Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: Authorization_Cheat_Sheet.md #1563

Open
brandonaltermatt opened this issue Dec 18, 2024 · 2 comments
Open

Update: Authorization_Cheat_Sheet.md #1563

brandonaltermatt opened this issue Dec 18, 2024 · 2 comments
Assignees
@brandonaltermatt
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@brandonaltermatt
Copy link
Contributor

What is missing or needs to be updated?

The section in the authorization cheat sheet that discusses access control error handling should be supplemented with a warning not to surface sensitive information in error messages. This is a relatively common vulnerability, and it belongs in a high-level description of proper error handling for authorization failures.

How should this be resolved?

A single bullet point addressing this vulnerability with a link to the CWE (here) would be enough to bring this to the attention of readers. E.g:
@brandonaltermatt brandonaltermatt added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Dec 18, 2024
@jmanico
Copy link
Member

jmanico commented Dec 19, 2024

+1 I like this idea. Do you want to PR for us?

@brandonaltermatt
Copy link
Contributor Author

Sure thing, I can put out a PR shortly.

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. labels Dec 19, 2024
@brandonaltermatt brandonaltermatt mentioned this issue Dec 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brandonaltermatt brandonaltermatt

Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jmanico @brandonaltermatt @mackowski