[
https://issues.apache.org/jira/browse/RAT-558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092348#comment-18092348
]
ASF subversion and git services commented on RAT-558:
-----------------------------------------------------
Commit 47624aa3874c4428fb472e4bd335ec11a5654080 in creadur-rat's branch
refs/heads/RAT-541_create-testhelper_data-package from Jarek Potiuk
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=47624aa3 ]
RAT-558: Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md)
(#677)
* Add THREAT_MODEL.md and wire AGENTS.md/SECURITY.md to it
Rebased onto current master, which already added AGENTS.md and SECURITY.md.
Keeps both maintainer files and adds the detailed THREAT_MODEL.md plus the
AGENTS.md -> SECURITY.md -> THREAT_MODEL.md pointers.
Generated-by: Claude Opus 4.8 (1M context)
> Explain XXE-warnings in RAT code and add security guidelines to webpage and
> agents config to RAT repo
> -----------------------------------------------------------------------------------------------------
>
> Key: RAT-558
> URL: https://issues.apache.org/jira/browse/RAT-558
> Project: Apache RAT
> Issue Type: Improvement
> Affects Versions: 0.18
> Reporter: Philipp Ottlinger
> Assignee: Philipp Ottlinger
> Priority: Major
> Fix For: 1.0.0
>
>
> Following the current XXE-warnings in GitHub it makes sense to document these
> for RAT's users:
> * add SECURITY.md - example:
> https://github.com/kubernetes/examples/blob/master/SECURITY.md
> * add security information to webpage and explain why we disable certain
> warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> h1. Claude's initial proposal taken from the mailing list: SECURITY.md
> - Configuration files and XSLT documents passed to RAT are
> operator-controlled configuration, not request input. Reports claiming SSRF
> / path traversal via these resolvers, on the assumption that the resource
> name is attacker-controlled, are out of scope under the documented threat
> model: xml and xslt authorship and resource configuration are privileged
> operations.
> - Applications that thread untrusted input into XML configuration or
> XSLT documents should validate that input before passing it to RAT; the
> responsibility for that validation rests with the application, not with RAT.
> h1. Agents.md taken from https://agentsmd.io/templates
--
This message was sent by Atlassian Jira
(v8.20.10#820010)