rm5248 commented on code in PR #30: URL: https://github.com/apache/logging-site/pull/30#discussion_r3252847727
########## src/site/antora/modules/ROOT/pages/_threat-model-common.adoc: ########## 
@@ -69,6 +69,33 @@ No particular input validation for log messages is necessary. * They **do not** trust the string representation of log parameters. * The logging frameworks do not trust neither the keys nor the values in the thread context. +[#threat-common-adversary] +== Adversary capabilities + +The threats listed below are evaluated against an adversary with a well-defined and limited set of capabilities. +Defining these capabilities clarifies which reports are in scope: a report that requires a capability not listed here is **not** considered a vulnerability. + +In-scope adversary:: ++ +An in-scope adversary is any party whose data reaches the logging framework **exclusively** through the untrusted sources described above. +Such an adversary is assumed to be able to: ++ +* Submit arbitrary byte sequences, including malformed text encodings and control characters (such as `CR`, `LF` and `NUL`), through log messages, the string representation of log parameters, and the keys and values of the thread context. +* Submit excessively long inputs, within whatever limits the calling application enforces. +* Submit input that resembles the framework's own interpolation or lookup syntax, including input that triggers recursive interpolation. + +Out-of-scope adversary:: ++ +The following adversaries are explicitly **out of scope**; a report relying on any of these capabilities will not be accepted: ++ +* An adversary able to modify environment variables, configuration properties, or configuration files: these are trusted sources (see <<threat-common-sources>>). +* An adversary able to execute code in the same process as the logging framework, including through plugins or other extensions added to the application. +* An adversary able to cause a self-referential or otherwise non-terminating object structure to be passed to a log statement. Review Comment: As stated here, this sounds like it might exclude log4shell, although line 85 seems to accept it. 
Do you have a good example to show for this? I wonder if we should add something like "this is treated as a normal bug, and hardening suggestions/PRs are welcome".
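Review bot: The boundary between in-scope bullet 3 ("input that triggers recursive interpolation") and out-of-scope bullet 3 ("a self-referential or otherwise non-terminating object structure") is not spelled out, so someone triaging a recursion-driven crash report cannot tell from this text which side it falls on. Consider stating explicitly that recursion reachable purely through message, parameter or thread-context text is in scope, while recursion that requires the application itself to pass a cyclic object graph is not. Two smaller points in the same hunk: in-scope bullet 2, "within whatever limits the calling application enforces", leaves open whether input is in scope when the application enforces no limit at all, which is exactly what decides resource-exhaustion reports; and the in-scope definition refers to "the untrusted sources described above" in prose while the out-of-scope list uses `<<threat-common-sources>>`, so using the same xref in both places would make the two definitions line up.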
