GitHub user FreeAndNil added a comment to the discussion: Threat model: how should Thread Context (MDC) keys be classified (trusted structural or untrusted content)?
My position is that keys should be classified as untrusted content, on the same level as values. The intended use - developer-chosen constants - is not the actual use. Dumping HTTP headers into the MDC is common, and developers doing so are often unaware of the trust implications. A threat model should reflect how the API is actually used.

The cost argument also favors this: appenders already sanitize values in structured layouts. Extending that to keys is a small and natural addition. Documenting "do not populate keys from untrusted input" as a developer responsibility would be cleaner in theory, but shifts the burden onto developers who are demonstrably already unaware of the risk.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4132#discussioncomment-17126257

----
This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
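The trust gap the comment describes, shown as an added example that is not part of the discussion and not log4j2's own code: a toy JSON "structured layout" that escapes MDC values but interpolates keys verbatim, beside one that treats keys as untrusted content. The MDC contents, the hostile header name used as a key, and the `mdc.` prefix are all constructed assumptions for the illustration; the detection helper at the end is the kind of check a log consumer can run to notice fields the layout never emits.

```python
import json

# Constructed sample of what an application ends up with when it copies HTTP
# headers into the MDC wholesale: the header NAME becomes the key. The second
# key is a constructed hostile value, not taken from the discussion.
SAMPLE_MDC = {
    "requestId": "abc-123",
    'x-custom": "a", "injected': "present",
}

STRUCTURAL_FIELDS = {"level", "message"}


def naive_layout(level, message, mdc):
    """Escapes values through the JSON encoder but trusts keys as structural
    text, which is the gap described in the comment."""
    fields = [
        f'"level": {json.dumps(level)}',
        f'"message": {json.dumps(message)}',
    ]
    for key, value in mdc.items():
        fields.append(f'"{key}": {json.dumps(str(value))}')  # key is NOT escaped
    return "{" + ", ".join(fields) + "}"


def hardened_layout(level, message, mdc):
    """Classifies keys as untrusted content: both key and value go through the
    JSON encoder, and a constant prefix (assumed here) keeps MDC keys from ever
    colliding with the layout's own structural fields."""
    record = {"level": level, "message": message}
    for key, value in mdc.items():
        record["mdc." + str(key)] = str(value)
    return json.dumps(record)


def unexpected_fields(line, allowed):
    """Consumer-side check: field names present in the parsed record that the
    emitting layout was never configured to produce."""
    return set(json.loads(line)) - set(allowed)


if __name__ == "__main__":
    naive = naive_layout("INFO", "request handled", SAMPLE_MDC)
    hardened = hardened_layout("INFO", "request handled", SAMPLE_MDC)
    print(naive)
    print(hardened)
    # The naive line parses as valid JSON containing a field the application
    # never set; the hardened line keeps the hostile name as plain key text.
    print(unexpected_fields(naive, STRUCTURAL_FIELDS | set(SAMPLE_MDC)))
    print(unexpected_fields(hardened, STRUCTURAL_FIELDS | {"mdc." + k for k in SAMPLE_MDC}))
```

Run stand-alone, the naive layout reports `{'x-custom', 'injected'}` as fields it was never configured to emit, while the hardened layout reports none, because the only thing sanitizing the key changes is where the quote characters land.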
