potiuk opened a new pull request, #4522: URL: https://github.com/apache/solr/pull/4522
## What

Adds a **threat model** for Apache Solr, drafted at the Solr PMC's request (the GLASSWING / Mythos scan pre-flight needs a discoverable threat model):

- **`THREAT_MODEL.md`** — the model ([rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)).
- **`SECURITY.md`** — new (ASF disclosure pointer + threat-model reference).
- **`AGENTS.md`** — your existing coding-agent file, **preserved**, with a `## Security` section appended wiring `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`.

## The model in brief

Built around Solr's deployment contract: a **search server meant to run in a trusted environment with authentication + authorization enabled** — **never exposed unauthenticated to an untrusted network**. The admin/config/package APIs are powerful-by-design and must be authz-restricted; SSRF via `shards`/streaming is bounded by operator network controls; code-execution-adjacent features (Velocity/scripting, remote streaming) are off-by-default. So scanner/AI reports against "the admin API can change config / unauthenticated instance is dangerous / SSRF via shards" route to the right disposition rather than churning.

## DRAFT — you own and merge it

The *(inferred)* trust assumptions are gathered as **open questions in section 14**; the load-bearing ones are **Q-trustenv** (confirm the trusted-environment posture so unauthenticated-exposure findings are out-of-model) and **Q-features** (which risky toggles, when enabled, keep a finding `VALID` vs make it `non-default-build`). Please edit freely.

**Scope note:** modelled for `apache/solr`; `solr-sandbox` placed out of scope (experimental); `solr-operator` / `solr-mcp` flagged for a scope confirmation (section 14 Q-scope).

Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
