Skip to content

Commit 98fd4cf

Browse files
committed
[COMMONSSITE-187] docs: document security model
As discussed earlier in private in the thread at https://lists.apache.org/thread/w130p74rx0y60ytlz81h7fx9h7td6vnj and proposed publicly in https://issues.apache.org/jira/browse/COMMONSSITE-187
1 parent 50e1a63 commit 98fd4cf

1 file changed

Lines changed: 20 additions & 0 deletions

File tree

src/site/xdoc/security.xml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,26 @@
3131
of the Commons project</a>.</p>
3232
</section>
3333

34+
<section name="Security Model">
35+
<p>Commons Compress may be used to process untrusted input data.
36+
This should not trigger network access, unbounded deserialization
37+
or code execution. It may require processing power proportional to
38+
the size of the input. An input causing an OutOfMemoryError,
39+
StackOverflowError, or another Error may be considered a DoS
40+
vulnerability when it is unexpected based on the size of the input
41+
and the resources (RAM, disk, etc) allocated to the process.</p>
42+
43+
<p>Input causing any other RuntimeException is expected and not a
44+
vulnerability, but may be a regular bug when a more appropriate
45+
Exception is available</p>
46+
47+
<p>Regular API parameters are typically designed to work with input
48+
that is either trusted or validated/sanitized by the application
49+
using the library unless otherwise specified, in accordance with
50+
the general <a href="https://commons.apache.org/security.html#Security_Model">
51+
Apache Commons Security Model</a>.</p>
52+
</section>
53+
3454
<section name="Apache Commons Compress Security Vulnerabilities">
3555
<p>This page lists all security vulnerabilities fixed in
3656
released versions of Apache Commons Compress. Each

0 commit comments

Comments
 (0)