Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md security section)#4522
Open
potiuk wants to merge 2 commits into
Open
Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md security section)#4522potiuk wants to merge 2 commits into
potiuk wants to merge 2 commits into
Conversation
Adds a threat model for Apache Solr, drafted at the Solr PMC's request following the Apache Security team's threat-model rubric. Adds THREAT_MODEL.md and a new SECURITY.md (ASF disclosure pointer), and appends a ## Security section to the existing AGENTS.md wiring AGENTS.md -> SECURITY.md -> THREAT_MODEL.md (the rest of AGENTS.md is preserved). The model is built around Solr's deployment contract — a search server meant to run in a trusted environment with auth+authz enabled, never exposed unauthenticated to an untrusted network. It treats the admin/config/package APIs as powerful-by-design (authz-restricted), bounds SSRF via shards/streaming by operator network controls, and keeps code-execution-adjacent features as off-by-default. DRAFT for PMC review: section 14 carries open questions (notably the trusted-environment ruling and the risky-feature toggles). Scope: apache/solr; solr-sandbox out of scope; solr-operator/solr-mcp pending a scope confirmation. Generated-by: Claude Opus 4.8 (1M context)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a threat model for Apache Solr, drafted at the Solr PMC's request (the GLASSWING / Mythos scan pre-flight needs a discoverable threat model):
THREAT_MODEL.md— the model (rubric).SECURITY.md— new (ASF disclosure pointer + threat-model reference).AGENTS.md— your existing coding-agent file, preserved, with a## Securitysection appended wiringAGENTS.md -> SECURITY.md -> THREAT_MODEL.md.The model in brief
Built around Solr's deployment contract: a search server meant to run in a trusted environment with authentication + authorization enabled — never exposed unauthenticated to an untrusted network. The admin/config/package APIs are powerful-by-design and must be authz-restricted; SSRF via
shards/streaming is bounded by operator network controls; code-execution-adjacent features (Velocity/scripting, remote streaming) are off-by-default. So scanner/AI reports against "the admin API can change config / unauthenticated instance is dangerous / SSRF via shards" route to the right disposition rather than churning.DRAFT — you own and merge it
The (inferred) trust assumptions are gathered as open questions in section 14; the load-bearing ones are Q-trustenv (confirm the trusted-environment posture so unauthenticated-exposure findings are out-of-model) and Q-features (which risky toggles, when enabled, keep a finding
VALIDvs make itnon-default-build). Please edit freely.Scope note: modelled for
apache/solr;solr-sandboxplaced out of scope (experimental);solr-operator/solr-mcpflagged for a scope confirmation (section 14 Q-scope).Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.