Skip to content

Commit f18e61b

Browse files
committed
[COMMONSSITE-187] docs: document security model
As discussed earlier in private in the thread at https://lists.apache.org/thread/w130p74rx0y60ytlz81h7fx9h7td6vnj and proposed publicly in https://issues.apache.org/jira/browse/COMMONSSITE-187
1 parent 50e1a63 commit f18e61b

1 file changed

Lines changed: 22 additions & 0 deletions

File tree

src/site/xdoc/security.xml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,28 @@
3131
of the Commons project</a>.</p>
3232
</section>
3333

34+
<section name="Security Model">
35+
<p>Commons Compress may be used to process untrusted input data.
36+
Input may be read from the network when this is explicitly requested,
37+
but the processing of the compressed payload should not trigger
38+
additional network access, unbounded deserialization
39+
or code execution. It may require processing power proportional to
40+
the size of the input. An input causing an OutOfMemoryError,
41+
StackOverflowError, or another Error may be considered a DoS
42+
vulnerability when it is unexpected based on the size of the input
43+
and the resources (RAM, disk, etc) allocated to the process.</p>
44+
45+
<p>Input causing any other RuntimeException is expected and not a
46+
vulnerability, but may be a regular bug when a more appropriate
47+
Exception is available</p>
48+
49+
<p>Regular API parameters are typically designed to work with input
50+
that is either trusted or validated/sanitized by the application
51+
using the library unless otherwise specified, in accordance with
52+
the general <a href="https://commons.apache.org/security.html#Security_Model">
53+
Apache Commons Security Model</a>.</p>
54+
</section>
55+
3456
<section name="Apache Commons Compress Security Vulnerabilities">
3557
<p>This page lists all security vulnerabilities fixed in
3658
released versions of Apache Commons Compress. Each

0 commit comments

Comments
 (0)