potiuk commented on PR #677: URL: https://github.com/apache/creadur-rat/pull/677#issuecomment-4763029948
Thanks @ottlinger and @Claudenw — that's everything we needed. I've folded all your answers into `THREAT_MODEL.md` (pushed). Summary of what changed: - **Trust posture (Q1)** — confirmed and now `(maintainer)`: RAT config (XSLT, config files, license defs, custom matchers) is operator-trusted; the *scanned files* are the untrusted surface. §2/§7. - **No network (Q2)** — confirmed `(maintainer)`. Added your XSLT `xsl:include` nuance: the one operator-reachable way out is a remote `xsl:include`, and since stylesheets are trusted config that's `OUT-OF-MODEL`. §5/§8 #3. - **XXE (Q3)** — external entities are **disabled**, so §8 #2 is now a **provided** property (was tentative); noted PR #679 as the DOCTYPE-hardening follow-up, and the JAXP-system-properties configurability. §5/§5a/§8. - **Archive bound (Q4)** — kept as a disclaimed §9 gap (no bound, OOM not guarded). - **Path handling** — corrected a phantom risk: since RAT reads entries into memory and **never extracts to disk**, there's no zip-slip / path-traversal-on-write surface. An entry label like `bar/baz.zip#/junk.txt` is just a report string. §6/§9. - **Whisker/Tentacles (Q5/Q6)** — scoped this PR to `creadur-rat` per your preference; the sibling pointer files are a deferred follow-up. With every §14 question answered, the model is ready to ratify whenever the PMC's happy with it. (The red check is the CodeQL "Build and analyze" job, which is unrelated to these doc-only changes — all 13 build/test matrix jobs pass.) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
