This document outlines security practices and guidelines for developing and maintaining the ContextShare VS Code extension.
- Multiple layers of security controls
- Input validation at all boundaries
- Principle of least privilege
- Fail securely by default
- Security considerations integrated from the start
- Threat modeling for new features
- Regular security reviews
- Automated security testing
Input Validation:
- Validate all user inputs (file paths, URLs, configuration)
- Sanitize filenames and paths to prevent directory traversal
- Validate remote URLs are HTTPS-only for catalog sources
- Use path normalization functions consistently
Output Encoding:
- Sanitize data before display in VS Code UI
- Escape special characters in generated files
- Use parameterized queries if database access is added
Error Handling:
- Don't expose internal paths or sensitive info in error messages
- Log security events appropriately
- Handle exceptions gracefully without information disclosure
Path Traversal Prevention:
// Good: Validate paths are within expected directories
const safePath = path.resolve(baseDir, userInput);
if (!safePath.startsWith(path.resolve(baseDir))) {
throw new Error('Invalid path');
}
// Bad: Direct user input to file system
fs.readFile(userInput); // Vulnerable to ../../../etc/passwdSafe File Operations:
- Always use absolute paths for file operations
- Validate file extensions and MIME types
- Set appropriate file permissions
- Clean up temporary files
HTTPS-Only Policy:
- All remote catalog sources must use HTTPS
- Reject HTTP URLs in configuration
- Validate SSL certificates
Content Validation:
- Validate JSON structure of remote catalogs
- Sanitize remote content before processing
- Implement size limits for remote content
- Cache with TTL to limit remote requests
- API keys, tokens, passwords
- Database connection strings
- Private keys or certificates
- Internal URLs or service endpoints
- Personal information
// Good: Environment-based configuration
const apiKey = process.env.API_KEY;
if (!apiKey) {
throw new Error('API_KEY environment variable required');
}
// Bad: Hardcoded secrets
const apiKey = 'sk-1234567890abcdef'; // Never do this!- Use .env files for local development (add to .gitignore)
- Use VS Code settings for non-sensitive configuration
- Document required environment variables in README
# Run security audit
npm run security:audit
# Check for secrets
npm run security:scan
# License compliance
npm run license:check
# Full compliance check
npm run compliance:check- Input validation for all user-controlled data
- Path traversal prevention
- HTTPS enforcement for remote sources
- No hardcoded secrets or credentials
- Proper error handling without information disclosure
- File permissions and cleanup
- Dependencies are up-to-date and secure
- Keep dependencies updated regularly
- Monitor for security advisories
- Use
npm auditto identify vulnerabilities - Review dependency licenses for compliance
// package.json security configurations
{
"engines": {
"node": ">=18.0.0",
"vscode": "^1.90.0"
},
"scripts": {
"security:audit": "npm audit --audit-level=moderate",
"security:audit:fix": "npm audit fix"
}
}- Security vulnerability scanning on every build
- License compliance checking
- Secret scanning in commits
- Static code analysis
- Monitor extension telemetry for anomalies (if added)
- Log security events appropriately
- Rate limiting for remote requests
- Resource usage monitoring
-
Immediate Response:
- Document the issue privately
- Assess impact and scope
- Implement temporary mitigations if needed
-
Coordination:
- Follow Microsoft security disclosure policy
- Coordinate with security team if internal
- Prepare patches and security updates
-
Communication:
- Use SECURITY.md for reporting process
- Prepare security advisories for significant issues
- Update affected users through appropriate channels
- Report via SECURITY.md process
- Include reproduction steps
- Provide impact assessment
- Suggest potential mitigations
Before releasing new versions:
- Security audit passes without critical/high issues
- License compliance check passes
- No secrets or credentials in code
- Input validation tested
- Remote content handling secure
- Error handling doesn't leak info
- Dependencies updated and secure
- Security documentation updated
- Microsoft Security Development Lifecycle
- OWASP Secure Coding Practices
- VS Code Extension Security Guidelines
- Node.js Security Best Practices
Remember: Security is everyone's responsibility. When in doubt, ask for a security review!