ppkarwasz opened a new pull request, #30: URL: https://github.com/apache/logging-site/pull/30
Extend the common threat model with two new sections:

* "Adversary capabilities" defines the in-scope adversary and the capabilities it is assumed to have, and enumerates the out-of-scope adversaries whose reports will not be accepted.
* "Revising this threat model" lists the conditions under which the document must be revisited.

Self-referential and deeply nested object structures are explicitly placed out of scope. To keep disabled log statements cheap we call `toString()` on the passed parameters ourselves, so the safety of that call ultimately rests with the caller. This follows the CVE-2017-18640 precedent: SnakeYAML did not hang while _reading_ a "billion laughs" document, but it built a deeply nested map from it, and SnakeYAML, not the code that later operated on that map, was held responsible. Note that SnakeYAML still allows the creation of recursive maps by default.

Open questions left for discussion:

* The revision section does not yet define the process for modifying the threat model. This should likely require a public discussion followed by a public PMC vote.
* Retroactivity: changes should apply only to versions published *after* the modification, not retroactively. If we adopt that, we should keep all previously published versions of this document available on the website.

Assisted-By: Claude Opus 4.7 (1M context) <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
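As an added illustration that is not part of this PR or of Log4j's code base, the following self-contained Java program mirrors the deferral the PR description relies on: a stand-in logger (`MiniLogger`, a hypothetical class written for this example) accepts parameters as `Object` and calls `toString()` on them only once the statement is enabled, and a constructed `SelfReferential` object shows where the failure lands when the caller's own `toString()` recurses. The class and method names are assumptions for the demo, not Log4j API.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Log4j code: a minimal parameterized logger that only
// renders parameters when the statement is enabled, as described in the PR.
public class DeferredToStringDemo {

    enum Level { DEBUG, INFO }

    // Hypothetical stand-in for a real logger.
    static final class MiniLogger {
        private final Level threshold;

        MiniLogger(Level threshold) { this.threshold = threshold; }

        boolean isEnabled(Level level) { return level.ordinal() >= threshold.ordinal(); }

        // Returns the rendered message, or null when the statement is disabled.
        String log(Level level, String pattern, Object... params) {
            if (!isEnabled(level)) {
                return null; // params are never touched: no toString() cost is paid
            }
            StringBuilder sb = new StringBuilder();
            int p = 0;
            for (int i = 0; i < pattern.length(); i++) {
                boolean placeholder = i + 1 < pattern.length()
                        && pattern.charAt(i) == '{' && pattern.charAt(i + 1) == '}'
                        && p < params.length;
                if (placeholder) {
                    sb.append(String.valueOf(params[p++])); // the logger calls toString() here
                    i++;
                } else {
                    sb.append(pattern.charAt(i));
                }
            }
            return sb.toString();
        }
    }

    // Constructed caller-supplied object whose toString() is unsafe: rendering
    // its children renders itself again, so the call recurses without bound.
    static final class SelfReferential {
        final List<Object> children = new ArrayList<>();

        @Override
        public String toString() { return "Node" + children; }
    }

    public static void main(String[] args) {
        SelfReferential node = new SelfReferential();
        node.children.add(node); // the object now refers to itself

        MiniLogger logger = new MiniLogger(Level.INFO);

        // Disabled statement: cheap, the unsafe toString() is never reached.
        String disabled = logger.log(Level.DEBUG, "state={}", node);
        System.out.println("DEBUG rendered? " + (disabled != null)); // false

        // Enabled statement: the logger invokes toString(), and the caller's
        // object recurses until the stack overflows. Under the threat model in
        // this PR that failure is attributed to the caller, not to the logger.
        try {
            logger.log(Level.INFO, "state={}", node);
            System.out.println("rendered without error");
        } catch (StackOverflowError e) {
            System.out.println("toString() of the caller's object overflowed the stack");
        }
    }
}
```

Compile and run with `javac DeferredToStringDemo.java && java DeferredToStringDemo`. The first call returns `null` without touching `node`; the second reaches `node.toString()`, whose recursion through `ArrayList.toString()` is not guarded because the element is the node, not the list itself, which is exactly the class of caller-controlled object the PR places out of scope.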
