RAT is a development tool. As such we expect our users to properly sanitize any XML and XSLT input.

On another project I work on, Security recently suggested they add a statement in the SECURITY.md file to explicitly call out this expectation. I think we should do the same. I believe that our text should read something like:

- Configuration files and XSLT documents passed to RAT are operator-controlled configuration, not request input. Reports claiming SSRF / path traversal via these resolvers, on the assumption that the resource name is attacker-controlled, are out of scope under the documented threat model: XML and XSLT authorship and resource configuration are privileged operations.
- Applications that thread untrusted input into XML configuration or XSLT documents should validate that input before passing it to RAT; the responsibility for that validation rests with the application, not with RAT.

I think that if we add a security file with the above statements we can disable the XXE_DOCUMENT issue in SpotBugs.

Claude
--
LinkedIn: http://www.linkedin.com/in/claudewarren
