The GitHub Actions job "Java CI" on commons-xml.git/feature/resolver-floor has 
failed.
Run started by GitHub user ppkarwasz (triggered by ppkarwasz).

Head commit for run:
66c18ffe4f19143d081acb744170ca2d0deb99d5 / Piotr P. Karwasz 
<[email protected]>
Document the resolver floor in the threat model

Installing a resolver no longer removes the hardening: the floor wraps
the caller's resolver instead of being replaced. Reflect that across the
threat model.

Add a "Resolvers" entry under the settings a caller may modify, listing
the typed set*Resolver methods, the DefaultHandler passed to
SAXParser.parse, and the StAX resolver properties (javax.xml.stream.resolver
and the com.ctc.wstx.*Resolver keys), with the caveat that the installed
resolver must resolve every resource the caller needs, since the floor
denies or ignores whatever it leaves unresolved.

Move the Woodstox resolver properties out of the reserved list, correct
the reserved-section note that previously called installing a resolver a
loosening, and reframe the out-of-scope entry to the remaining caller
responsibility: a resolver that resolves an untrusted resource fetches
it. The raw Xerces internal entity-resolver property stays reserved, as
the typed setter override does not wrap it.

Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>

Report URL: https://github.com/apache/commons-xml/actions/runs/28849559294

With regards,
GitHub Actions via GitBox

Reply via email to