new category - code review

[elarlang]

We have some opened issues with requirement proposals which are not clearly input validation (but it's related).

The question is - where and with what name to create category for those

• Incomplete Regular Expression for Hostnames: Unescaped Dot Character #1600
• Missing Prototype Pollution Check in ASVS #1563
• Request for Adding Regular Expression Denial of Service Check to ASVS #1562
• Missing Type Juggling Vulnerability Checks in ASVS  #1539

Currently labeled as "tmp code-review": https://github.com/OWASP/ASVS/labels/tmp%20code-review

[tghosth]

Sanitization

Honestly, I think the first 3 would all be considered "Sanitization"

• Incomplete Regular Expression for Hostnames: Unescaped Dot Character #1600

  Add escape characters to regex

• Missing Prototype Pollution Check in ASVS #1563

  Sanitize input when dangerous objects are provided

• Request for Adding Regular Expression Denial of Service Check to ASVS #1562

  Sanitize input to avoid dangerous patterns are provided

Other

This last one I think is a different

• Missing Type Juggling Vulnerability Checks in ASVS  #1539

I would be inclined towards input validation because it is an input validation mechanism but they need to be performing the validation securely.

@elarlang, any other comments?

[elarlang]

If we consider "everything application uses is user input" we can fit everything to 5.* categories.

[tghosth]

Do you agree with my suggestion for the first 3?

(I am moving discussion on 4 back to the dedicated issue).

[tghosth]

Do you agree with my suggestion for the first 3?

@elarlang what do you think?

[elarlang]

I can see that 3 first ones have found their place in other categories and the last one is closed. Anyway, as there is not enought content for this category at the moment, I close it now. We can recall the idea any time when we need it.