asf-tooling opened a new issue, #1076:
URL: https://github.com/apache/tooling-trusted-releases/issues/1076

   **ASVS Level(s):** L1
   
   **Description:**
   
   ### Summary
   The ZipResponse class in `atr/web.py` does not automatically enforce the 
`Content-Disposition: attachment` header, relying on callers to provide it. 
This is a defense-in-depth gap: ASVS 3.2.1 explicitly recommends the 
attachment disposition for downloadable content to prevent browser rendering 
and unintended content interpretation.
   
   ### Details
   The issue exists in `atr/web.py` around lines 218-226. The ZipResponse class 
does not automatically set the Content-Disposition header.
   
   ### Recommended Remediation
   Enforce `Content-Disposition: attachment` in the ZipResponse constructor as 
defense in depth:
   
   **Option 1 (Add if missing):**
   ```python
   class ZipResponse:
       def __init__(self, filename: str = "archive.zip", **kwargs):
           """Create ZIP response with Content-Disposition: attachment."""
           # Ensure Content-Disposition is set; a caller-supplied value wins
           if 'headers' not in kwargs:
               kwargs['headers'] = {}

           # Note: this membership check is case-sensitive, while HTTP header
           # names are not, so a caller passing 'content-disposition' is not detected
           if 'Content-Disposition' not in kwargs['headers']:
               kwargs['headers']['Content-Disposition'] = f'attachment; filename="{filename}"'

           # ... rest of initialization
   ```
   
   **Option 2 (Always enforce):**
   ```python
   class ZipResponse:
       def __init__(self, filename: str = "archive.zip", **kwargs):
           """Create ZIP response with enforced Content-Disposition: attachment."""
           # Always set Content-Disposition (override caller if provided)
           if 'headers' not in kwargs:
               kwargs['headers'] = {}

           # A caller's key spelled in a different case (e.g. 'content-disposition')
           # would survive alongside this one; header names are case-insensitive
           kwargs['headers']['Content-Disposition'] = f'attachment; filename="{filename}"'

           # ... rest of initialization
   ```
   
   ### Acceptance Criteria
   - [ ] Content-Disposition: attachment header enforced in ZipResponse
   - [ ] Filename parameter added to constructor
   - [ ] Unit tests verify header is present
   - [ ] Unit tests verify filename is properly escaped
   - [ ] Integration tests verify ZIP downloads have attachment disposition
   - [ ] Code review confirms defense-in-depth approach
   
   ### References
   - Source reports: L1:3.2.1.md
   - Related findings: FINDING-221
   - ASVS sections: 3.2.1
   - CWE: CWE-430
   
   ### Priority
   Low
   
   ---
   
   **Triage notes:** if VOTE is completed then do not allow additional votes on 
POST


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
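The remediation sketched in the issue leaves two things to the implementer: escaping the filename (one of the acceptance criteria) and the fact that a plain dict membership check is case-sensitive while HTTP header names are not. The following is an added example, not code from the apache/tooling-trusted-releases repository or from `atr/web.py`. The `ZipResponse` class in it is a hypothetical stand-in with an invented constructor signature (`files`, `filename`, `headers`), and `content_disposition_attachment` and `enforce_attachment` are helper names introduced here. It builds an RFC 6266 header value with an ASCII `filename=` fallback plus an RFC 5987 `filename*` for non-ASCII names, rejects CR/LF and other control characters (header injection), strips any path component, and merges the header case-insensitively in both the add-if-missing and always-enforce modes.

```python
"""Added example, not code from apache/tooling-trusted-releases or atr/web.py:
a Content-Disposition helper that forces ``attachment``, escapes the filename
(RFC 6266 quoted-string plus an RFC 5987 ``filename*`` for non-ASCII names),
and merges it into caller-supplied headers case-insensitively."""
from __future__ import annotations

import io
import re
import unicodedata
import zipfile
from urllib.parse import quote

# CR, LF and other control bytes must never reach a header line: a CR/LF in a
# caller-controlled filename would let it inject extra response headers.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def _ascii_fallback(name: str) -> str:
    """ASCII-only form for the quoted ``filename=`` parameter.

    Non-ASCII letters are reduced to their base letter (NFKD), anything still
    non-ASCII is dropped, and backslash / double quote are escaped as a
    quoted-pair so the value cannot terminate the quoted-string early.
    """
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    return ascii_name or "download"


def content_disposition_attachment(filename: str) -> str:
    """Build a Content-Disposition value that always forces a download."""
    if _CONTROL_RE.search(filename):
        # Reject rather than silently strip: a CR/LF here is an injection attempt.
        raise ValueError("filename contains control characters")
    # Only the base name is suggested to the browser, so a caller cannot push
    # a path such as ../../etc/passwd into the header.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", ".."):
        base = "download"
    value = f'attachment; filename="{_ascii_fallback(base)}"'
    if not base.isascii():
        # RFC 5987 ext-value carries the real UTF-8 name; browsers prefer it
        # over the plain filename= fallback when both are present.
        value += f"; filename*=UTF-8''{quote(base, safe='')}"
    return value


def enforce_attachment(headers: dict[str, str] | None, filename: str,
                       override: bool = True) -> dict[str, str]:
    """Return a copy of *headers* with Content-Disposition set to attachment.

    HTTP header names are case-insensitive, so the lookup is too: a check like
    ``'Content-Disposition' not in headers`` would miss a caller passing
    ``content-disposition``. With ``override=False`` (the add-if-missing option)
    a caller-supplied value is kept only if its disposition type is already
    ``attachment``; ``inline`` is replaced, because keeping it would defeat the
    purpose of the header.
    """
    merged: dict[str, str] = {}
    existing = None
    for key, value in (headers or {}).items():
        if key.lower() == "content-disposition":
            existing = value
        else:
            merged[key] = value
    keep = (not override and existing is not None
            and existing.split(";", 1)[0].strip().lower() == "attachment")
    merged["Content-Disposition"] = existing if keep else content_disposition_attachment(filename)
    return merged


class ZipResponse:
    """Hypothetical stand-in for a ZIP download response (not atr.web.ZipResponse).

    Builds the archive in memory and applies the header enforcement in the
    constructor, so every caller gets the attachment disposition by default.
    """

    def __init__(self, files: dict[str, bytes], filename: str = "archive.zip",
                 headers: dict[str, str] | None = None) -> None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for member, data in files.items():
                zf.writestr(member, data)
        self.body = buf.getvalue()
        self.headers = enforce_attachment(headers, filename)
        self.headers.setdefault("Content-Type", "application/zip")
        # Companion defence: stop browsers from sniffing the body into another
        # type even if a caller supplies a different Content-Type.
        self.headers.setdefault("X-Content-Type-Options", "nosniff")


if __name__ == "__main__":
    # Constructed sample: one member, and a caller that tried to render inline.
    resp = ZipResponse({"README.md": b"# release\n"}, filename="apache-foo-1.0-rc1.zip",
                       headers={"content-disposition": "inline"})
    print(resp.headers["Content-Disposition"])
    print(content_disposition_attachment("résumé.zip"))
```

Raising on control characters, instead of stripping them, is deliberate: a filename carrying CR/LF is a header-injection attempt and should surface as an error in logs rather than be quietly repaired. The `override=False` branch shows why "add if missing" is weaker than "always enforce": it still has to replace an `inline` disposition, or the caller can undo the control the constructor is meant to guarantee.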

