Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new allowlist only resolver for loading models, instances, and dynamic model generation #183

Open
6 tasks
Tracked by #719
aj-stein-gsa opened this issue Oct 10, 2024 · 0 comments
Open
6 tasks
Tracked by #719

Add new allowlist only resolver for loading models, instances, and dynamic model generation #183

aj-stein-gsa opened this issue Oct 10, 2024 · 0 comments
Labels
enhancement New feature or request java Pull requests that update Java code
Milestone
v3.0.0

Comments

@aj-stein-gsa
Copy link
Contributor

User Story

As a developer of Metaschema-based tooling, in order to deploy a more robust service implemented with this library, I want a resolver subsystem that restricts access to an allowlist of certain directories and subdirectories relative to a configuration and/or allowlist for specific remote HTTP services (to prevent access to other local services on the host or local file inclusion attack vectors).

Goals

  • Establish a secure-by-default input resolver
  • Limit access to local filesystem resources that are not part of the use cases and threat model of this library
  • Limit access to HTTP resources that are not part of the use cases and threat model of this library

Dependencies

N/A

Acceptance Criteria

  • All website and readme documentation affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

Revisions

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request java Pull requests that update Java code
Projects
Spec and Tooling Work Board
Status: Backlog
Milestone
v3.0.0
Development

No branches or pull requests
2 participants
@david-waltermire @aj-stein-gsa