This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-xmlschema.git
The following commit(s) were added to refs/heads/master by this push:
new 62236c59 Reviewed threat model, removed draft (#110)
62236c59 is described below
commit 62236c597cdbc55aa368bdc8ed5298fa5152e5e4
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Jul 10 12:21:22 2026 +0100
Reviewed threat model, removed draft (#110)
---
draft-THREAT-MODEL.md => THREAT-MODEL.md | 34 +++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/draft-THREAT-MODEL.md b/THREAT-MODEL.md
similarity index 96%
rename from draft-THREAT-MODEL.md
rename to THREAT-MODEL.md
index ee675a41..40ae0ce8 100644
--- a/draft-THREAT-MODEL.md
+++ b/THREAT-MODEL.md
@@ -17,7 +17,7 @@
under the License.
-->
-# Apache XMLSchema Security Threat Model (draft)
+# Apache XMLSchema Security Threat Model
## §1 Header
@@ -25,29 +25,29 @@
that can be used to manipulate and generate XML schema
representations"* *(documented: `README.txt`)*.
- **Repository**: `apache/ws-xmlschema`.
-- **Version / commit**: this model is drafted against the default branch
+- **Version / commit**: this model is based on the default branch
at clone time. A report against project release *N* should be triaged
against the model as it stood at *N*, not at HEAD. Latest release
documented in `RELEASE-NOTE.txt`: 2.3.0.
- **Date**: 2026-05-30.
-- **Authors**: ASF Security team draft, awaiting XMLSchema / Webservices
+- **Authors**: ASF Security team, awaiting XMLSchema / Webservices
PMC review.
-- **Status**: draft — under maintainer review.
+- **Status**: under maintainer review.
- **Reporting**: vulnerabilities that fall under §8 (claimed
properties) should be reported per the Apache Security Team disclosure
channel (<https://www.apache.org/security/>); reports that fall under
§3 (out of scope) or §9 (properties not provided) will be closed by
XMLSchema triagers citing this document. The project does not ship
- an in-repo `SECURITY.md` at draft time *(inferred — §14 Q1)*.
+ an in-repo `SECURITY.md` at assessment time *(inferred — §14 Q1)*.
- **Provenance legend** —
*(documented)* = drawn from in-repo docs / source comments / project
website with citation;
*(maintainer)* = stated by an XMLSchema maintainer in response to this
- draft;
+ threat model;
*(inferred)* = synthesized by the producer from code structure or
domain knowledge, awaiting PMC ratification (every *(inferred)* tag has
a matching §14 question).
-- **Draft confidence**: 21 documented / 0 maintainer / 24 inferred.
+- **Model confidence**: 21 documented / 0 maintainer / 24 inferred.
XMLSchema is a Java library that parses, models, walks, and serializes
W3C XML Schema documents (`.xsd` files). It is *not* a document
@@ -472,6 +472,26 @@ The embedding Java application **must**:
7. Run on a release-supported branch (currently 2.3.0 line)
*(documented: `RELEASE-NOTE.txt`)*.
+The embedding Java application **should** additionally implement these
+defense-in-depth controls:
+
+1. Enforce URL scheme and destination restrictions in the resolver:
+ allow only `https://` to approved hosts; deny `file://`, `jar:`,
+ loopback, link-local, and RFC1918/private address ranges.
+2. Set explicit XML parser anti-XXE features in addition to
+ `FEATURE_SECURE_PROCESSING=true`: `disallow-doctype-decl=true`,
+ `external-general-entities=false`, and
+ `external-parameter-entities=false`.
+3. Apply import-fetch budgets at the caller boundary: maximum import
+ depth, total imported bytes, and total import count per top-level
+ parse.
+4. Use connect/read timeouts for import fetches and fail closed on
+ timeout or policy-check errors.
+5. Log import-resolution decisions (requested URI, normalized target,
+ allow/deny result, reason) for incident response and triage.
+6. Prefer integrity-controlled schema sources (pinned internal mirror
+ or checksum-verified artifacts) instead of live internet fetches.
+
## §11 Known misuse patterns
- **Passing an attacker-controlled `.xsd` to