On Tue, 15 Oct 2019 at 11:03, Claude Warren <cla...@xenei.com> wrote:
>
> If the style is to rely on external code to do input validation, then I
> think that should be in the javadocs as well as on the page you mention.

Perhaps I phrased it wrong.
What I meant was that the code generally does what it is told to do.
e.g. a delete_tree(path) method is not going to prevent you from using path='/'.
Commons cannot in general validate such parameters.

> Claude
>
> On Tue, Oct 15, 2019 at 10:59 AM sebb <seb...@gmail.com> wrote:
>
> > It might be useful to add a note to the commons security page about
> > automated vulnerability checkers.
> >
> > These tend to produce a lot of false positives and may report items
> > which could never be a security issue (e.g. poor code style, dead
> > code).
> >
> > Even if the issue is potentially a vulnerability, it often depends on
> > the context.
> > This is particularly true of Commons - the code generally relies on
> > the application to do validation of input parameters.
> >
> > Thoughts?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org