potiuk commented on PR #677: URL: https://github.com/apache/creadur-rat/pull/677#issuecomment-4725079762
Thanks `Claudenw` and `ottlinger` — folded your review into the draft and pushed (THREAT_MODEL.md, +53/-21):

- **Archive handling (your Q on OOM):** confirmed as a gap. The unbounded in-memory extraction via Commons Compress `ArchiveStreamFactory` is now §9 (not a provided property), with the matching §10 downstream responsibility (sandbox / resource-limit RAT runs over untrusted archives) and a VALID-HARDENING disposition. Marked maintainer-confirmed.
- **XML/DOCTYPE (your "there is a PR to ensure we have this covered"):** I read that as the XXE-hardening question (§14 Q3). I've noted a hardening PR is in flight but left §8 #2 tentative pending the link — could you drop the PR number here so I can cite it? Once it lands I'll flip XXE to a provided property.
- **`ottlinger` — write mode:** good catch. RAT's `--addLicense` / editor mode *writes* headers into the audited tree; I've documented it explicitly in §2/§3 as operator-invoked on the operator's own (trusted) sources → it's OUT-OF-MODEL: trusted-input, but now stated rather than silent.
- **`ottlinger` — generated front-ends:** added a §2 note that CLI/Ant/Maven are generated from a common option core, so a security property (or gap) in the core transfers to all three UIs.
- **`ottlinger` — SECURITY.md / #671:** thanks, fixed the stale §15 line — it now reflects that #671 added SECURITY.md and this PR just appends the AGENTS.md -> SECURITY.md -> THREAT_MODEL.md pointer.

Still open if you have a moment (one line each is plenty): Q1 (confirm the untrusted-input case is the one to model), Q2 (RAT makes no network connections), Q5 (Whisker/Tentacles share the profile), and Q6 (want us to add the same pointer files to creadur-whisker/-tentacles, or will you?).

One note on CI: the failing "Build and analyze" (CodeQL) check is unrelated to this PR — it's a docs-only change (three .md files), so it isn't introducing or affected by that build job; looks pre-existing/flaky on the branch.
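As an added illustration of the §9 gap and the §10 mitigation discussed in the comment above (example code, not code from this PR or from Apache RAT): a reader that still opens archives through Commons Compress `ArchiveStreamFactory` but counts bytes as they are actually decompressed and aborts once a fixed budget is exceeded, instead of trusting header-declared sizes or buffering whole entries in memory. The class name, the limits and the callback point are constructed assumptions.

```java
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;

/** Hypothetical bounded archive reader (assumption: not part of RAT). */
public final class BoundedArchiveScan {
    // Constructed limits; a real deployment would make these configurable.
    private static final long MAX_ENTRY_BYTES = 8L * 1024 * 1024;   // per-entry cap
    private static final long MAX_TOTAL_BYTES = 64L * 1024 * 1024;  // whole-archive cap
    private static final int MAX_ENTRIES = 10_000;                   // entry-count cap

    /** Streams every entry; returns the entry count or throws before memory can be exhausted. */
    public static int scan(Path archive) throws IOException, ArchiveException {
        long total = 0;
        int entries = 0;
        try (InputStream in = new BufferedInputStream(Files.newInputStream(archive));
             // raw type keeps this compiling on both generic (>=1.25) and older Commons Compress
             ArchiveInputStream ais = new ArchiveStreamFactory().createArchiveInputStream(in)) {
            ArchiveEntry entry;
            byte[] buf = new byte[8192];
            while ((entry = ais.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("too many entries in " + archive);
                }
                // entry.getSize() is header-declared (may be -1 or wrong), so it is never
                // used for allocation; bytes are counted as they are really decompressed.
                long entryBytes = 0;
                int n;
                while ((n = ais.read(buf)) != -1) {
                    entryBytes += n;
                    total += n;
                    if (entryBytes > MAX_ENTRY_BYTES || total > MAX_TOTAL_BYTES) {
                        throw new IOException("decompression budget exceeded at " + entry.getName());
                    }
                    // hand buf[0..n) to the license-header scanner here (assumed callback)
                }
            }
        }
        return entries;
    }
}
```

Pairing this with an OS-level limit on the RAT process (memory ulimit or container limits) is the belt-and-braces form of the §10 recommendation, since the in-process cap only covers the archive path.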
