- Security Overview
- Threat Model
- Security Features
- Known Limitations
- Best Practices
- Vulnerability Reporting
## Security Overview

Todo CLI is designed with a security-first mindset for local, single-user task management. The application follows the principle of least privilege and maintains an air-gapped architecture with no network communication.

Core Security Principles:

- Local-First: All data stays on the user's machine
- No Network: Zero external communication
- Input Validation: All user inputs are validated and sanitized
- File Permissions: Appropriate Unix permissions on data files (0644)
- Minimal Dependencies: Limited attack surface (4 direct dependencies)
- Transparency: Open source for security audits
## Threat Model

```mermaid
graph TB
    subgraph "Protected"
        A[Path Traversal]
        B[Command Injection]
        C[SQL Injection]
        D[Network Attacks]
    end
    subgraph "Partial Protection"
        E[Data at Rest]
        F[Physical Access]
        G[Memory Dumps]
    end
    subgraph "User Responsibility"
        H[Malicious Binary]
        I[Compromised OS]
        J[Backup Security]
    end
    style A fill:#4caf50
    style B fill:#4caf50
    style C fill:#4caf50
    style D fill:#4caf50
    style E fill:#ff9800
    style F fill:#ff9800
    style G fill:#ff9800
    style H fill:#ef5350
    style I fill:#ef5350
    style J fill:#ef5350
```
| Threat Category | Status | Mitigation |
|---|---|---|
| Path Traversal | Protected | Input validation prevents `../` in paths |
| Command Injection | Protected | No shell command execution |
| SQL Injection | Protected | File-based storage, no SQL |
| Network Attacks | Protected | No network communication |
| Data at Rest | Partial | Use OS-level full-disk encryption |
| Physical Access | Partial | Lock workstation, use strong passwords |
| Malicious Binary | User responsibility | Verify checksums, build from source |
| Compromised OS | User responsibility | Keep system updated, use antivirus |
## Security Features

Zero Network Communication - The application never makes network calls, eliminating entire classes of vulnerabilities:

- No data exfiltration risk
- No remote code execution
- No dependency on external services
- Works completely offline
All user inputs are validated before processing:
| Input Type | Validation Applied |
|---|---|
| Task Title | Max 200 chars, no control characters |
| File Paths | Absolute paths only, no ../, within home directory |
| Dates | Validated format, reasonable range (2000-2100) |
| Priority/Status | Enum whitelist validation |
| Tags/Projects | Alphanumeric + symbols, length limits |
Example Validation:

```go
package main

import (
	"errors"
	"strings"
	"unicode"
	"unicode/utf8"
)

// validateTitle enforces the task-title rules from the table above: non-empty,
// at most 200 characters, and no control characters other than newline and tab.
func validateTitle(title string) error {
	if strings.TrimSpace(title) == "" {
		return errors.New("title cannot be empty")
	}
	// Count runes rather than bytes so the 200-character limit also holds
	// for multi-byte UTF-8 titles.
	if utf8.RuneCountInString(title) > 200 {
		return errors.New("title too long")
	}
	// Check for control characters
	for _, r := range title {
		if unicode.IsControl(r) && r != '\n' && r != '\t' {
			return errors.New("invalid characters")
		}
	}
	return nil
}
```

Secure Defaults:

```text
# Data directory permissions
~/.todo-cli/          # drwxr-xr-x (0755)
  tasks.json          # -rw-r--r-- (0644)
  backups/            # drwxr-xr-x (0755)
    backup_*.json     # -rw-r--r-- (0644)
```

Path Sanitization:
- All paths resolved to absolute
- Restricted to the `~/.todo-cli/` directory
- No path traversal allowed
- Atomic file writes for data integrity
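The path rules above, as an added Go example that is not part of Todo CLI's own code: `resolveDataPath` confines every file name to the data directory (assumed here to be `~/.todo-cli`) and rejects anything that would escape it, and `writeAtomic` shows the temp-file-plus-rename pattern behind "atomic file writes". Both function names are this example's own.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// resolveDataPath makes name absolute and guarantees it stays inside dataDir (e.g.
// ~/.todo-cli): relative names are rooted there, absolute ones pass only if already
// inside. Lexical check only (symlinks not followed); Rel also rejects ~/.todo-cli-evil.
func resolveDataPath(dataDir, name string) (string, error) {
	base, err := filepath.Abs(dataDir)
	if err != nil {
		return "", err
	}
	full := filepath.Clean(name) // collapses "a/../b" and trailing separators
	if !filepath.IsAbs(full) {
		full = filepath.Join(base, full)
	}
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes data directory: " + name)
	}
	return full, nil
}

// writeAtomic replaces path with data without exposing a half-written file: temp
// file in the same dir, fsync, then an atomic rename over the target (POSIX).
func writeAtomic(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tasks-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Chmod(tmp.Name(), perm) // CreateTemp used 0600; the doc lists 0644
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}
```

A name such as `backups/../tasks.json` is cleaned and accepted because it still lands inside the data directory, while `../tasks.json` or an absolute path elsewhere is refused before any file is touched.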
Only 4 direct dependencies from trusted sources:

- `spf13/cobra` - CLI framework (used by kubectl, Hugo)
- `fatih/color` - Terminal colors
- `manifoldco/promptui` - Interactive prompts
- `gopkg.in/yaml.v3` - YAML parser

All dependencies are version-pinned in go.mod with checksums in go.sum.
## Known Limitations

| Limitation | Impact | Mitigation |
|---|---|---|
| Unencrypted Data at Rest | Medium | Use OS full-disk encryption (FileVault/BitLocker/LUKS) |
| Terminal History Exposure | Low | Use `export HISTIGNORE="todo*"` or a leading space in commands |
| No Access Logging | Low | Single-user design; use OS-level auditing if needed |
| Memory Dumps | Low | Avoid running on untrusted/shared systems |
| No Multi-User Support | N/A | Designed for single-user use |
Recommended Mitigations:

```bash
# Enable full-disk encryption
# macOS: sudo fdesetup enable
# Linux: Use LUKS during installation
# Windows: Enable BitLocker

# Prevent command history leakage
export HISTIGNORE="todo*"

# Restrict data directory access
chmod 700 ~/.todo-cli
```

## Best Practices

Data Security:

```bash
# Restrict access to data directory
chmod 700 ~/.todo-cli

# Encrypt backups for external storage
tar czf - ~/.todo-cli/backups | \
  gpg -c > todo-backups-$(date +%Y%m%d).tar.gz.gpg
```

Task Content:

- Use code names for sensitive projects
- Be mindful when sharing screen
- Don't store passwords or API keys
- Avoid highly sensitive personal data without encryption
Secure Coding Checklist:
- All user inputs validated
- File paths sanitized
- No shell command execution
- Errors don't leak sensitive info
- Dependencies kept up to date
- Appropriate file permissions set
Security Testing:

```bash
# Static analysis
go vet ./...
staticcheck ./...

# Dependency vulnerabilities
go list -json -m all | nancy sleuth

# Build with security flags
go build -race -buildmode=pie
```

## Vulnerability Reporting

If you discover a security vulnerability:
- DO NOT open a public GitHub issue
- Email: gouranga.samrat@gmail.com
- Include:
  - Description of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response Timeline:
- 24 hours: Initial acknowledgment
- 72 hours: Preliminary assessment
- 7 days: Detailed response with timeline
- 30 days: Fix released (critical issues)
We follow responsible disclosure - vulnerabilities are fixed privately before public disclosure.
Todo CLI Security Strengths:

- Air-gapped (no network)
- Input validation throughout
- Minimal dependencies
- Secure file permissions
- Open source & auditable

User Responsibilities:

- Enable OS-level encryption
- Secure backup storage
- Keep dependencies updated
- Follow security best practices

Remember: Security is a shared responsibility between the application and its users.

Last Updated: 2024-03-12
Security Contact: gouranga.samrat@com