mattrpav commented on PR #4924: URL: https://github.com/apache/activemq-artemis/pull/4924#issuecomment-2101343221
I agree w/ @cshannon here. There should be a setting to support honoring a valid list of package names -- there could even be an out-of-the-box default end-users could use to avoid having to change the allowed package name configuration, e.g. "org.apache.activemq.artemis.divert.transform.custom", etc. At a minimum, this cuts out attack vectors that leverage using problematic classes from 3rd party dependencies.

I think this is one of those "cover our bases" type situations where there needs to be a configuration to prevent it in the event of a security event -- even if it is always the end-user's fault. The first question isn't going to be a rational discussion about the facts around what the end-user may have misconfigured, it is going to be: "Why didn't Artemis have a config to prevent this?"
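The package allow-list the comment asks for, sketched as an added example. This is not Artemis code and not from the PR; the class name `TransformerClassAllowList`, the comma-separated config format, and the default package `org.apache.activemq.artemis.divert.transform.custom` (taken from the comment's suggestion) are all assumptions. The point it demonstrates is the check a broker would apply before loading a configured transformer class: the class's package must equal an allowed package or sit beneath it on a `.` boundary, so a prefix such as `com.example.transformers` does not accidentally admit `com.example.transformersX`, and the default package and JVM descriptor syntax are rejected outright.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Hypothetical allow-list gate for transformer class names (example only,
 * not part of Artemis). A class is loadable only if its package is one of
 * the configured packages or a sub-package of one of them.
 */
public final class TransformerClassAllowList {

    /** Assumed out-of-the-box default, mirroring the comment's suggestion. */
    public static final String DEFAULT_ALLOWED_PACKAGES =
            "org.apache.activemq.artemis.divert.transform.custom";

    private final Set<String> allowedPackages;

    /** @param configValue comma-separated package names (assumed config format) */
    public TransformerClassAllowList(String configValue) {
        this.allowedPackages = Arrays.stream(configValue.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toUnmodifiableSet());
    }

    /** True if the fully-qualified class name falls inside an allowed package. */
    public boolean isAllowed(String className) {
        if (className == null || className.isEmpty()) {
            return false;
        }
        // Reject JVM descriptor / array syntax; only plain dotted names are accepted.
        if (className.startsWith("[") || className.endsWith(";") || className.indexOf('/') >= 0) {
            return false;
        }
        int idx = className.lastIndexOf('.');
        if (idx <= 0) {
            return false; // default (unnamed) package is never allowed
        }
        String pkg = className.substring(0, idx);
        for (String allowed : allowedPackages) {
            // Exact match, or a sub-package split on a '.' boundary so that
            // "com.example.transformers" does not admit "com.example.transformersX".
            if (pkg.equals(allowed) || pkg.startsWith(allowed + ".")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the class only after the allow-list check passes. Initialization is
     * deferred (initialize=false) so no static initializer runs during lookup;
     * the caller decides when to instantiate.
     */
    public Class<?> loadTransformerClass(String className, ClassLoader loader)
            throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new IllegalArgumentException(
                    "transformer class is not in an allowed package: " + className);
        }
        return Class.forName(className, false, loader);
    }

    public static void main(String[] args) {
        // Constructed config: the assumed default plus one operator-added package.
        TransformerClassAllowList gate = new TransformerClassAllowList(
                DEFAULT_ALLOWED_PACKAGES + ", com.example.transformers");

        String[] candidates = {
                "org.apache.activemq.artemis.divert.transform.custom.MyTransformer",
                "com.example.transformers.nested.HeaderRewriter",
                "com.example.transformersX.LookAlike",
                "some.thirdparty.lib.UnexpectedClass",
                "NoPackageClass",
                "[Lcom.example.transformers.HeaderRewriter;"
        };
        for (String c : candidates) {
            System.out.println((gate.isAllowed(c) ? "allow  " : "reject ") + c);
        }
    }
}
```

Wiring this into a broker would mean reading the comma-separated value from the broker configuration (the exact key is not defined on this page) and routing every transformer class lookup through `loadTransformerClass` instead of a bare `Class.forName`, so a mis-set transformer name fails at configuration time rather than loading an arbitrary class from the classpath.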
