Copilot commented on code in PR #497: URL: https://github.com/apache/jspwiki/pull/497#discussion_r3340902920
########## THREAT_MODEL.md: ########## 
@@ -0,0 +1,377 @@ +<!-- +SPDX-License-Identifier: Apache-2.0 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +# Threat Model — Apache JSPWiki + +## §1 Header + +- **Project:** Apache JSPWiki — a feature-rich, WikiWiki-style engine built on + standard Java/Jakarta EE components (servlet container), with page content + authored in JSPWiki markup (or Markdown), server-side plugins and filters, file + attachments, and JAAS-based authentication plus per-page access control lists. +- **Modelled against:** `apache/jspwiki` `master` (HEAD at time of writing, 2026-05-31). +- **Status:** **DRAFT — v0, not yet reviewed by the JSPWiki PMC.** Produced by the ASF + Security team via the `threat-model-producer` rubric + (<https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573>) for the PMC to + react to — confirm, correct, or strike each claim. +- **Version binding:** This model is versioned alongside the project. A report against + release *N* is triaged against the model as it stood at *N*, not at HEAD. +- **Reporting cross-reference:** Findings that violate a §8 property should be reported + privately per `SECURITY.md` / the ASF process (<https://www.apache.org/security/>). + Findings that fall under §3 or §9 will be closed citing this document. 
+- **Provenance legend:** *(documented)* = stated in JSPWiki's own docs/README/source; + *(maintainer)* = confirmed by a JSPWiki PMC member; *(inferred)* = reasoned from code + structure or wiki-engine domain norms, **not yet confirmed** — every *(inferred)* claim + has a matching question in §14. +- **Draft confidence:** ~14 documented / 0 maintainer / ~58 inferred. This is a v0 written + from public artifacts; most claims await PMC ratification. + +JSPWiki is deployed as a web application (a WAR) inside a servlet container. Anonymous and +authenticated web users read and edit pages whose content is rendered from wiki markup to +HTML, may upload and download attachments, and may invoke server-side plugins and filters +embedded in page markup. Who may do what to which page is governed by per-page ACLs, wiki +groups, and a JAAS-backed authentication layer; the deploying operator controls the JVM +security policy (`WEB-INF/jspwiki.policy`), which plugin JARs are installed, and the page / +attachment / user-database storage backends. + +## §2 Scope and intended use + +Primary intended use *(documented)*: a self-hosted collaborative wiki served from a Java +servlet container, with page content collaboratively authored over HTTP, "very detailed +access control and security integration using JAAS" *(documented — README)*, and content +persisted via pluggable page/attachment providers (default: filesystem; +`jspwiki.fileSystemProvider.pageDir`, `jspwiki.basicAttachmentProvider.storageDir`) +*(documented — README)*. + +Caller roles (a web app has no single "caller"): + +- **Anonymous client** — untrusted; whatever an unauthenticated HTTP request can reach. +- **Asserted identity** — a user who supplied a name via cookie but did **not** authenticate + *(inferred)*; trusted only as a convenience label, not as an identity. +- **Authenticated user** — logged in via JAAS; trusted up to the permissions their roles/ACLs grant. 
+- **Wiki admin** — holds the `Admin` role / `AllPermission`-class grants; trusted for the instance. +- **Operator / deployer** — controls the WAR, `jspwiki.properties`, `jspwiki.policy`, installed + plugin JARs, and storage backends. Fully trusted; **out of model** as an adversary (§3). + +**Component-family table:** + +| Family | Representative entry point | Touches outside process | In model? | +| --- | --- | --- | --- | +| Wiki engine core (page CRUD, references) | `Edit.jsp` / `WikiEngine`, `jspwiki-main` | filesystem (pages) | **Yes** | +| Markup render → HTML | `jspwiki-main` render, `jspwiki-markdown` | no (CPU) | **Yes** | Review Comment: The tables use `||` at the start of each row, which creates an extra empty column in GitHub-flavored Markdown and typically renders misaligned/broken tables. Use a single leading `|` per row (e.g., `| Family | ... |`) consistently across all tables in this document (e.g., §2, §5a, §6, §13). ########## THREAT_MODEL.md: ########## 
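Review bot: the closure rule in §1, "Findings that fall under §3 or §9 will be closed citing this document", is stated unconditionally, yet the same header marks the model as DRAFT v0, "not yet reviewed by the JSPWiki PMC", with roughly 58 of 72 claims tagged *(inferred)* and unconfirmed; closing a private report by citing an unratified scope exclusion risks dismissing a real issue, so gate that sentence on the status leaving DRAFT (or state that until PMC ratification §3/§9 findings are triaged, not closed). Related, "Version binding" says a report against release *N* is triaged against the model as it stood at *N*, but the model is pinned only to `master` "HEAD at time of writing, 2026-05-31"; recording the commit hash and the release this v0 corresponds to would make that binding reproducible. Minor: the "Wiki admin" role is "trusted for the instance" but, unlike the operator, is not explicitly placed in or out of the adversary model; one clause saying whether admin-to-operator escalation (for example through installed plugin JARs, which the header assigns to the operator) is in scope would remove the ambiguity.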
@@ -0,0 +1,377 @@ +<!-- +SPDX-License-Identifier: Apache-2.0 + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +# Threat Model — Apache JSPWiki + +## §1 Header + +- **Project:** Apache JSPWiki — a feature-rich, WikiWiki-style engine built on + standard Java/Jakarta EE components (servlet container), with page content + authored in JSPWiki markup (or Markdown), server-side plugins and filters, file + attachments, and JAAS-based authentication plus per-page access control lists. +- **Modelled against:** `apache/jspwiki` `master` (HEAD at time of writing, 2026-05-31). Review Comment: This repository appears to use `main` (per the diff headers), but the threat model says it’s modeled against `master`. To avoid confusion for reviewers/triagers, update the referenced default branch name to match the repo (or phrase it branch-agnostically, e.g., 'default branch / HEAD'). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
