[ 
https://issues.apache.org/jira/browse/RAT-558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18093701#comment-18093701
 ] 

ASF subversion and git services commented on RAT-558:
-----------------------------------------------------

Commit 47624aa3874c4428fb472e4bd335ec11a5654080 in creadur-rat's branch 
refs/heads/make-license-collections-unmodifiable from Jarek Potiuk
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=47624aa3 ]

RAT-558: Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md) 
(#677)

* Add THREAT_MODEL.md and wire AGENTS.md/SECURITY.md to it

Rebased onto current master, which already added AGENTS.md and SECURITY.md. 
Keeps both maintainer files and adds the detailed THREAT_MODEL.md plus the 
AGENTS.md -> SECURITY.md -> THREAT_MODEL.md pointers.

Generated-by: Claude Opus 4.8 (1M context)

> Explain XXE-warnings in RAT code and add security guidelines to webpage and 
> agents config to RAT repo
> -----------------------------------------------------------------------------------------------------
>
>                 Key: RAT-558
>                 URL: https://issues.apache.org/jira/browse/RAT-558
>             Project: Apache RAT
>          Issue Type: Improvement
>    Affects Versions: 0.18
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>            Priority: Major
>             Fix For: 1.0.0
>
>
> Following the current XXE-warnings in GitHub it makes sense to document these 
> for RAT's users:
> * add SECURITY.md - example: 
> https://github.com/kubernetes/examples/blob/master/SECURITY.md
> * add security information to webpage and explain why we disable certain 
> warnings in SonarCloud's static XXE detection (XXE_DOCUMENT)
> h1. Claude's initial proposal taken from the mailing list: SECURITY.md
>   - Configuration files and XSLT documents passed to RAT are
> operator-controlled configuration, not request input. Reports claiming SSRF
> / path traversal via these resolvers,  on the assumption that the resource
> name is attacker-controlled, are out of scope under the documented threat
> model: xml and xslt authorship and resource configuration are privileged
> operations.
>    - Applications that thread untrusted input into XML configuration or
> XSLT documents should validate that input before passing it to RAT; the
> responsibility for that validation rests with the application, not with RAT.
> h1. Agents.md taken from https://agentsmd.io/templates



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to