[jira] [Commented] (RAT-558) Explain XXE-warnings in RAT code and add security guidelines to webpage and agents config to RAT repo

Mon, 01 Jun 2026 12:48:11 -0700 


    [ 
https://issues.apache.org/jira/browse/RAT-558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18085296#comment-18085296
 ] 

ASF subversion and git services commented on RAT-558:
-----------------------------------------------------

Commit 334dcc9307d5b83f5599a4cf0cef51865b316046 in creadur-rat's branch 
refs/heads/feature/RAT-558 from Philipp Ottlinger
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=334dcc93 ]

RAT-558: Add AGENTS.md as a starting point


> Explain XXE-warnings in RAT code and add security guidelines to webpage and 
> agents config to RAT repo
> -----------------------------------------------------------------------------------------------------
>
>                 Key: RAT-558
>                 URL: https://issues.apache.org/jira/browse/RAT-558
>             Project: Apache RAT
>          Issue Type: Improvement
>    Affects Versions: 0.18
>            Reporter: Philipp Ottlinger
>            Priority: Major
>             Fix For: 1.0.0
>
>
> Following the current XXE-warnings in GitHub it makes sense to document these 
> for RAT's users:
> * add SECURITY.md - example: 
> https://github.com/kubernetes/examples/blob/master/SECURITY.md
> * add security information to webpage and explain why we disable certain 
> warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> h1. Claude's initial proposal taken from the mailing list: SECURITY.md
>   - Configuration files and XSLT documents passed to RAT are
> operator-controlled configuration, not request input. Reports claiming SSRF
> / path traversal via these resolvers,  on the assumption that the resource
> name is attacker-controlled, are out of scope under the documented threat
> model: xml and xslt authorship and resource configuration are privileged
> operations.
>    - Applications that thread untrusted input into XML configuration or
> XSLT documents should validate that input before passing it to RAT; the
> responsibility for that validation rests with the application, not with RAT.
> h1. Agents.md taken from https://agentsmd.io/templates



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to