwargs.setdefault("headers", {})
        # Always force a download; `filename` is the name the browser will offer.
        # Callers must not pass attacker-controlled names unsanitized (CR/LF, quotes).
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        headers["Content-Type"] = "text/x-shellscript"
        # ... rest of initialization
```
**Option 2 (Add as_attachment flag):**
```python
class ShellResponse:
    def __init__(self, content: str, filename: str = "script.sh",
                 as_attachment: bool = True, **kwargs):
        """Create a shell script response with optional attachment disposition."""
        headers = kwargs.setdefault("headers", {})
        if as_attachment:
            # Force a download; callers that need inline delivery pass
            # as_attachment=False explicitly, so the secure default stays on.
            headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        headers["Content-Type"] = "text/x-shellscript"
        # ... rest of initialization
```
**Option 3 (Risk acceptance with updated audit_guidance):**
```python
# audit_guidance: ASVS 3.2.1 LOW-003 reviewed 2024-01-15
# Content-Disposition: attachment intentionally not set for shell scripts
# Compensating controls:
# - CSP default-src 'self' blocks inline script even if the response were
#   ever rendered as a document
# - X-Content-Type-Options: nosniff prevents MIME sniffing into text/html
# - Explicit Content-Type: text/x-shellscript
# - Browsers do not execute text/x-shellscript; they display or download it
# Risk accepted: Negligible due to multiple defense layers
```
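The following is an added example, not code from `atr/web.py` or from the tooling-trusted-releases project. It shows what a hardened version of Option 2 looks like end to end: a framework-neutral `ShellResponse` stand-in (a hypothetical class, not the project's own) that builds the `Content-Disposition` value safely, rejecting header-injection characters, stripping path components and falling back to an RFC 5987 `filename*` parameter for non-token names, plus an `audit_shell_headers` helper of the kind the "unit tests verify header behavior" acceptance criterion would call. The helper names and the sample script are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import quote

SHELL_MIME = "text/x-shellscript"
# Characters that are safe both as a token and inside an HTTP quoted-string.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]+$")


def content_disposition(filename: str) -> str:
    """Build an ``attachment`` Content-Disposition value for ``filename``.

    Rejects header-injection characters, drops any path component, and
    falls back to an ASCII name plus an RFC 5987 ``filename*`` parameter
    when the name contains characters unsafe inside a quoted-string.
    """
    if any(c in filename for c in "\r\n\x00"):
        raise ValueError("filename contains header-injection characters")
    base = re.split(r"[\\/]", filename)[-1]  # keep only the last path segment
    if base in ("", ".", ".."):
        raise ValueError("filename has no usable base name")
    if _SAFE_TOKEN.match(base):
        return f'attachment; filename="{base}"'
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return (f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(base, safe='')}")


class ShellResponse:
    """Hypothetical stand-in for a web-framework Response subclass (assumption)."""

    def __init__(self, content: str, filename: str = "script.sh",
                 as_attachment: bool = True,
                 headers: Optional[dict] = None) -> None:
        self.status = 200
        self.body = content.encode("utf-8")
        self.headers: dict = dict(headers or {})
        # Explicit type plus nosniff: the browser must never guess text/html.
        self.headers["Content-Type"] = f"{SHELL_MIME}; charset=utf-8"
        self.headers["X-Content-Type-Options"] = "nosniff"
        if as_attachment:
            self.headers["Content-Disposition"] = content_disposition(filename)


def audit_shell_headers(headers: dict) -> list:
    """Return the defense-in-depth controls missing from ``headers``.

    A unit test for this finding asserts that the returned list is empty.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not lowered.get("content-type", "").lower().startswith(SHELL_MIME):
        findings.append(f"Content-Type is not {SHELL_MIME}")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if not lowered.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition: attachment missing")
    return findings


if __name__ == "__main__":
    # Constructed sample script; not from the project.
    resp = ShellResponse("#!/bin/sh\necho hello\n", filename="release.sh")
    print(resp.headers)
    print(audit_shell_headers(resp.headers))
    inline = ShellResponse("#!/bin/sh\n", as_attachment=False)
    print(audit_shell_headers(inline.headers))
```

The header-injection check matters more than it looks: if `filename` ever comes from a request parameter, a bare f-string would let `\r\n` split the header and inject arbitrary response headers, which is a far worse outcome than the missing disposition this finding is about.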
### Acceptance Criteria
- [ ] Content-Disposition: attachment added (Option 1 or 2)
- [ ] OR: Risk acceptance documented with updated audit_guidance (Option 3)
- [ ] Unit tests verify header behavior
- [ ] Integration tests verify shell script responses
- [ ] Code review confirms defense-in-depth approach
- [ ] Documentation updated with design decision
### References
- Source reports: L1:3.2.1.md
- Related findings: FINDING-220
- ASVS sections: 3.2.1
- CWE: CWE-430
### Priority
Low
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]