28 changes: 28 additions & 0 deletions SECURITY.md
@@ -0,0 +1,28 @@
# Security Policy

## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| 0.0.9 | ✅ Current release |
| < 0.0.9 | ❌ No longer supported |

## Reporting a Vulnerability

If you discover a security vulnerability in this extension, please report it responsibly by opening a [GitHub issue](https://github.com/soderlind/vscode-phpcbf/issues/new) with the title prefixed `[Security]`. For particularly sensitive vulnerabilities you can instead contact the maintainer directly via GitHub.

We aim to acknowledge reports within **3 business days** and provide a fix or mitigation within **30 days** for confirmed vulnerabilities.

## Security Model

This extension spawns the external `phpcbf` binary as a child process to format PHP files. Its security properties:

- **Process spawning**: The executable path is taken from the VS Code setting `phpcbf.executablePath`. Only the maintainer/administrator who controls workspace settings can alter this path. An attacker who can write to your workspace's `.vscode/settings.json` can point `executablePath` at an arbitrary executable — treat that file accordingly.

- **Temporary files**: The extension writes each formatted document to a randomly-named temp file (in `os.tmpdir()`), runs phpcbf on it, reads the result back, and immediately deletes the temp file. No file content is sent over a network.

- **No network access**: The extension itself makes no outbound network connections. All processing is local.

- **Standard path**: The `phpcbf.standard` and `phpcbf.configSearch` settings control which coding standard phpcbf uses. A malicious `phpcs.xml` file in the workspace could potentially influence phpcbf's behaviour; the same caution applies as with any project-level tool configuration.

In summary, the extension's attack surface is limited to local files and process execution; it has no credentials, no secrets, and no network communication of its own.
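Review bot: the "Reporting a Vulnerability" section directs reporters to open a public GitHub issue titled `[Security]`, which publishes the details before any fix exists; the fallback "contact the maintainer directly via GitHub" names no actual private channel. Suggest replacing the public-issue instruction with a concrete private route, for example GitHub's private vulnerability reporting for the repository or a maintainer e-mail address, and keeping the public tracker only for non-sensitive hardening requests. Two smaller points in the same hunk: under "Process spawning", the sentence "Only the maintainer/administrator who controls workspace settings can alter this path" is contradicted by the next sentence, which correctly states that anyone who can write `.vscode/settings.json` can change `executablePath`; drop the first sentence or reword it to match, and consider mentioning whether the extension restricts that setting in untrusted workspaces (VS Code's Workspace Trust `restrictedConfigurations`) so readers know what protection, if any, exists. In "Supported Versions", the hard-coded `0.0.9` will drift out of date with each release; stating "latest published release" with a link to the releases page keeps the policy accurate without a per-release edit.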