
Commit 7a6d59e

Update ASVS to adhere to our standard
1 parent f1bca7c commit 7a6d59e

File tree: 1 file changed (+6 / -6 lines)


asvs.md

Lines changed: 6 additions & 6 deletions
@@ -311,7 +311,7 @@ This is a placeholder for future architectural requirements.
311311
| :---: | :--- | :---- | :---: | :---: |
312312
| **5.1.1** | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables). | | 2024-12-18 ||
313313
| **5.1.2** | Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rule [S4684](https://rules.sonarsource.com/java/RSPEC-4684/) for Java programs. But not applicable to Python script nodes anyways.| 2024-12-18 ||
314-
| **5.1.3** | Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (allow lists). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | The script (which can be input via flow variable) is not restricted via an allow-list because it is supposed to be flexible. Table inputs are safe, but (pickled) port objects could be read from unsafe sources if the workflow builder does so explicitly. Opened https://knime-com.atlassian.net/browse/AP-23768 for node column parameter input validation. | 2024-12-18 | |
314+
| **5.1.3** | Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (allow lists). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | The script (which can be input via flow variable) is not restricted via an allow-list because it is supposed to be flexible. Table inputs are safe, but (pickled) port objects could be read from unsafe sources if the workflow builder does so explicitly. Improved node column parameter input validation. | 2024-12-18 | |
315315
| **5.1.4** | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers, e-mail addresses, telephone numbers, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Structured data types known to KNIME are typed and validated by KNIME, structured types not known to KNIME need to be represented as unstructured data anyways. | 2024-12-18 ||
316316
| **5.1.5** | Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. | Checked by Sonar rule [S5146](https://rules.sonarsource.com/java/RSPEC-5146/) for Java. Download redirects are all generated by S3 SDK. Other redirects use list of allowed hosts. Our Python framework doesn't access URLs, if the user does so in scripts, they need to verify their redirects themselves. | 2024-12-18 ||
317317
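Review bot: the 5.1.3 edit turns an open work item into the claim "Improved node column parameter input validation" while leaving the 2024-12-18 date untouched, so a reader can no longer tell what validation was added or check it. State the concrete control in the verification column (which node parameters are now validated and against which allow list), and if the tracking reference has to go, keep a pointer to the release or change that implemented it. The same row says "Table inputs are safe" and then that "(pickled) port objects could be read from unsafe sources"; since unpickling untrusted data is arbitrary code execution, that sentence should say explicitly that safety depends on the workflow author loading port objects only from trusted sources, rather than leaving it as an aside.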

@@ -323,10 +323,10 @@ This is a placeholder for future architectural requirements.
323323
| **5.2.1** | Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | 2024-12-18 ||
324324
| **5.2.2** | Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. | | 2024-12-18 ||
325325
| **5.2.3** | Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection. | | 2024-12-18 ||
326-
| **5.2.4** | Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.<br>_Scripting nodes in workflows are exempted because we don't have control over the output._ | Checked by Sonar rule [S5334](https://rules.sonarsource.com/java/RSPEC-5334/) for Java programs. Python script execution could be sandboxed on executors, see https://knime-com.atlassian.net/browse/AP-23770. | 2024-12-18 | |
326+
| **5.2.4** | Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.<br>_Scripting nodes in workflows are exempted because we don't have control over the output._ | Checked by Sonar rule [S5334](https://rules.sonarsource.com/java/RSPEC-5334/) for Java programs. In the long run, Python script execution should be sandboxed on executors. | 2024-12-18 | |
327327
| **5.2.5** | Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed. | Currently no templating in place. | 2024-12-18 | |
328328
| **5.2.6** | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. | | 2024-12-18 ||
329-
| **5.2.7** | Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject. | TODO: put SVGs in PythonView into "img" tag https://knime-com.atlassian.net/browse/AP-23772 | 2024-12-18 | |
329+
| **5.2.7** | Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject. | Improved Python View | 2024-12-18 | |
330330
| **5.2.8** | Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar. | We do sanitize user-supplied Markdown for node and parameter descriptions and disallow HTML. | 2024-12-18 | |
331331

332332
## V5.3 Output Encoding and Injection Prevention
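Review bot: two rows in this hunk replace tracked items with untracked statements. In 5.2.4, "In the long run, Python script execution should be sandboxed on executors" has no owner and no reference, so the row now neither asserts the control nor records how the gap is tracked; either mark it as a known gap with the compensating measure (the stated exemption for scripting nodes) or keep a reference to the work item. In 5.2.7, "Improved Python View" drops the only description of the mitigation: the removed line said SVGs in the Python View would be put in an "img" tag, which is what actually stops inline scripts and foreignObject content from executing. Write that out in the verification column, e.g. "SVG output in the Python View is rendered through an img element, so embedded scripts and foreignObject content do not execute", and bump the date if the change landed after 2024-12-18.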
@@ -335,10 +335,10 @@ This is a placeholder for future architectural requirements.
335335
| :---: | :--- | :---- | :---: | :---: |
336336
| **5.3.1** | Verify that output encoding is relevant for the interpreter and context required. For example, use encoders specifically for HTML values, HTML attributes, JavaScript, URL parameters, HTTP headers, SMTP, and others as the context requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes, such as ねこ or O'Hara). ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | 2024-12-18 | |
337337
| **5.3.2** | Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | The user can write files from scripts, but it's their responsibility to set the encoding. Otherwise not applicable as we do not provide output files. | 2024-12-18 | |
338-
| **5.3.3** | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | This was an issue of Python Views at some point, but was fixed by sandboxing https://knime-com.atlassian.net/browse/UIEXT-1729. | 2024-12-18 | |
338+
| **5.3.3** | Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | This was an issue of Python Views at some point, but was fixed by sandboxing. | 2024-12-18 | |
339339
| **5.3.4** | Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from database injection attacks. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rules [S3649](https://rules.sonarsource.com/java/RSPEC-3649/) and [S2077](https://rules.sonarsource.com/java/RSPEC-2077/) for Java programs. | 2024-12-18 ||
340-
| **5.3.5** | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Users have access to raw unsanitized input strings in columns and flow variables. If they use these when constructing an HTML view, they need to be aware that e.g. strings can contain (malicious) HTML code. https://knime-com.atlassian.net/browse/AP-23774 | 2024-12-18 | |
341-
| **5.3.6** | Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rules [S6398](https://rules.sonarsource.com/java/RSPEC-6398/) for Java programs. JSON handling in Python is mostly performed via dictionaries and not prone to injection attacks. For all other cases we set up the ticket https://knime-com.atlassian.net/browse/AP-23775. | 2024-12-18 | |
340+
| **5.3.5** | Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Users have access to raw unsanitized input strings in columns and flow variables. If they use these when constructing an HTML view, we document that they need to be aware that e.g. strings can contain HTML code. | 2024-12-18 | |
341+
| **5.3.6** | Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rules [S6398](https://rules.sonarsource.com/java/RSPEC-6398/) for Java programs. JSON handling in Python is mostly performed via dictionaries and not prone to injection attacks. | 2024-12-18 | |
342342
| **5.3.7** | Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rules [2078](https://rules.sonarsource.com/java/RSPEC-2078/) for Java programs. | 2024-12-18 ||
343343
| **5.3.8** | Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | Checked by Sonar rules [S2076](https://rules.sonarsource.com/java/RSPEC-2076/), [S5883](https://rules.sonarsource.com/java/RSPEC-5883/), and [S6350](https://rules.sonarsource.com/java/RSPEC-6350/) for Java programs. No subprocess or system calls in Python. | 2024-12-18 | |
344344
| **5.3.9** | Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. | Checked by Sonar rules [2083](https://rules.sonarsource.com/java/RSPEC-2083/) for Java programs. | 2024-12-18 | |
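Review bot: 5.3.6 previously acknowledged cases outside dictionary-based JSON handling ("For all other cases we set up the ticket ..."); the new wording keeps "mostly performed via dictionaries" but drops the follow-up, so the remaining cases are now silently unaddressed. Either state that those cases were reviewed and found not to apply, or keep a reference. In 5.3.5, "we document that they need to be aware" should say where this is documented (the node description or the Python extension documentation) so an auditor can check it, and the edit also loses the word "malicious", which is the point that documentation has to make. In 5.3.3, "fixed by sandboxing" with no reference is hard to verify; name the sandboxing mechanism that was applied to Python Views. As a style point in the unchanged context lines, the Sonar rule links for 5.3.7 and 5.3.9 are written as [2078] and [2083] while every other row uses the S prefix (S2078, S2083); and 5.3.6 and 5.3.7 say "rules" for a single rule.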
