milamberspace commented on code in PR #6709: URL: https://github.com/apache/jmeter/pull/6709#discussion_r3344845340
########## THREAT_MODEL.md: ########## 
@@ -0,0 +1,174 @@ +# Apache JMeter — Threat Model (v1 draft) + +> Built on Apache JMeter's existing security policy at +> <https://jmeter.apache.org/security.html>. That page's "Security Model" +> statements are lifted here verbatim as the *(documented)* core; this +> document adds the threat-model structure around them (adversary model, +> in/out scope, properties, known non-findings, triage dispositions). + +## §1 Header + +- **Project:** Apache JMeter (`apache/jmeter`), `master`, against which this draft was written. +- **Date:** 2026-06-02 (v0); **revised 2026-06-03** incorporating JMeter PMC review (vlsi, milamberspace). **Status:** draft v1 — Wave-1/2 questions ratified by the PMC; remaining items flagged below. **Author:** ASF Security team (drafted via the Scovetta threat-model rubric, building on JMeter's `security.html`), for PMC ratification. +- **Version binding:** versioned with the project; a report against version *N* is triaged against the model as it stood at *N*. +- **Reporting cross-reference:** §8-property violations → report privately per ASF process (`[email protected]` → `[email protected]`); §3/§9 findings are closed citing this document and `security.html`. +- **Provenance legend:** *(documented)* = JMeter's own docs/`security.html`/repo; *(maintainer)* = confirmed by a JMeter PMC member through this process; *(inferred)* = reasoned from architecture, not yet confirmed — each has a matching §14 open question. +- **Coexistence:** this model is a strict superset of `security.html`; nothing there is weakened. `security.html` stays the canonical reporting/policy page and should link here for the expanded model. +- **Draft confidence:** ~10 documented / ~12 maintainer / ~14 inferred (RMI-SSL posture, the open-vs-run line, Security-Manager status, and the SUT scope were confirmed from JMeter source by the PMC on 2026-06-03). +- **What JMeter is:** Apache JMeter is a Java load-/performance-testing tool. 
A user builds a **test plan** (a `.jmx` file) in the GUI or by hand, then runs it — in the GUI, in non-GUI/CLI mode, or distributed across a controller and remote engines — to drive load at a *system under test* and collect results. Test plans may contain scripting (JSR223/Groovy/BeanShell) and therefore arbitrary code. *(documented — README, security.html)* + +## §2 Scope and intended use + +- **Primary use:** a **user-run tool** — the person running JMeter authors (or obtains) the `.jmx`, points it at a target they are authorised to test, and runs it locally or across machines they control. *(documented — security.html)* Review Comment: **§2 — Suggested addition: authorized penetration testing as a recognized use case** JMeter is widely used — and distributed in penetration testing toolkits — as a tool for **authorized security assessments**, in addition to its primary load/performance testing purpose. Its scripting capabilities (JSR223/Groovy/BeanShell), parameterized datasets (CSV Dataset Config), and broad protocol support (HTTP, JDBC, LDAP, JMS, …) make it naturally suited for this work. This does **not** change the trust model: whether the operator is a performance engineer or an authorized pentester, they are the trusted party running a `.jmx` they control against a target they are authorized to test. **Suggested addition to §2** (after the "Primary use" bullet): > **Secondary / dual-use:** JMeter is used by security professionals as a tool for authorized penetration testing and security assessments — rate-limit testing, parameterized enumeration, fuzzing, and custom scenarios via scripting. This is a recognized legitimate use; the operator-trust model is unchanged. Conducting such tests against systems **without authorization** is a legal and ethical violation, already covered by §11. 
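Review bot: in the §1 "Reporting cross-reference" bullet both ends of the arrow render as the same placeholder, `[email protected]` → `[email protected]`, so the private reporting path the bullet exists to give cannot actually be followed from this document; spell out the two real addresses (the JMeter security list and the ASF security list) rather than relying on `security.html` for them. In the same section, the "Draft confidence" bullet still tallies ~14 items as *(inferred)* while its own parenthetical says four of them (RMI-SSL posture, the open-vs-run line, Security-Manager status, the SUT scope) were confirmed from source by the PMC on 2026-06-03; per the provenance legend those should be relabelled *(maintainer)*, the counts re-done, and their matching §14 open questions closed so the legend and the tallies agree.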
**Why it matters for triage:** without this acknowledgment, a report such as *"JMeter can be used to enumerate endpoints / perform credential stuffing / stress-test authentication"* might be filed as a vulnerability. With this addition, the triage answer is immediate: `BY-DESIGN / OUT-OF-MODEL: trusted-input` for authorized pentesting; §11 misuse for unauthorized use.

**Note:** §11 already carries *"Load-testing a third party's system without authorisation (also a legal issue)"* (line 123). The suggested §2 addition is the positive counterpart — acknowledging the legitimate use case that makes §11's boundary meaningful.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
