Copilot commented on code in PR #497: URL: https://github.com/apache/jspwiki/pull/497#discussion_r3353026852
########## THREAT_MODEL.md: ########## 
@@ -0,0 +1,421 @@ +<!-- +SPDX-License-Identifier: Apache-2.0 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +# Threat Model — Apache JSPWiki + +## §1 Header + +- **Project:** Apache JSPWiki — a feature-rich, WikiWiki-style engine built on + standard Java/Jakarta EE components (servlet container), with page content + authored in JSPWiki markup (or Markdown), server-side plugins and filters, file + attachments, and JAAS-based authentication plus per-page access control lists. +- **Modelled against:** `apache/jspwiki` default branch `master` (HEAD at time of writing, + 2026-05-31). Where a property differs between the `master` and `master-2.x` release lines, + the difference is called out inline; this document is intended to bind on both branches (§14.14). +- **Status:** **DRAFT — v0, maintainer-reviewed.** Produced by the ASF Security team via the + `threat-model-producer` rubric + (<https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573>) and revised to fold in the + JSPWiki PMC's §14 answers (PR review by `@juanpablo-santos`). Remaining *(inferred)* claims await + PMC ratification. +- **Version binding:** This model is versioned alongside the project. A report against + release *N* is triaged against the model as it stood at *N*, not at HEAD. +- **Reporting cross-reference:** Findings that violate a §8 property should be reported + privately per `SECURITY.md` / the ASF process (<https://www.apache.org/security/>). 
+ Findings that fall under §3 or §9 will be closed citing this document. +- **Provenance legend:** *(documented)* = stated in JSPWiki's own docs/README/source; + *(maintainer)* = confirmed by a JSPWiki PMC member; *(inferred)* = reasoned from code + structure or wiki-engine domain norms, **not yet confirmed** — every *(inferred)* claim + has a matching question in §14. +- **Draft confidence:** ~14 documented / ~16 maintainer / ~31 inferred. Wave-1 and most of + wave-2/3 §14 questions have been answered by the PMC; the residual *(inferred)* claims are + lower-leverage specifics still awaiting confirmation. + +JSPWiki is deployed as a web application (a WAR) inside a servlet container. Anonymous and +authenticated web users read and edit pages whose content is rendered from wiki markup to +HTML, may upload and download attachments, and may invoke server-side plugins and filters +embedded in page markup. Who may do what to which page is governed by per-page ACLs, wiki +groups, and a JAAS-backed authentication layer; the deploying operator controls the JVM +security policy (`WEB-INF/jspwiki.policy`), which plugin JARs are installed, and the page / +attachment / user-database storage backends. + +## §2 Scope and intended use + +Primary intended use *(documented)*: a self-hosted collaborative wiki served from a Java +servlet container, with page content collaboratively authored over HTTP, "very detailed +access control and security integration using JAAS" *(documented — README)*, and content +persisted via pluggable page/attachment providers (default: filesystem; +`jspwiki.fileSystemProvider.pageDir`, `jspwiki.basicAttachmentProvider.storageDir`) +*(documented — README)*. + +Caller roles (a web app has no single "caller") *(maintainer — role taxonomy confirmed)*: + +- **Anonymous client** — untrusted; whatever an unauthenticated HTTP request can reach. 
+- **Asserted identity** — a user who supplied a name via cookie but did **not** authenticate; + **asserted ≠ authenticated** *(maintainer)* — trusted only as a convenience label, never as an + identity for a security decision. +- **Authenticated user** — logged in via JAAS; trusted up to the permissions their roles/ACLs grant. +- **Wiki admin** — holds the `Admin` role / `AllPermission`-class grants; trusted for the instance. +- **Operator / deployer** — controls the WAR, `jspwiki.properties`, `jspwiki.policy`, installed + plugin JARs, and storage backends. Fully trusted; **out of model** as an adversary (§3). + +**Component-family table:** + +| Family | Representative entry point | Touches outside process | In model? | +| --- | --- | --- | --- | +| Wiki engine core (page CRUD, references) | `Edit.jsp` / `WikiEngine`, `jspwiki-main` | filesystem (pages) | **Yes** | +| Markup render → HTML | `jspwiki-main` render, `jspwiki-markdown` | no (CPU) | **Yes** | +| Plugins & filters (server-side, invoked from markup) | `[{Plugin}]`, `jspwiki-plugins`, filter chain | varies per plugin (net/fs) | **Yes** (invocation surface) | +| Attachments (upload/download/store) | `Attach.jsp`, `BasicAttachmentProvider` | filesystem | **Yes** | +| AuthN / AuthZ (JAAS, ACLs, groups, user DB) | `auth/*`, `Acl`, `UserManager` | user DB (XML/JDBC), JAAS | **Yes** | +| HTTP / session / UI (JSPs, forms) | `jspwiki-http`, `jspwiki-war` | network | **Yes** | +| Remote APIs (XML-RPC, RSS/Atom feeds) | `jspwiki-xmlrpc` | network | **Yes** on `master-2.x`; XML-RPC **removed** on `master` (§5a) *(maintainer)* | +| Search + content extraction | `jspwiki-tika-searchprovider`, `jspwiki-kendra-searchprovider` | filesystem; Tika parsers; (Kendra → AWS) | **Yes** (parser surface, when enabled) | +| WYSIWYG editor (client-side) | `jspwiki-wysiwyg` | browser only | No → §3 | Review Comment: These tables use a leading `||` which creates an empty first column in GitHub-flavored Markdown and can render 
misaligned. Consider switching to standard GFM table syntax (single leading `|` per row, without the extra empty column) to ensure consistent rendering across viewers. (This pattern appears in multiple tables in the document.) ########## SECURITY.md: ########## @@ -0,0 +1,35 @@ +<!-- +SPDX-License-Identifier: Apache-2.0 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +# Security Policy + +## Reporting a Vulnerability + +Apache JSPWiki follows the [Apache Software Foundation security process](https://www.apache.org/security/). +Please report suspected vulnerabilities **privately** to `[email protected]` (the JSPWiki PMC is +reachable at `[email protected]`). Do **not** open public GitHub issues or pull requests for +security reports. Review Comment: Please double-check that `[email protected]` is the intended mailbox for JSPWiki vulnerability reports. Many ASF projects use a project-specific `security@<project>.apache.org` list; if JSPWiki has one, directing reports to the general ASF address may delay triage or misroute sensitive details. ########## THREAT_MODEL.md: ########## 
@@ -0,0 +1,421 @@ +<!-- +SPDX-License-Identifier: Apache-2.0 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +# Threat Model — Apache JSPWiki + +## §1 Header + +- **Project:** Apache JSPWiki — a feature-rich, WikiWiki-style engine built on + standard Java/Jakarta EE components (servlet container), with page content + authored in JSPWiki markup (or Markdown), server-side plugins and filters, file + attachments, and JAAS-based authentication plus per-page access control lists. +- **Modelled against:** `apache/jspwiki` default branch `master` (HEAD at time of writing, + 2026-05-31). Where a property differs between the `master` and `master-2.x` release lines, + the difference is called out inline; this document is intended to bind on both branches (§14.14). Review Comment: The document hard-codes the default branch name as `master`, but this PR is being applied against a `main` baseline (per the diff base). To avoid the doc becoming wrong/outdated, consider wording this as “default branch” (without naming it) or update to the actual default branch name used in this repository. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
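Review bot: In the first THREAT_MODEL.md hunk, the component-family table's "Plugins & filters" row is in-model only as an "invocation surface" and its "Touches outside process" column reads "varies per plugin (net/fs)", yet neither §1 nor §2 says which caller role can reach that surface. The row itself says `[{Plugin}]` is "invoked from markup", and the §1 summary paragraph says anonymous and authenticated users "edit pages" and "may invoke server-side plugins and filters embedded in page markup". Add one sentence stating what bounds a page author's ability to run an installed plugin (the page-edit ACL, the operator-chosen plugin JAR set, the JVM `jspwiki.policy` named in §1, or all three); without it a reviewer cannot tell whether "a user who can edit a page can execute server-side code with the wiki's privileges" is an accepted property of the design or a §8 violation to report.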
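Review bot: In the SECURITY.md "Reporting a Vulnerability" hunk, the sentence that directs reports to one mailbox and then adds "(the JSPWiki PMC is reachable at ...)" shows both addresses as the same placeholder `[email protected]` in this diff, so the distinction between the private security address and the PMC list cannot be verified from the patch; confirm the literal addresses in the committed file. Naming the PMC address in the same sentence also invites reporters to send vulnerability details there; state that the PMC list is for non-sensitive questions only and that report contents go to the security address alone. The quoted part of the hunk also gives no acknowledgement timeframe and no guidance on what a report should contain (affected version, reproduction steps); consider adding both so reporters are not left guessing.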
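Review bot: In the `**Modelled against:**` bullet of this second THREAT_MODEL.md hunk, "HEAD at time of writing, 2026-05-31" is not a stable reference: a date does not identify a commit, and the same bullet says the document "is intended to bind on both branches" (`master` and `master-2.x`, §14.14), whose HEADs on any given date are different commits. Record the commit SHA or release tag the model was written against, one per branch; that also makes the "Version binding" rule in the first THREAT_MODEL.md hunk (a report against release N is triaged against the model "as it stood at N") checkable instead of aspirational.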
