[
https://issues.apache.org/jira/browse/RAT-558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085297#comment-18085297
]
ASF subversion and git services commented on RAT-558:
-----------------------------------------------------
Commit 18166cb9b264585b905212f64e07d13ae853df31 in creadur-rat's branch
refs/heads/feature/RAT-558 from Philipp Ottlinger
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=18166cb9 ]
RAT-558: Exclude MD from RAT scans
> Explain XXE-warnings in RAT code and add security guidelines to webpage and
> agents config to RAT repo
> -----------------------------------------------------------------------------------------------------
>
> Key: RAT-558
> URL: https://issues.apache.org/jira/browse/RAT-558
> Project: Apache RAT
> Issue Type: Improvement
> Affects Versions: 0.18
> Reporter: Philipp Ottlinger
> Priority: Major
> Fix For: 1.0.0
>
>
> Following the current XXE-warnings in GitHub it makes sense to document these
> for RAT's users:
> * add SECURITY.md - example:
> https://github.com/kubernetes/examples/blob/master/SECURITY.md
> * add security information to webpage and explain why we disable certain
> warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> h1. Claude's initial proposal taken from the mailing list: SECURITY.md
> - Configuration files and XSLT documents passed to RAT are
> operator-controlled configuration, not request input. Reports claiming SSRF
> / path traversal via these resolvers, on the assumption that the resource
> name is attacker-controlled, are out of scope under the documented threat
> model: xml and xslt authorship and resource configuration are privileged
> operations.
> - Applications that thread untrusted input into XML configuration or
> XSLT documents should validate that input before passing it to RAT; the
> responsibility for that validation rests with the application, not with RAT.
> h1. Agents.md taken from https://agentsmd.io/templates
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
