Eyrie-Templates/SECURITY.md
2026-01-06 17:29:10 -06:00


Security Policy (Draft)

Supported versions

  • Until first stable release, only the latest minor/patch is supported.
  • Post-1.0: the last two minor versions receive security fixes.

Reporting a vulnerability

  • Please email security reports to: security@your-domain.example (replace with your contact)
  • Provide a minimal reproduction, affected version, environment details, and impact if possible.
  • We aim to acknowledge within 3 business days and provide a timeline after triage.

Disclosure process

  1. Private triage and fix development.
  2. Coordinated disclosure with reporter; optional CVE request if applicable.
  3. Security release notes summarizing impact, severity, and upgrade guidance.

Secure development guidelines

  • Autoescape by default; minimize use of safe (unescaped output) and review every instance.
  • No dynamic eval; no template-driven file/network access.
  • Validate and normalize template names; prohibit .. traversal and absolute paths unless namespaced.
  • Keep clear separation: helpers/filters are whitelisted and reviewed.
  • Enforce depth/iteration/time and size limits with safe defaults.
  • Prefer exceptions with sanitized messages over warnings or silent failures.
  • Components:
    • Register components explicitly; unregistered components must not be invokable.
    • Treat component props as untrusted input; validate types and ranges before use.
    • Components must not perform filesystem/network access by default and must not mutate outer template context.
    • Cap component recursion/nesting depth to avoid DoS.
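The template-name rule above (normalize names, reject ".." and absolute paths, allow other directories only through a namespace) is the one most often got wrong, so here is a worked implementation. This is an added example, not code from Eyrie-Templates; the "@ns/path" naming convention, the TemplateLocator/TemplateNameError names and the directory layout are assumptions. Names are checked syntactically first, then the resolved path is confirmed to lie inside its root after realpath() has followed any symlinks.

```php
<?php
declare(strict_types=1);

// Added example (not Eyrie-Templates code). Assumed convention: plain names resolve
// under a single root; names prefixed "@ns/" resolve under the directory registered
// for namespace "ns". ".." segments and absolute paths are always rejected.

final class TemplateNameError extends RuntimeException {}

final class TemplateLocator
{
    /** @param array<string,string> $namespaces namespace => directory (assumed layout) */
    public function __construct(private string $root, private array $namespaces = []) {}

    /** Canonical form of a template name; throws TemplateNameError if the name is unsafe. */
    public function normalize(string $name): string
    {
        if ($name === '' || str_contains($name, "\0")) {
            throw new TemplateNameError('template name is empty or contains a NUL byte');
        }
        $name = str_replace('\\', '/', $name);           // treat backslashes as separators

        $ns = null;
        if ($name[0] === '@') {                           // namespaced name: @ns/path
            [$ns, $name] = array_pad(explode('/', substr($name, 1), 2), 2, '');
            if ($ns === '' || $name === '' || !isset($this->namespaces[$ns])) {
                throw new TemplateNameError("unknown or empty namespace in '@$ns'");
            }
        }
        if ($name[0] === '/' || preg_match('~^[A-Za-z]:~', $name) === 1) {
            throw new TemplateNameError('absolute template paths are not allowed');
        }

        $segments = [];
        foreach (explode('/', $name) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;                                 // collapse "//" and "./"
            }
            if ($segment === '..') {
                throw new TemplateNameError('".." traversal is not allowed');
            }
            if (preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $segment) !== 1) {
                throw new TemplateNameError("invalid characters in segment '$segment'");
            }
            $segments[] = $segment;
        }
        if ($segments === []) {
            throw new TemplateNameError('template name has no path segments');
        }
        $clean = implode('/', $segments);
        return $ns === null ? $clean : "@$ns/$clean";
    }

    /** Absolute on-disk path, verified (after symlink resolution) to sit inside its root. */
    public function resolve(string $name): string
    {
        $clean = $this->normalize($name);
        if ($clean[0] === '@') {
            [$ns, $relative] = explode('/', substr($clean, 1), 2);
            $base = $this->namespaces[$ns];
        } else {
            [$base, $relative] = [$this->root, $clean];
        }
        $baseReal = realpath($base);
        $fileReal = realpath($base . DIRECTORY_SEPARATOR . $relative);
        // realpath() follows symlinks, so a link that points outside the root is caught here too.
        if ($baseReal === false || $fileReal === false
            || !str_starts_with($fileReal, $baseReal . DIRECTORY_SEPARATOR)
            || !is_file($fileReal)) {
            throw new TemplateNameError("template '$name' is not a file inside its root");
        }
        return $fileReal;
    }
}

// Usage with constructed names: everything after the first two is rejected before any disk access.
$locator = new TemplateLocator('/srv/app/templates', ['mail' => '/srv/app/mail-templates']);
foreach (['pages/home.html', '@mail/welcome.html', '../../etc/passwd', '/etc/passwd',
          'a\\..\\b', '@unknown/x.html', "x\0.html"] as $candidate) {
    try {
        echo $candidate, ' -> ', $locator->normalize($candidate), PHP_EOL;
    } catch (TemplateNameError $e) {
        echo $candidate, ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The two-stage design matters: normalize() keeps user-controlled names out of the filesystem API entirely until they are in canonical form, and resolve() still checks containment, so a symlink or mount inside the template directory cannot widen what the name check allowed.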
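The Components rules (explicit registration, validated props, no mutation of the outer context, a nesting cap) fit naturally in one small registry, shown here as an added example rather than the project's own component API. The ComponentRegistry/ComponentError names, the prop-schema shape and the renderer signature are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not Eyrie-Templates code). Assumed API: components are registered
// with a prop schema and a renderer closure; the renderer receives a copy of the context.

final class ComponentError extends RuntimeException {}

final class ComponentRegistry
{
    /** @var array<string, array{schema: array<string, array>, render: Closure}> */
    private array $components = [];
    private int $depth = 0;

    public function __construct(private int $maxDepth = 16) {}

    /**
     * Explicit registration only. $schema maps prop name =>
     * ['type' => 'int'|'string'|'bool', 'min' => ?, 'max' => ?, 'maxLength' => ?, 'required' => bool].
     */
    public function register(string $name, array $schema, Closure $render): void
    {
        if (preg_match('/^[a-z][a-z0-9-]*$/', $name) !== 1) {
            throw new ComponentError("invalid component name '$name'");
        }
        $this->components[$name] = ['schema' => $schema, 'render' => $render];
    }

    /** $context is received by value, so the caller's array is never mutated by a component. */
    public function render(string $name, array $props, array $context = []): string
    {
        if (!isset($this->components[$name])) {
            throw new ComponentError("component '$name' is not registered");   // no implicit lookup
        }
        if ($this->depth >= $this->maxDepth) {
            throw new ComponentError("component nesting deeper than {$this->maxDepth}");
        }
        $checked = $this->validateProps($name, $this->components[$name]['schema'], $props);

        $this->depth++;
        try {
            // Nested components call back into this method, so the depth cap applies transitively.
            $out = ($this->components[$name]['render'])($checked, $context, $this);
        } finally {
            $this->depth--;
        }
        return (string) $out;
    }

    /** Rejects unknown props, missing required props, wrong types and out-of-range values. */
    private function validateProps(string $name, array $schema, array $props): array
    {
        foreach (array_keys($props) as $key) {
            if (!isset($schema[$key])) {
                throw new ComponentError("component '$name': unexpected prop '$key'");
            }
        }
        $checked = [];
        foreach ($schema as $key => $rule) {
            if (!array_key_exists($key, $props)) {
                if ($rule['required'] ?? false) {
                    throw new ComponentError("component '$name': missing prop '$key'");
                }
                continue;
            }
            $value = $props[$key];
            $ok = match ($rule['type'] ?? null) {
                'int'    => is_int($value)
                            && $value >= ($rule['min'] ?? PHP_INT_MIN)
                            && $value <= ($rule['max'] ?? PHP_INT_MAX),
                'string' => is_string($value) && strlen($value) <= ($rule['maxLength'] ?? 1024),
                'bool'   => is_bool($value),
                default  => false,
            };
            if (!$ok) {
                throw new ComponentError("component '$name': prop '$key' failed validation");
            }
            $checked[$key] = $value;
        }
        return $checked;
    }
}

// Usage (constructed): an escaping "alert" box and a "tree" component that nests itself.
$registry = new ComponentRegistry(maxDepth: 8);
$registry->register('alert', ['text' => ['type' => 'string', 'maxLength' => 200, 'required' => true]],
    fn(array $p) => '<div class="alert">' . htmlspecialchars($p['text'], ENT_QUOTES, 'UTF-8') . '</div>');
$registry->register('tree', ['levels' => ['type' => 'int', 'min' => 0, 'max' => 100, 'required' => true]],
    fn(array $p, array $ctx, ComponentRegistry $r) =>
        $p['levels'] === 0 ? 'leaf' : '(' . $r->render('tree', ['levels' => $p['levels'] - 1]) . ')');

echo $registry->render('alert', ['text' => '<script>']), PHP_EOL;   // escaped, not executed
echo $registry->render('tree', ['levels' => 3]), PHP_EOL;
try {
    $registry->render('tree', ['levels' => 50]);                     // within schema range, stopped by the depth cap
} catch (ComponentError $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that the range check on a prop and the nesting cap are independent controls: a value can be perfectly valid for the schema and still drive recursion past the limit, which is why the cap lives in render() and is decremented in a finally block so an exception unwinding through nested renders leaves the counter consistent.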

Secrets and sensitive data

  • Do not pass secrets (tokens, passwords) through template contexts unless absolutely necessary; prefer redacted representations.
  • Ensure logs and error messages do not include raw context values in production.

Dependencies and updates

  • Target PHP 8.1+ (finalize at release); use supported versions only.
  • Pin constraints to secure versions; audit dependencies regularly (e.g., composer audit).
  • Security fixes are backported per the Supported versions policy.

Hardening recommendations for deployers

  • Place the cache directory outside the web root with permissions 0700.
  • Run PHP under a least-privilege account; restrict template directories to read-only for the runtime.
  • Disable display of errors in production; enable structured logging.
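The deployer recommendations can be checked at boot rather than trusted. The following is an added example, not part of Eyrie-Templates; the DeploymentPreflight name, the paths and the use of DOCUMENT_ROOT as the web root are assumptions, and the log_errors check stands in as a minimal proxy for "structured logging is enabled".

```php
<?php
declare(strict_types=1);

// Added example (not Eyrie-Templates code). A boot-time check that reports deviations from the
// hardening recommendations above. Paths and the document root below are assumptions.

final class DeploymentPreflight
{
    /** @return list<string> human-readable findings; an empty list means every check passed */
    public static function run(string $cacheDir, string $templateDir, string $documentRoot): array
    {
        $findings = [];

        // Cache directory: must exist, sit outside the web root, be mode 0700 and writable by the runtime.
        $cacheReal = realpath($cacheDir);
        $docReal   = realpath($documentRoot);
        if ($cacheReal === false || !is_dir($cacheReal)) {
            $findings[] = "cache dir '$cacheDir' does not exist";
        } else {
            if ($docReal !== false
                && str_starts_with($cacheReal . DIRECTORY_SEPARATOR, $docReal . DIRECTORY_SEPARATOR)) {
                $findings[] = "cache dir '$cacheReal' is inside the web root '$docReal'";
            }
            $mode = fileperms($cacheReal) & 0777;
            if ($mode !== 0700) {
                $findings[] = sprintf('cache dir mode is %04o, expected 0700', $mode);
            }
            if (!is_writable($cacheReal)) {
                $findings[] = 'cache dir is not writable by the PHP runtime user';
            }
        }

        // Template directory: must exist and be read-only for the account PHP runs as.
        $tplReal = realpath($templateDir);
        if ($tplReal === false || !is_dir($tplReal)) {
            $findings[] = "template dir '$templateDir' does not exist";
        } elseif (is_writable($tplReal)) {
            $findings[] = "template dir '$tplReal' is writable by the runtime; it should be read-only";
        }

        // Error display off, error logging on. display_errors may be "1", "On", "stderr", "stdout", ...
        $display = strtolower(trim((string) ini_get('display_errors')));
        if (!in_array($display, ['', '0', 'off', 'false', 'no'], true)) {
            $findings[] = "display_errors is '$display'; disable it in production";
        }
        $log = strtolower(trim((string) ini_get('log_errors')));
        if (in_array($log, ['', '0', 'off', 'false', 'no'], true)) {
            $findings[] = 'log_errors is disabled; errors would be lost instead of logged';
        }

        // Least privilege: the runtime account must not be root (posix extension, if available).
        if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
            $findings[] = 'PHP is running as root; use a least-privilege service account';
        }
        return $findings;
    }
}

// Usage (constructed paths): run once at startup and refuse to serve, or log loudly, if anything is reported.
$findings = DeploymentPreflight::run(
    cacheDir: '/var/cache/eyrie',
    templateDir: '/srv/app/templates',
    documentRoot: $_SERVER['DOCUMENT_ROOT'] ?? '/srv/app/public',
);
foreach ($findings as $finding) {
    error_log('[preflight] ' . $finding);
}
```

Running this from the same account and SAPI that serves requests matters: is_writable() and posix_geteuid() answer for the current process, so a check run as a developer from the CLI says nothing about the web server's user.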