[
https://issues.apache.org/jira/browse/RAT-558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Philipp Ottlinger updated RAT-558:
----------------------------------
Description:
Following the current XXE-warnings in GitHub it makes sense to document these
for RAT's users:
* add SECURITY.md - example:
https://github.com/kubernetes/examples/blob/master/SECURITY.md
* add security information to webpage and explain why we disable certain
warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
h1. Claude's initial proposal taken from the mailing list: SECURITY.md
- Configuration files and XSLT documents passed to RAT are
operator-controlled configuration, not request input. Reports claiming SSRF
/ path traversal via these resolvers, on the assumption that the resource
name is attacker-controlled, are out of scope under the documented threat
model: xml and xslt authorship and resource configuration are privileged
operations.
- Applications that thread untrusted input into XML configuration or
XSLT documents should validate that input before passing it to RAT; the
responsibility for that validation rests with the application, not with RAT.
was:
Following the current XXE-warnings in GitHub it makes sense to document these
for RAT's users:
* add SECURITY.md - example:
https://github.com/kubernetes/examples/blob/master/SECURITY.md
* add security information to webpage and explain why we disable certain
warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> Explain XXE-warnings in RAT code and add security guidelines to webpage and
> RAT repo
> ------------------------------------------------------------------------------------
>
> Key: RAT-558
> URL: https://issues.apache.org/jira/browse/RAT-558
> Project: Apache RAT
> Issue Type: Improvement
> Affects Versions: 0.18
> Reporter: Philipp Ottlinger
> Priority: Major
> Fix For: 1.0.0
>
>
> Following the current XXE-warnings in GitHub it makes sense to document these
> for RAT's users:
> * add SECURITY.md - example:
> https://github.com/kubernetes/examples/blob/master/SECURITY.md
> * add security information to webpage and explain why we disable certain
> warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> h1. Claude's initial proposal taken from the mailing list: SECURITY.md
> - Configuration files and XSLT documents passed to RAT are
> operator-controlled configuration, not request input. Reports claiming SSRF
> / path traversal via these resolvers, on the assumption that the resource
> name is attacker-controlled, are out of scope under the documented threat
> model: xml and xslt authorship and resource configuration are privileged
> operations.
> - Applications that thread untrusted input into XML configuration or
> XSLT documents should validate that input before passing it to RAT; the
> responsibility for that validation rests with the application, not with RAT.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
