# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in Fossilrepo, please report it responsibly.

**Do not open a public issue.**

Email **[email protected]** with:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

## Supported Versions

| Version | Supported |
| ------- | --------- |
| latest  | Yes       |

## Security Model

### Authentication

- Session-based authentication; the session cookie carries the `HttpOnly` flag and, when `DEBUG=False`, the `Secure` flag
- CSRF protection on all forms; HTMX requests attach the CSRF token from an `htmx:configRequest` handler, so partial-page updates are covered as well as classic form posts
- Rate limiting on login (10 attempts per minute per client IP)
- Password validation enforced (Django's built-in validators)
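The login rate limit above, worked through as an added example (this is not Fossilrepo's own code). It implements a sliding window of 10 attempts per 60 seconds per client IP, and also shows the check a practitioner wants next to any per-IP limit: behind a reverse proxy the limited address must come from the proxy's own `X-Forwarded-For` entry, never from a header the client can set. The in-memory store, the `FakeClock`, the trusted-proxy list and all addresses are assumptions made so the example runs stand-alone.

```python
"""Sliding-window login rate limit, 10 attempts per minute per client IP.

Added illustration of the limit described above, not Fossilrepo's own code.
The in-memory store, FakeClock and the trusted-proxy list are assumptions
made so that the example runs stand-alone.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Iterable, Mapping
import time


@dataclass
class LoginRateLimiter:
    limit: int = 10
    window_seconds: float = 60.0
    # Injected clock so tests can move time forward without sleeping.
    clock: Callable[[], float] = time.monotonic
    _attempts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, ip: str) -> bool:
        """Record one login attempt from `ip` and say whether it may proceed.

        Attempts older than the window are dropped first, so this is a true
        sliding window rather than a bucket that resets on the minute boundary.
        A rejected attempt is not recorded, so a client that keeps hammering is
        not locked out forever once it stops.
        """
        now = self.clock()
        q = self._attempts[ip]
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, ip: str) -> float:
        """Seconds until the oldest in-window attempt expires (0.0 if not limited)."""
        q = self._attempts.get(ip)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window_seconds - self.clock())


def client_ip(remote_addr: str, headers: Mapping[str, str], trusted_proxies: Iterable[str]) -> str:
    """Pick the address to rate-limit on.

    Per-IP limiting only means something if the attacker cannot choose the IP.
    X-Forwarded-For is honoured only when the direct peer is one of our own
    reverse proxies, and then only its last entry (the one that proxy appended);
    anything a client put into the header earlier is ignored.
    """
    if remote_addr in set(trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return remote_addr


class FakeClock:
    """Test clock: call it to read the time, bump `.now` to advance it."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def simulate() -> dict:
    """Drive the limiter through the interesting transitions and return what happened."""
    clock = FakeClock()
    limiter = LoginRateLimiter(clock=clock)
    # Constructed request: the proxy 10.0.0.2 appended 203.0.113.9; 1.2.3.4 was client-supplied.
    attacker = client_ip("10.0.0.2", {"X-Forwarded-For": "1.2.3.4, 203.0.113.9"}, trusted_proxies=["10.0.0.2"])
    first_ten = [limiter.allow(attacker) for _ in range(10)]
    eleventh = limiter.allow(attacker)
    other_client = limiter.allow("198.51.100.7")  # separate bucket, unaffected
    wait = limiter.retry_after(attacker)
    clock.now += 61  # the window has slid past every earlier attempt
    after_wait = limiter.allow(attacker)
    return {
        "attacker_ip": attacker,
        "first_ten": first_ten,
        "eleventh": eleventh,
        "other_client": other_client,
        "retry_after": wait,
        "after_wait": after_wait,
    }


if __name__ == "__main__":
    print(simulate())
```

`retry_after` is what a view would put into a `Retry-After` header or a 429 body; it comes from the oldest attempt still inside the window, not from a fixed lockout timer.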

### Authorization

- Group-based permissions via the `P` enum (`core/permissions.py`)
- Project-level RBAC: read, write and admin roles, granted through team membership
- Project visibility: public (anonymous read), internal (any authenticated user may read), private (team members only); visibility only ever grants read, so write and admin always require a team role
- All views enforce permission checks before data access
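The three visibility levels and the role ladder above, as an added example that is not the project's own `core/permissions.py`. `Role`, `Visibility`, `User`, `Project`, `can` and `guard` are names assumed for the illustration. The `guard` decorator shows the "check before data access" rule, and answers "not found" rather than "forbidden" for a private project the caller may not even read, so that the project's existence is not disclosed; that last choice is a design decision shown here, not a claim about what Fossilrepo does.

```python
"""Project visibility and team-role checks.

Added illustration of the rules listed above; not Fossilrepo's own
core/permissions.py. Role, Visibility, User, Project, `can` and `guard`
are assumed names. Returning "not found" for an unreadable private
project is a design choice shown here, not something the page states.
"""
from dataclasses import dataclass, field
from enum import Enum, IntEnum
from functools import wraps
from typing import Callable, Dict, Optional


class Role(IntEnum):
    """Ordered so that a higher role implies the lower ones."""
    READ = 1
    WRITE = 2
    ADMIN = 3


class Visibility(Enum):
    PUBLIC = "public"      # anonymous read
    INTERNAL = "internal"  # any authenticated user may read
    PRIVATE = "private"    # team members only


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Project:
    slug: str
    visibility: Visibility
    team: Dict[str, Role] = field(default_factory=dict)  # username -> role


class PermissionDenied(Exception):
    pass


class ProjectNotFound(Exception):
    pass


def role_for(user: User, project: Project) -> Optional[Role]:
    """Team role of `user` on `project`, or None (anonymous users never have one)."""
    if not user.is_authenticated:
        return None
    return project.team.get(user.username)


def can(user: User, action: Role, project: Project) -> bool:
    """True if `user` may perform `action` on `project`.

    Team membership is consulted first and dominates visibility. Visibility
    can only ever grant READ; WRITE and ADMIN always require a team role.
    """
    role = role_for(user, project)
    if role is not None and role >= action:
        return True
    if action is not Role.READ:
        return False
    if project.visibility is Visibility.PUBLIC:
        return True
    if project.visibility is Visibility.INTERNAL:
        return user.is_authenticated
    return False  # PRIVATE and not a member


def guard(action: Role) -> Callable:
    """Decorator for views shaped like view(user, project, ...).

    The check runs before the view body, so nothing is read or written on the
    denied path. For a private project the caller cannot even read, raise
    ProjectNotFound instead of PermissionDenied to avoid disclosing existence.
    """
    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def wrapper(user: User, project: Project, *args, **kwargs):
            if can(user, action, project):
                return view(user, project, *args, **kwargs)
            if project.visibility is Visibility.PRIVATE and not can(user, Role.READ, project):
                raise ProjectNotFound(project.slug)
            raise PermissionDenied(f"{user.username} lacks {action.name} on {project.slug}")
        return wrapper
    return decorator


@guard(Role.WRITE)
def push_view(user: User, project: Project) -> str:
    """Constructed stand-in for a view that accepts a push (needs WRITE)."""
    return f"push to {project.slug} accepted for {user.username}"


def outcome(user: User, project: Project) -> str:
    """Run push_view and collapse the result to an HTTP-style label."""
    try:
        push_view(user, project)
        return "ok"
    except ProjectNotFound:
        return "404"
    except PermissionDenied:
        return "403"
```

Note the ordering inside `can`: membership is tested before visibility, so making a project private never takes access away from its own team, and making it public never hands out more than read.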

### Data Protection

- SSH keys and OAuth tokens are encrypted at rest with Fernet (AES-128-CBC with HMAC-SHA256 authentication), using a key derived from `SECRET_KEY`. Anyone holding `SECRET_KEY` can therefore decrypt them, and rotating `SECRET_KEY` makes the existing ciphertexts undecryptable unless they are re-encrypted under the new key first
- No plaintext credentials stored in the database
- The Fossil process that serves a sync is started with `--localauth` only when the requesting user is authenticated and has write access to the project; `--localauth` makes Fossil treat the connection as an already logged-in local user, so it must never be set for other traffic
- Anonymous users get pull-only access on public repositories, and `--localauth` is never passed for them

### Deployment

When deploying Fossilrepo in production:

- Set a strong, unique `DJANGO_SECRET_KEY` (the app refuses to start without one when `DEBUG=False`). It signs sessions and CSRF tokens and also keys the at-rest encryption of SSH keys and OAuth tokens, so keep it out of the image and out of version control
- Change all default database credentials
- Enable HTTPS (`SECURE_SSL_REDIRECT`, `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` are switched on automatically when `DEBUG=False`). Behind a reverse proxy that terminates TLS, Django only sees plain HTTP, so it must also be configured to trust the proxy's `X-Forwarded-Proto` header (`SECURE_PROXY_SSL_HEADER`); otherwise `SECURE_SSL_REDIRECT` loops
- Set `DJANGO_ALLOWED_HOSTS` to your domain only
- Set `CORS_ALLOWED_ORIGINS` and `CSRF_TRUSTED_ORIGINS` to your domain, scheme included (for example `https://fossil.example.com`)
- Review Constance settings in Django admin (OAuth secrets, S3 credentials); they can be read and changed by anyone with admin access, so restrict who holds it
- Use a reverse proxy (Caddy/nginx) for TLS termination
- Keep the Fossil binary updated (it is compiled from source in the Docker image, so rebuild the image to pick up a new Fossil release)
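The checklist above as a settings fragment, added here as an example rather than taken from Fossilrepo's own `settings.py`. It shows the refuse-to-start check tied to `DEBUG=False`, the three HTTPS flags flipping together, origin lists that carry their scheme, and the reverse-proxy header caveat. The environment variable names (`DJANGO_DEBUG`, `DJANGO_SECRET_KEY`, `DJANGO_ALLOWED_HOSTS`, `SITE_ORIGIN`), the stand-in `ImproperlyConfigured` exception and the minimum key length are assumptions; Django itself is not imported so the file runs anywhere.

```python
"""Production settings assembled from the environment.

Added illustration of the deployment checklist above, not Fossilrepo's
settings module. The variable names DJANGO_DEBUG, DJANGO_SECRET_KEY,
DJANGO_ALLOWED_HOSTS and SITE_ORIGIN, the stand-in ImproperlyConfigured
exception and MIN_SECRET_KEY_LENGTH are assumptions.
"""
from typing import Dict, List, Mapping, Optional
from urllib.parse import urlsplit

# `django-admin startproject` generates 50-character keys; shorter ones are suspect.
MIN_SECRET_KEY_LENGTH = 50


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}


def _split(value: Optional[str]) -> List[str]:
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def validate_env(env: Mapping[str, str]) -> List[str]:
    """Every reason a production (DEBUG=False) start must be refused.

    An empty list means the environment passes the checks from the list above.
    With DEBUG=True nothing is enforced, which is exactly why DEBUG must never
    be on in production.
    """
    if _truthy(env.get("DJANGO_DEBUG")):
        return []
    problems: List[str] = []
    secret = env.get("DJANGO_SECRET_KEY", "")
    if not secret:
        problems.append("DJANGO_SECRET_KEY is not set")
    elif len(secret) < MIN_SECRET_KEY_LENGTH or secret.startswith("django-insecure-"):
        problems.append("DJANGO_SECRET_KEY is too short or is a development key")
    hosts = _split(env.get("DJANGO_ALLOWED_HOSTS"))
    if not hosts or "*" in hosts:
        problems.append("DJANGO_ALLOWED_HOSTS must list only your domain(s)")
    origin = urlsplit(env.get("SITE_ORIGIN", ""))
    if origin.scheme != "https" or not origin.netloc:
        problems.append("SITE_ORIGIN must be an https:// origin")
    return problems


def build_settings(env: Mapping[str, str]) -> Dict[str, object]:
    """Settings dict; raises ImproperlyConfigured rather than starting insecurely."""
    problems = validate_env(env)
    if problems:
        raise ImproperlyConfigured("; ".join(problems))
    debug = _truthy(env.get("DJANGO_DEBUG"))
    origin = env.get("SITE_ORIGIN", "").rstrip("/")
    origins = [origin] if origin else []
    return {
        "DEBUG": debug,
        "SECRET_KEY": env.get("DJANGO_SECRET_KEY") or "dev-only-not-for-production",
        "ALLOWED_HOSTS": _split(env.get("DJANGO_ALLOWED_HOSTS")) or ["localhost", "127.0.0.1"],
        # The three HTTPS flags flip on together with DEBUG=False.
        "SECURE_SSL_REDIRECT": not debug,
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
        "SESSION_COOKIE_HTTPONLY": True,
        # Both lists carry the scheme; Django 4.0+ requires it for CSRF_TRUSTED_ORIGINS.
        "CSRF_TRUSTED_ORIGINS": origins,
        "CORS_ALLOWED_ORIGINS": origins,
        # TLS ends at Caddy/nginx, so Django itself only sees http://. Trusting
        # the proxy's X-Forwarded-Proto stops SECURE_SSL_REDIRECT from looping.
        # Safe only if the proxy overwrites that header on every request so a
        # client-supplied value never reaches Django.
        "SECURE_PROXY_SSL_HEADER": None if debug else ("HTTP_X_FORWARDED_PROTO", "https"),
    }


if __name__ == "__main__":
    import os
    print(build_settings(os.environ))
```

`validate_env` collects every problem instead of stopping at the first, so a bad deployment is reported once with the whole list rather than through a series of restart-and-fix rounds.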