| Version | Supported |
|---|---|
| 0.5.x | Yes |
| 0.3.x | Security fixes only |
| < 0.3 | No |

If you discover a security vulnerability in viznoir, please report it responsibly:

- Do NOT open a public issue.
- Email [email protected] with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
- You will receive an acknowledgment within 48 hours.
- A fix will be developed and released within 7 days for critical issues.

- Path traversal prevention: `VIZNOIR_DATA_DIR` restricts file access to a configured directory
- Dependency auditing: `pip-audit` runs weekly via CI and on every PR
- Static analysis: CodeQL scans on every push and on a weekly schedule
- Dependency review: License and vulnerability checks on all PRs
- No arbitrary code execution: Pipeline DSL compiles to VTK API calls only (`ProgrammableFilter` is disabled by default and requires `VIZNOIR_ALLOW_PROGRAMMABLE=1`)
- ffmpeg injection prevention: `compose_assets` video export uses the `--` separator to prevent output path injection
- Asset path validation: `compose_assets` validates all file paths against `VIZNOIR_DATA_DIR` and `VIZNOIR_OUTPUT_DIR` boundaries
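The following is an added illustration, not viznoir's own `_validate_file_path`, of the kind of directory-boundary check the policy describes for `VIZNOIR_DATA_DIR`: the function name, exception type and sandbox layout are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

class PathValidationError(ValueError):
    """Raised when a requested path resolves outside the permitted directory."""

def validate_file_path(requested: str, allowed_dir: str) -> Path:
    """Return the resolved path if it lies inside allowed_dir, else raise.

    Both sides are resolved first (symlinks followed, '..' collapsed), so
    traversal sequences and symlinks pointing outside are caught; relative_to()
    replaces a string-prefix test so /data2 is not mistaken for being in /data.
    """
    root = Path(allowed_dir).resolve(strict=True)   # e.g. os.environ["VIZNOIR_DATA_DIR"]
    candidate = Path(requested)
    if not candidate.is_absolute():   # "frames/0001.vti" means root/frames/0001.vti
        candidate = root / candidate
    resolved = candidate.resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise PathValidationError(f"{requested!r} escapes {root}") from None
    return resolved

def demo() -> dict:
    """Constructed sandbox: which common escape attempts does the check reject?"""
    base = Path(tempfile.mkdtemp())
    data = base / "data"
    (data / "frames").mkdir(parents=True)
    (data / "frames" / "0001.vti").write_text("constructed sample")
    (base / "data2").mkdir()
    (base / "secret.txt").write_text("constructed out-of-bounds file")
    (data / "escape").symlink_to(base / "secret.txt")   # symlink pointing out of data/
    attempts = {
        "relative_inside": "frames/0001.vti",
        "absolute_inside": str(data / "frames" / "0001.vti"),
        "dotdot": "frames/../../secret.txt",
        "prefix_sibling": str(base / "data2" / "frames" / "0001.vti"),
        "symlink_escape": "escape",
    }
    results = {}
    for label, req in attempts.items():
        try:
            validate_file_path(req, str(data))
            results[label] = "allowed"
        except PathValidationError:
            results[label] = "rejected"
    return results
```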

The following are in scope for security reports:

- Path traversal bypasses in `_validate_file_path`
- Arbitrary file read/write outside `VIZNOIR_DATA_DIR`
- Denial of service via crafted input files
- Dependency vulnerabilities in production dependencies

Out of scope:
- Issues in development-only dependencies
- Issues requiring physical access to the server
- Social engineering attacks