potiuk commented on PR #61: URL: https://github.com/apache/tapestry-5/pull/61#issuecomment-4763058324
Thanks @benweidig — that's a thorough set of answers, folded into `THREAT_MODEL.md` (pushed). What changed:

- **HMAC passphrase when unset (Q1)** — corrected my "fail-closed" assumption: it's currently a **loud error** (logged + an AlertManager client-side alert), *not* a hard startup failure. Noted the planned prod-mode startup failure ([TAP5-2834](https://issues.apache.org/jira/browse/TAP5-2834)) in §5a/§8.1/§9.
- **Output escaping (Q2)** — confirmed escaped-by-default; raw is explicit opt-in via `MarkupWriter.writeRaw`/`OutputRaw`, and I added your point that any *unchecked* internal-component passthrough should be treated as a bug. §8.2.
- **Asset traversal (Q3)** — captured the "container normalization + Tapestry's own sensitive-extension exclusions, could be improved" framing. §8.3.
- **Whitelist + secure-link (Q4)** — `LocalhostOnly` default; `@Secure`-driven HTTPS, prod-default, `tapestry.secure-enabled` toggle. Also noted the over-restrictive shortened-IPv6 bug ([TAP5-2832](https://issues.apache.org/jira/browse/TAP5-2832)) as a correctness (not bypass) issue. §8.4/§8.5.
- **CSRF (Q5)** — added a clear §9 disclaimer: **no built-in CSRF**; HMAC guards invalid requests but valid-request CSRF is the app's responsibility until a built-in lands, with the porscheinformatik prior-art link.

Still open for the PMC when you have a moment: the §11a non-findings list (wave 3, Q6/Q7) — happy to refine it from whatever scanners most often mis-report against Tapestry. (@thiagohp — your test-scope answer is already folded into §3/§11a.)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
