raboof commented on PR #162: URL: https://github.com/apache/maven-scm/pull/162#issuecomment-1246413289
Hi @JLLeitschuh,

First of all, thanks for providing this PR and pointing out this potential issue. While as you know we generally prefer security issues to be reported privately to secur...@apache.org (or a project-specific security list), I can totally see how this might not be practical when mass-submitting issues found through static source code analysis. I respect that you only have so much time in a day, and appreciate you don't intend to overwhelm already over-taxed maintainers.

Nonetheless, mass-creating issues is still putting the burden of doing the work needed to determine whether this is a legitimate security issue or a false positive on the maintainers. For reports on outdated dependencies with open CVEs, we don't accept such reports as security reports anymore, and ask reporters to either (a) do additional analysis, or (b) provide a public (non-security) issue/PR to update the version. We might apply the same logic to static code analysis tool output (though those can of course be more sophisticated) - so I'm happy to see you indeed provided this report in the form of a PR.

I couldn't resist having a bit of a look, and at first glance it looks like a false positive from a security perspective: it's not obvious how `files` would contain any files in 'sibling' directories, and even if it did, it's unclear how that would lead to a problem. Still, possibly using `Path.startsWith` would be nice in general, and be a form of 'hardening' and avoiding unintended behavior that might be worth it regardless of security impact. In this particular case, however, it would likely require additional changes to the code to make sense, so I think rejecting the PR was a reasonable decision.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
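The `Path.startsWith` hardening raboof mentions, shown as an added illustration that is not code from maven-scm or from the PR: a check on the string form of a path treats a sibling directory whose name merely shares a prefix (`/base/outnot` next to `/base/out`) as "inside" the base, while the component-wise `Path.startsWith` does not. The directory names and the absence of symlinks are assumptions of this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathContainmentCheck {

    // Textual prefix check: "/base/out" is a string prefix of
    // "/base/outnot/a.txt", so a sibling directory is accepted.
    static boolean stringPrefixCheck(Path base, Path candidate) {
        String b = base.toAbsolutePath().normalize().toString();
        String c = candidate.toAbsolutePath().normalize().toString();
        return c.startsWith(b);
    }

    // Component-wise check: Path.startsWith compares whole name elements,
    // so the element "outnot" does not match "out". normalize() folds "."
    // and ".." first. Assumed: no symlinks under base; for existing files,
    // toRealPath() would resolve those before the comparison.
    static boolean pathPrefixCheck(Path base, Path candidate) {
        Path b = base.toAbsolutePath().normalize();
        Path c = candidate.toAbsolutePath().normalize();
        return c.startsWith(b);
    }

    public static void main(String[] args) {
        // Constructed sample paths; nothing is read from disk.
        Path base = Paths.get("/base/out");
        Path[] candidates = {
            Paths.get("/base/out/a.txt"),            // inside: both true
            Paths.get("/base/outnot/a.txt"),         // sibling: string true, path false
            Paths.get("/base/out/../outnot/a.txt"),  // same sibling via "..": same result
            Paths.get("/base/out"),                  // the base itself: both true
        };
        for (Path c : candidates) {
            System.out.printf("%-30s string=%-5b path=%b%n",
                    c, stringPrefixCheck(base, c), pathPrefixCheck(base, c));
        }
    }
}
```

On a POSIX filesystem the second and third candidates are the ones where the two checks disagree; that difference is the whole of the hardening the comment is talking about, independent of whether `files` can ever hold such a path in this project.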