ppkarwasz commented on code in PR #22: URL: https://github.com/apache/commons-xml/pull/22#discussion_r3552372386
########## src/site/markdown/threat_model.md: ########## @@ -78,21 +78,20 @@ listed below. Which hardening recipe applies depends on the JAXP implementation **System properties that modify behavior** -When a factory or parser is created, the library reads the following JDK system properties and pins each value on every -recognized parser, including bundled ones that ignore `jdk.xml.*` on their own. If a property is unset, the fixed value -shown applies (matching the JDK 25 secure default), regardless of the JDK in use. These properties are trusted -deployment configuration: an operator may set one to tighten (or loosen) a limit globally, but loosening through one is -reconfiguration, treated like loosening any other reserved setting (see [What is out of scope](#what-is-out-of-scope)). - -- `jdk.xml.elementAttributeLimit`: `200` -- `jdk.xml.entityExpansionLimit`: `2500` -- `jdk.xml.entityReplacementLimit`: `100000` -- `jdk.xml.maxElementDepth`: `100` -- `jdk.xml.maxGeneralEntitySizeLimit`: `100000` -- `jdk.xml.maxOccurLimit`: `5000` -- `jdk.xml.maxParameterEntitySizeLimit`: `15000` -- `jdk.xml.maxXMLNameLimit`: `1000` -- `jdk.xml.totalEntitySizeLimit`: `100000` +The library reads no system property of its own. It enables secure processing (`FEATURE_SECURE_PROCESSING`) on every +recognized parser and leaves the resulting processing limits (entity expansion, element depth, attribute count, and +similar) at the implementation's own secure default. Those defaults differ by implementation, and on the stock JDK by +JDK version and the standard `jdk.xml.*` limit properties the JDK itself reads: Review Comment: Fixed in https://github.com/apache/commons-xml/pull/22/commits/67353b1dc2b70376183c6c917b5a17e580db1cd1 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
