proposal: merge duplicate parameter-binding requirement from C9.7.2 into C9.2.2#442
Merged
ottosulin merged 4 commits intoOWASP:mainfrom Mar 26, 2026
Conversation
ottosulin
requested changes
Mar 24, 2026
Collaborator
ottosulin
left a comment
ottosulin
left a comment
There was a problem hiding this comment.
Good catch on the duplication! I think your assessment is correct: C9.2.2 and C9.7.2 were describing the same control mechanism just from two different angles.
I think this proposal combines the properties correctly into one requirement. The "explicit user intent confirmation" aspect from old C9.7.2 is not lost because C9.2.1 already mandates "explicit human-in-loop approval" for privileged/irreversible actions.
Regarding compound requirements: the merged text has three verifiable properties: (1) present exact parameters, (2) integrity-protect & bind, (3) expire quickly. These are tightly coupled and they all describe properties of a single approval event. An auditor would in practice check one mechanism, not three separate systems. So this is acceptable coupling.
A suggestion for minor rewording:
Verify that approval requests present the exact action parameters (diff/command/recipient/amount/scope), that the resulting approval is integrity-protected and bound to those parameters, and that approvals expire after a short time window to prevent stale or substituted approvals.
The change:
- "expire quickly" -> "expire after a short time window" (slightly more testable/auditable than word "quickly" which is more subjective, whereas "short time window" implies a configurable TTL an auditor can check exists.
- Also removed the double phrasing at the end ("approve one thing, execute another" + "stale or substituted approvals" was redundant; one explanation suffices).
RicoKomenda
force-pushed
the
discuss/dedup-c9-approval-parameter-binding
branch
from
1e27fa7 to
556e68c
Compare
jmanico
reviewed
Mar 24, 2026
| | :--: | --- | :---: | :--: | | ||
| | **9.2.1** | **Verify that** privileged or irreversible actions (e.g., code merges/deploys, financial transfers, user access changes, destructive deletes, external notifications) require explicit human-in-loop approval. | 1 | D/V | | ||
| | **9.2.2** | **Verify that** approval requests present the exact action parameters (diff/command/recipient/amount/scope) and bind approvals to those parameters to prevent "approve one thing, execute another." | 2 | D/V | | ||
| | **9.2.2** | **Verify that** approval requests present the exact action parameters (diff/command/recipient/amount/scope), that the resulting approval is integrity-protected and bound to those parameters, and that approvals expire after a short time window to prevent stale or substituted approvals. | 2 | D/V | |
Member
There was a problem hiding this comment.
This looks like 4 different requirements:
- Verify that approval requests display canonicalized and complete action parameters (diff, command, recipient, amount, scope) without truncation or transformation.
- Verify that approvals are cryptographically bound (e.g., signed or MACed) to the exact action parameters, requester identity, and execution context.
- Verify that approvals include a unique nonce and are single-use to prevent replay or substitution.
- Verify that approvals expire within a defined maximum time-to-live (TTL) and are rejected after expiration.
| | **9.7.2** | **Verify that** high-impact actions require explicit user intent confirmation that is integrity-protected and bound to the exact action parameters (and expires quickly) to prevent stale or substituted approvals. | 2 | D/V | | ||
| | **9.7.3** | **Verify that** post-condition checks confirm the intended outcome and detect unintended side effects; any mismatch triggers containment (and compensating actions where supported). | 2 | V | | ||
| | **9.7.4** | **Verify that** prompt templates and agent policy configurations are integrity-verified at load time against their approved versions (e.g., via hashes or signatures). | 3 | D/V | | ||
| | **9.7.2** | **Verify that** post-condition checks confirm the intended outcome and detect unintended side effects; any mismatch triggers containment (and compensating actions where supported). | 2 | V | |
Member
There was a problem hiding this comment.
This looks like maybe three requirements.
- Verify that post-execution checks confirm the intended outcome.
- Verify that post-execution checks detect unintended side effects.
- Verify that any mismatch between intended outcome and actual results triggers containment and, where supported, compensating actions.
I'm not sure what the best level of reduction is, but breaking these up into smaller requirements make them more actionable and easier to test!
…nto C9.2.2 C9.2.2 and C9.7.2 both addressed the same attack — binding approvals to exact action parameters to prevent "approve one thing, execute another" / substituted approvals. The core requirement was duplicated across two sections (C9.2 HITL approval gates, C9.7 intent verification). Resolution: - Enrich C9.2.2 with the unique aspects of C9.7.2 (integrity-protection of the approval itself, expiry) so all three properties live together: present parameters → integrity-protect the approval → bind to params → expire - Remove old C9.7.2 (now covered by C9.2.2) - Renumber C9.7.3 → C9.7.2 and C9.7.4 → C9.7.3 This is a PROPOSAL for discussion — please review whether the merged wording captures the full intent of both original controls before merging.
- 'expire quickly' → 'expire after a short time window' (more auditable;
implies a configurable TTL an auditor can verify exists)
- removed redundant double phrasing at end ('approve one thing, execute
another' + 'stale or substituted approvals'); one explanation suffices
…anico review on PR OWASP#442 - 9.2.2 display of canonicalized parameters (was merged with binding, nonce, TTL) - 9.2.3 cryptographic binding of approval to parameters, identity, context - 9.2.4 unique nonce + single-use to prevent replay/substitution - 9.2.5 TTL expiry — approvals rejected after expiration - 9.2.6 rollback / compensating actions (renumbered from 9.2.3) - 9.7.2 post-execution: confirm intended outcome - 9.7.3 post-execution: detect unintended side effects - 9.7.4 mismatch triggers containment + compensating actions - 9.7.5 prompt template integrity (renumbered from 9.7.3)
RicoKomenda
force-pushed
the
discuss/dedup-c9-approval-parameter-binding
branch
from
556e68c to
60dc829
Compare
ottosulin
requested changes
Mar 25, 2026
| | **9.7.2** | **Verify that** post-execution checks confirm the intended outcome was achieved. | 2 | V | | ||
| | **9.7.3** | **Verify that** post-execution checks detect unintended side effects. | 2 | V | | ||
| | **9.7.4** | **Verify that** any mismatch between intended outcome and actual results triggers containment and, where supported, compensating actions. | 2 | V | | ||
| | **9.7.5** | **Verify that** prompt templates and agent policy configurations are integrity-verified at load time against their approved versions (e.g., via hashes or signatures). | 3 | D/V | |
Collaborator
There was a problem hiding this comment.
I would add to the end ".. if retrieved from a remote source"
Prompt templates can be included in the source code, no need to check in that case.
… on PR OWASP#442 Prompt templates included in source code do not require load-time integrity verification against an approved version — only those retrieved from a remote source do.
ottosulin
approved these changes
Mar 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
C9.2.2 and C9.7.2 both addressed the same attack - binding approvals to exact action parameters to prevent "approve one thing, execute another" / substituted approvals. The core requirement was duplicated across two sections (C9.2 HITL approval gates, C9.7 intent verification).
Resolution:
This is a PROPOSAL for discussion - please review whether the merged wording captures the full intent of both original controls before merging.