FossilRepo
# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in Fossilrepo, please report it responsibly.

**Do not open a public issue.**

Email **[email protected]** with:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

## Supported Versions

| Version | Supported |
| ------- | --------- |
| latest  | Yes       |

## Security Model

### Authentication

- Session-based authentication; the session cookie is set with the `HttpOnly` and `Secure` flags
- CSRF protection on all forms; HTMX requests carry the CSRF token as well, added in an `htmx:configRequest` handler
- Rate limiting on login: 10 attempts per minute per client IP
- Password strength enforced with Django's built-in password validators
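
The login limit above is simple to state but has one deployment-dependent detail: "per IP" only means something if the limiter sees the real client address, not the reverse proxy's. The following is an added example, not Fossilrepo's code. It assumes a sliding window of 10 attempts per 60 seconds kept in process memory, a single trusted reverse proxy whose address is in the hypothetical `TRUSTED_PROXIES` set, and that `X-Forwarded-For` is honoured only when the TCP peer is that proxy:

```python
"""Per-IP login rate limiter (added example, not Fossilrepo's implementation).

Assumptions not taken from the page: a sliding window of LIMIT attempts per
WINDOW seconds, in-memory state, and one trusted reverse proxy listed in
TRUSTED_PROXIES. All addresses below are constructed for illustration.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional

LIMIT = 10            # attempts allowed per window (from the policy above)
WINDOW = 60.0         # window length in seconds
TRUSTED_PROXIES = {"10.0.0.2"}   # hypothetical address of the Caddy/nginx box


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address the limiter should key on.

    X-Forwarded-For is client-controlled unless a trusted proxy appended to
    it, so it is only consulted when the TCP peer is that proxy. With one
    proxy the entry it appended is the last one; earlier entries may have
    been forged by the client to dodge the limit or to frame someone else.
    """
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per IP."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the behaviour can be tested
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str) -> bool:
        """Record a login attempt from `ip`; False means the attempt must be rejected.

        Rejected attempts are not recorded, so the client regains access once
        the earlier attempts age out of the window rather than being locked out
        for as long as it keeps retrying.
        """
        now = self.clock()
        attempts = self._hits[ip]
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()        # drop attempts older than the window
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        return True


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    ip = client_ip("10.0.0.2", "198.51.100.4, 203.0.113.7")   # constructed request
    print([limiter.allow(ip) for _ in range(LIMIT + 1)])       # ten True, then False
```

Two practical notes: a per-IP bucket is shared by everyone behind the same NAT or CGNAT address, so pair it with a per-account limit if lockout complaints appear; and an in-memory limiter is per worker process, so under multiple workers the effective limit is the configured one multiplied by the number of workers unless the state is moved to a shared store such as the cache backend.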
| c588255… | ragelink | 32 | |
### Authorization

- Group-based permissions via the `P` enum (`core/permissions.py`)
- Project-level RBAC: `read`, `write` and `admin` roles granted through team membership
- Project visibility: `public` (anonymous read), `internal` (any authenticated user can read), `private` (team members only)
- All views enforce permission checks before any data access
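
The two rules above (visibility decides who may read, team role decides who may write or administer) combine into a small policy that is easy to get wrong at the edges, for example an anonymous user on an internal project or a read-only member of a public project pushing. The following is an added example, not Fossilrepo's `core/permissions.py`; the `Project`, `Role`, `Visibility` and `require` names are assumptions made for this illustration, and the fixtures in `sample_projects()` are constructed:

```python
"""Visibility and role checks for projects (added example, not Fossilrepo's code).

The three visibility levels and three roles come from the policy above; the
types, function names and sample data are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class Visibility(Enum):
    PUBLIC = "public"        # anonymous read
    INTERNAL = "internal"    # any authenticated user may read
    PRIVATE = "private"      # team members only


class Role(Enum):
    READ = 1
    WRITE = 2
    ADMIN = 3                # ordering matters: admin implies write implies read


@dataclass
class Project:
    name: str
    visibility: Visibility
    members: Dict[str, Role] = field(default_factory=dict)   # username -> role


class PermissionDenied(Exception):
    """Raised before the view body runs; stands in for Django's exception."""


def can_read(user: Optional[str], project: Project) -> bool:
    """Read access is governed by visibility; `user` is None when anonymous."""
    if project.visibility is Visibility.PUBLIC:
        return True
    if user is None:
        return False                       # internal and private both need a login
    if project.visibility is Visibility.INTERNAL:
        return True
    return user in project.members         # private: any team role suffices


def has_role(user: Optional[str], project: Project, minimum: Role) -> bool:
    """True when `user` is a team member holding at least `minimum`.

    Deliberately independent of visibility: a public project is readable by
    everyone but still writable only by its team.
    """
    if user is None:
        return False
    role = project.members.get(user)
    return role is not None and role.value >= minimum.value


def can_write(user: Optional[str], project: Project) -> bool:
    return has_role(user, project, Role.WRITE)


def can_admin(user: Optional[str], project: Project) -> bool:
    return has_role(user, project, Role.ADMIN)


def require(check: Callable[[Optional[str], Project], bool]):
    """Decorator running `check(user, project)` before the view touches data.

    Fails closed: any falsy result raises, so a view can never reach its body
    with an unchecked project.
    """
    def decorate(view):
        def wrapped(user: Optional[str], project: Project, *args, **kwargs):
            if not check(user, project):
                raise PermissionDenied(f"{user!r} may not access {project.name!r}")
            return view(user, project, *args, **kwargs)
        return wrapped
    return decorate


@require(can_read)
def project_detail(user: Optional[str], project: Project) -> str:
    return f"{project.name} ({project.visibility.value})"


@require(can_write)
def push_changes(user: Optional[str], project: Project) -> str:
    return f"push to {project.name} by {user}"


def sample_projects() -> Dict[str, Project]:
    """Constructed fixtures, not real Fossilrepo data."""
    return {
        "pub": Project("pub", Visibility.PUBLIC, {"alice": Role.ADMIN, "bob": Role.READ}),
        "int": Project("int", Visibility.INTERNAL),
        "priv": Project("priv", Visibility.PRIVATE, {"carol": Role.WRITE}),
    }
```

The decorator is the point of the last bullet: the check runs before the view body, and the permission function is named at the view, so a reviewer can audit every endpoint by reading its decorator rather than hunting for checks inside the body.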
| c588255… | ragelink | 39 | |
### Data Protection

- SSH keys and OAuth tokens are encrypted at rest with Fernet (AES-128-CBC with an HMAC-SHA256 tag), using a key derived from `SECRET_KEY`. Anyone holding `SECRET_KEY` can therefore decrypt them, and rotating `SECRET_KEY` without re-encrypting the stored secrets makes them unreadable
- No plaintext credentials are stored in the database
- Fossil sync runs `fossil` with `--localauth` only for authenticated users with write access; the flag lets requests from localhost skip Fossil's own login, so it is never passed for anyone else
- Anonymous users get pull-only access on public repos (no `--localauth`)
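
Keying Fernet from `SECRET_KEY` ties the lifetime of every stored SSH key and OAuth token to that one value, so the interesting case is rotation. The following is an added example, not Fossilrepo's code; it requires the `cryptography` package. The page does not say how the Fernet key is derived from `SECRET_KEY`, so SHA-256 of the string is assumed here, and the sample private key is constructed:

```python
"""Fernet encryption of stored secrets keyed from SECRET_KEY, with rotation.

Added example, not Fossilrepo's implementation. Requires the `cryptography`
package. The SHA-256 derivation and the function names are assumptions.
"""
import base64
import hashlib
from typing import Iterable, Sequence

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed sample value standing in for a real OpenSSH private key.
SAMPLE_SECRET = "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----"


def fernet_key(secret_key: str) -> bytes:
    """Turn an arbitrary SECRET_KEY string into the 32-byte urlsafe-base64 key
    Fernet requires (assumed derivation: SHA-256 of the UTF-8 bytes)."""
    return base64.urlsafe_b64encode(hashlib.sha256(secret_key.encode()).digest())


def _multi(secret_keys: Iterable[str]) -> MultiFernet:
    """MultiFernet encrypts with the first key and decrypts with any of them."""
    return MultiFernet([Fernet(fernet_key(k)) for k in secret_keys])


def encrypt_secret(secret_key: str, plaintext: str) -> str:
    """Encrypt an SSH key or OAuth token for storage in the database."""
    return Fernet(fernet_key(secret_key)).encrypt(plaintext.encode()).decode()


def decrypt_secret(secret_key: str, token: str, old_keys: Sequence[str] = ()) -> str:
    """Decrypt a stored token. During a SECRET_KEY rotation pass the previous
    values in `old_keys`; raises InvalidToken when no key fits."""
    return _multi([secret_key, *old_keys]).decrypt(token.encode()).decode()


def can_decrypt(secret_key: str, token: str) -> bool:
    """True if `secret_key` alone decrypts `token`. Fernet checks the HMAC
    before decrypting, so a wrong key raises rather than returning garbage."""
    try:
        decrypt_secret(secret_key, token)
        return True
    except InvalidToken:
        return False


def rotate_secret(new_key: str, old_keys: Sequence[str], token: str) -> str:
    """Re-encrypt `token` under `new_key` so the old SECRET_KEY values can be
    retired. Run over every stored secret before dropping the old keys."""
    return _multi([new_key, *old_keys]).rotate(token.encode()).decode()


if __name__ == "__main__":
    token = encrypt_secret("old-secret-key", SAMPLE_SECRET)
    print(can_decrypt("new-secret-key", token))                       # False
    rotated = rotate_secret("new-secret-key", ["old-secret-key"], token)
    print(can_decrypt("new-secret-key", rotated))                     # True
```

The operational consequence for the deployment section below: a `SECRET_KEY` change is not just a session reset. Every stored secret must be re-encrypted with the old key still available, or it becomes unreadable.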
| c588255… | ragelink | 46 | |
### Deployment

When deploying Fossilrepo in production:

- Set a strong, unique `DJANGO_SECRET_KEY`; the app refuses to start without one when `DEBUG=False`. The same key derives the Fernet key for stored SSH keys and OAuth tokens, so rotating it means re-encrypting those secrets
- Change all default database credentials
- Enable HTTPS: `SECURE_SSL_REDIRECT`, `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` are turned on automatically when `DEBUG=False`
- Set `DJANGO_ALLOWED_HOSTS` to your domain only (never `*`)
- Set `CORS_ALLOWED_ORIGINS` and `CSRF_TRUSTED_ORIGINS` to your domain, including the `https://` scheme
- Review the Constance settings in the Django admin (OAuth client secrets, S3 credentials)
- Use a reverse proxy (Caddy or nginx) for TLS termination. It must forward `X-Forwarded-Proto` and `X-Forwarded-For`, and Django must be configured with the matching `SECURE_PROXY_SSL_HEADER`; otherwise `SECURE_SSL_REDIRECT` sees plain HTTP from the proxy and redirects every request, and the login rate limiter only ever sees the proxy's address
- Keep the Fossil binary updated; it is compiled from source in the Docker image, so rebuild the image to pick up new Fossil releases
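
The checklist above describes behaviour that is easiest to enforce in code rather than in a runbook: refuse to start without a key, flip the HTTPS flags as soon as `DEBUG` is off, and reject a wildcard host. The following is an added example, not Fossilrepo's `settings.py`. The Django setting names are Django's own; the `build_settings` function, the `DJANGO_CSRF_TRUSTED_ORIGINS` and `DJANGO_CORS_ALLOWED_ORIGINS` environment variable names, and the rejection of keys carrying the `django-insecure-` prefix that `startproject` generates are assumptions made for this example:

```python
"""Production settings guard (added example, not Fossilrepo's settings.py).

Encodes the deployment rules above: no start without a secret key when DEBUG
is off, HTTPS flags on automatically when DEBUG is off, hosts and origins
taken from the environment and validated. Environment variable names other
than DJANGO_SECRET_KEY, DJANGO_ALLOWED_HOSTS and DJANGO_DEBUG are assumptions.
"""
import os
from typing import Any, Dict, List, Mapping

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:   # Django not installed: same-named stand-in so this runs alone
    class ImproperlyConfigured(Exception):
        pass

TRUTHY = ("1", "true", "yes", "on")


def _csv(value: str) -> List[str]:
    """Split a comma-separated environment value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def build_settings(env: Mapping[str, str]) -> Dict[str, Any]:
    """Derive the security-relevant Django settings from `env`, failing closed."""
    debug = env.get("DJANGO_DEBUG", "false").strip().lower() in TRUTHY
    secret_key = env.get("DJANGO_SECRET_KEY", "")
    hosts = _csv(env.get("DJANGO_ALLOWED_HOSTS", ""))
    csrf_origins = _csv(env.get("DJANGO_CSRF_TRUSTED_ORIGINS", ""))   # hypothetical name
    cors_origins = _csv(env.get("DJANGO_CORS_ALLOWED_ORIGINS", ""))   # hypothetical name

    if not debug:
        if not secret_key:
            raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set when DEBUG=False")
        if secret_key.startswith("django-insecure-"):
            # prefix of the throwaway key `django-admin startproject` writes
            raise ImproperlyConfigured("DJANGO_SECRET_KEY looks like a development key")
        if not hosts or "*" in hosts:
            raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must name your domain, not '*'")
        if not csrf_origins:
            csrf_origins = [f"https://{h}" for h in hosts]   # default to the served hosts
        bad = [o for o in csrf_origins + cors_origins if not o.startswith("https://")]
        if bad:
            # Django 4+ requires a scheme here, and in production only https is acceptable.
            raise ImproperlyConfigured(f"origins must use https://: {bad}")

    settings: Dict[str, Any] = {
        "DEBUG": debug,
        "SECRET_KEY": secret_key or "django-insecure-dev-only",   # DEBUG=True only
        "ALLOWED_HOSTS": hosts or ["localhost", "127.0.0.1"],
        "CSRF_TRUSTED_ORIGINS": csrf_origins,
        "CORS_ALLOWED_ORIGINS": cors_origins,
        "SESSION_COOKIE_HTTPONLY": True,
    }
    if not debug:
        settings.update({
            "SECURE_SSL_REDIRECT": True,
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            # Behind Caddy/nginx the app sees plain HTTP; without this header
            # check SECURE_SSL_REDIRECT would redirect every request forever.
            # Only safe when the proxy overwrites X-Forwarded-Proto itself.
            "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
        })
    return settings


if __name__ == "__main__":
    for key, value in sorted(build_settings(os.environ).items()):
        print(f"{key} = {value!r}")
```

Because the guard raises `ImproperlyConfigured` at import time, a misconfigured container fails before it binds a port, which is the behaviour the first bullet describes and is far easier to notice than a service that starts with cookies missing the `Secure` flag.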