milamberspace commented on PR #6709:
URL: https://github.com/apache/jmeter/pull/6709#issuecomment-4607505222

**Q5 (hostile SUT) — confirmed out of model**

Agreed — no in-model carve-out needed.

The trust boundary is clear: an operator tests only systems they own or are authorised to test. Parser robustness against a hostile SUT (XXE on XPath Extractor, ReDoS on regex patterns, unbounded response sizes) is desirable hardening, but classifying it as a claimed security property would essentially mean saying "JMeter is safe to point at attacker-controlled infrastructure" — which is not the intended use case and would be an untenable claim.

Classification: **VALID-HARDENING** (internal audit track, not an in-model threat). §9 "safe response handling — UNSPECIFIED / best-effort" is the right framing.

The current v1 wording works well. §14 wave 2 can be fully marked answered.

