raboof commented on PR #540: URL: https://github.com/apache/commons-configuration/pull/540#issuecomment-2646141665
> > For Commons Configuration 2.x, loading untrusted configuration files or performing operations on them should not allow code execution, and should not cause any denial of service situations.
>
> What I understand here is that even if you allow external users to supply configuration files and you process them through Commons Configuration, no DoS or code execution will be triggered.

Yes, that was my assumption - I could of course very well be wrong about that; I'm by no means a Commons Configuration expert.

> This is IMHO impossible to guarantee and we will have to publish CVEs like the recent one in Logback: [CVE-2024-12798](https://www.cve.org/CVERecord?id=CVE-2024-12798).

AFAICT we *do* publish CVEs like that for Commons Configuration (e.g. https://www.cve.org/CVERecord?id=CVE-2022-33980).

Are you aware of any places where Commons Configuration allows triggering code execution or DoS 'by design'?

FWIW: I don't have a strong opinion on whether we 'should' consider configuration trusted or allow untrusted input - we should just clearly document the expectations ;)