On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen <enge...@apache.org> wrote:
>
> Hello Commons developers,
>
> I'd like to discuss what our security ambitions are for components like
> Commons Imaging, Compress, Codec and IO:
>
> Generally for Commons, we say that unless otherwise specified it is up to
> the user of the library to make sure any input is either trusted or
> correctly validated/sanitized (https://commons.apache.org/security.html).
>
> For these modules it might make sense to be a little more nuanced:
> https://commons.apache.org/proper/commons-imaging/ already explicitly says
> it intends to be "more secure against corrupt/malicious images", and while
> the others don't seem to say it explicitly AFAICS, in practice we consider
> it OK to decompress/decode/... untrusted input at least to some degree.
>
> So what does that mean?
>
> * I'd say parsing/decompression/decoding should never allow malicious input
> to trigger arbitrary code execution(?)
Do any of these products include native libraries/C code? To the extent it's pure Java, arbitrary code execution indicates a bug in the JDK.

Beyond that, I do not think Apache Commons (or anyone else) should expect *any* input to be correctly validated/sanitized. All products should be robust against arbitrary byte streams. Malformed input should be detected and an appropriate exception thrown.

Excessive resource usage is a separate question since it can be triggered by valid input without escaping the VM protections. Proper input validation protects against some but not all resource exhaustion attacks.

-- 
Elliotte Rusty Harold
elh...@ibiblio.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
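The two requirements stated in the reply above (malformed input is detected and surfaced as a typed exception; resource exhaustion is a separate concern because a perfectly valid stream can trigger it) can be shown on a small decompressor. The following is an added example, not code from this thread or from any Apache Commons component: it uses Python's standard zlib module rather than Java so it runs stand-alone, and the names `bounded_decompress`, `classify`, `MalformedInputError` and `ResourceLimitExceeded`, as well as the sample blobs, are constructed for the illustration.

```python
import zlib


class MalformedInputError(ValueError):
    """Raised for streams that are not valid zlib/DEFLATE data (corrupt or truncated)."""


class ResourceLimitExceeded(RuntimeError):
    """Raised when a *valid* stream would expand beyond the caller's output budget."""


def bounded_decompress(data: bytes, max_output: int) -> bytes:
    """Inflate `data`, turning every failure into a specific exception.

    Output is pulled in bounded slices so the budget is enforced before the
    memory is spent, not after a giant buffer has already been allocated.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    try:
        while pending:
            # Ask for at most one byte more than we are still allowed to hold:
            # the moment the budget is crossed we stop, with no large overshoot.
            room = min(65536, max_output - len(out) + 1)
            out += d.decompress(pending, room)
            if len(out) > max_output:
                raise ResourceLimitExceeded(f"output exceeds {max_output} bytes")
            pending = d.unconsumed_tail  # input zlib did not consume because `room` filled up
        out += d.flush()
    except zlib.error as exc:
        # Bad header, bad block, bad checksum: all surface as one typed error.
        raise MalformedInputError(f"invalid compressed stream: {exc}") from exc
    if len(out) > max_output:
        raise ResourceLimitExceeded(f"output exceeds {max_output} bytes")
    if not d.eof:
        # All bytes consumed but the stream never ended: trailer is missing.
        raise MalformedInputError("truncated compressed stream")
    return bytes(out)


def classify(data: bytes, max_output: int) -> str:
    """Map an input onto the three outcomes discussed in the thread."""
    try:
        bounded_decompress(data, max_output)
    except MalformedInputError:
        return "malformed"
    except ResourceLimitExceeded:
        return "too-large"
    return "ok"


# Constructed sample inputs (built here, not taken from any real artefact).
VALID = zlib.compress(b"hello world")
TRUNCATED = zlib.compress(b"hello world" * 100)[:-4]  # adler32 trailer cut off
GARBAGE = b"not zlib data at all"
BOMB = zlib.compress(b"\x00" * 10_000_000, 9)  # a few KB that inflate to 10 MB

if __name__ == "__main__":
    for name, blob in [("valid", VALID), ("truncated", TRUNCATED),
                       ("garbage", GARBAGE), ("bomb", BOMB)]:
        print(f"{name:10s} {len(blob):6d} bytes -> {classify(blob, 1_000_000)}")
```

The "bomb" case is the one the reply singles out: the stream is well formed and passes every structural check, so only an explicit output budget distinguishes it from ordinary data. The same shape (slice the output, count, stop) applies to archive entry counts, image dimensions, or nesting depth in a decoder.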