markt-asf commented on PR #25:
URL: https://github.com/apache/commons-jxpath/pull/25#issuecomment-1282259720

Please note it is highly likely that all the CVEs issued by Google / oss-fuzz for JXPath without consultation with the ASF and in breach of the rules for CNAs will be resolved as invalid.

Separately, if JXPath opts to provide a feature or features to support users who wish to process untrusted input without validation or sanitisation then a deny list would never be acceptable. A possible approach would be an allow list that defaults to everything that users could then narrow if they wish.

For the avoidance of doubt, my current position is that JXPath is intended to be used with trusted input. I haven't performed an in-depth review of JXPath, so if anyone is aware of reasons why JXPath should be expected to handle untrusted input safely, please speak up.

