potiuk commented on PR #6709: URL: https://github.com/apache/jmeter/pull/6709#issuecomment-4618269128
Thanks @milamberspace and @vlsi — pushed a revision addressing the review:

- **Security Manager:** dropped the recommendation; reframed as removed on JDK 24+ (JEP 486), not a forward defense, with the JDK 17 / 18–23 / 24 table. OS-level isolation (container / systemd / dedicated user) is the replacement story.
- **Hostile-SUT responses (§6–§8 contradiction):** resolved — a hostile system-under-test's responses (XXE/ReDoS) are out-of-model (`VALID-HARDENING` at most), now consistent across §3/§6/§7/§8/§9/§11a.
- **Opening vs running (§14 Q4):** formalized — opening a `.jmx` is safe *iff* you trust the existing classes in the distribution (deserialization → existing-class init); new-class instantiation / unanticipated execution is a vuln. Marked answered.
- **HTTPS recording proxy:** added ProxyControl as a modeled surface (CA-key boundary, `proxy.cert.validity` default, operator duties, proxy-port non-finding).
- Added five §11a known-non-findings (Runtime.exec, reflection, proxy port, `changeit`, XXE) and folded your §14 Wave-1/2 answers in as *(maintainer)*; corrected the jmeter-server bind story (not loopback-restricted by default).

Two items I left as §14 questions rather than guess: the exact XStream allowlist mechanism (a static `org.apache.jmeter.**` would break third-party plugins — classloader vs manifest vs denylist), and the `security.html` backlink / reference Dockerfile (separate-file follow-ups).

WDYT?
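The "opening a `.jmx` is safe iff you trust the existing classes" point and the open XStream allowlist question both come down to one mechanism: XStream only instantiates classes its security framework permits. The following is an added illustration (not JMeter's code, and not the allowlist JMeter actually uses, which the comment above leaves unresolved) of how an explicit allowlist makes unmarshalling of an unlisted type fail with `ForbiddenClassException` instead of instantiating it. `TrustedElement` and `PluginElement` are hypothetical stand-ins for a shipped test element and a third-party plugin type; the two XML documents are constructed sample input. `allowTypes` is used with concrete classes; `allowTypesByWildcard(new String[]{"org.apache.jmeter.**"})` would be the static-pattern variant that, as noted above, excludes plugin packages.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;

/** Added example: allowlisted XStream unmarshalling (not JMeter's own configuration). */
public class XStreamAllowlistDemo {

    /** Hypothetical element that ships with the distribution (trusted to be initialised). */
    public static class TrustedElement {
        public String name;
    }

    /** Hypothetical third-party plugin element, deliberately left off the allowlist. */
    public static class PluginElement {
        public String name;
    }

    /** Constructed sample input: a document that only references the trusted element. */
    static final String TRUSTED_XML = "<trusted><name>sampler-1</name></trusted>";

    /** Constructed sample input: a document that references the unlisted plugin element. */
    static final String PLUGIN_XML = "<plugin><name>plugin-1</name></plugin>";

    /** Builds an XStream instance that refuses every type not explicitly allowed. */
    static XStream hardened() {
        XStream xs = new XStream();
        // Clear any default permissions so the allowlist below is the only thing that grants access
        // (XStream 1.4.18+ already starts allowlist-only; this keeps older versions consistent).
        xs.addPermission(NoTypePermission.NONE);
        xs.allowTypes(new Class[] { TrustedElement.class });
        // Aliases map element names to classes; they do not bypass the security check.
        xs.alias("trusted", TrustedElement.class);
        xs.alias("plugin", PluginElement.class);
        return xs;
    }

    /** Unmarshals a document whose types are all on the allowlist and returns the element name. */
    static String loadTrusted(String xml) {
        TrustedElement el = (TrustedElement) hardened().fromXML(xml);
        return el.name;
    }

    /** Returns true when the document is rejected because it names a type outside the allowlist. */
    static boolean isRejected(String xml) {
        try {
            hardened().fromXML(xml);
            return false; // type was instantiated: it was on the allowlist
        } catch (ForbiddenClassException e) {
            return true;  // refused before any constructor or static initialiser ran
        }
    }

    public static void main(String[] args) {
        System.out.println("trusted element name: " + loadTrusted(TRUSTED_XML));
        System.out.println("plugin document rejected: " + isRejected(PLUGIN_XML));
    }
}
```

The practical consequence for the threat model is the one stated in the comment: with an allowlist in place, loading a file can only initialise classes that are already on it, so the residual risk is whatever those classes do in their constructors and static initialisers; extending the allowlist to plugin packages (by classloader, manifest or otherwise) widens that set, which is exactly the trade-off left open in §14.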
