| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We release patches for security vulnerabilities. Currently supported versions: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 1.0.x | :white_check_mark: | |
| 10 | +| < 1.0 | :x: | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +If you discover a security vulnerability in this project, please report it by emailing **Naor.tedgi@gmail.com**. |
| 15 | + |
| 16 | +Please include the following information in your report: |
| 17 | + |
| 18 | +- A description of the vulnerability |
| 19 | +- Steps to reproduce the issue |
| 20 | +- Potential impact of the vulnerability |
| 21 | +- Any suggested fixes (if applicable) |
| 22 | + |
| 23 | +**Please do not open a public issue for security vulnerabilities.** |
| 24 | + |
| 25 | +We will acknowledge your email within 48 hours and aim to provide a detailed response within 5 business days. We will keep you informed about our progress throughout the resolution process. |
| 26 | + |
| 27 | +## Security Best Practices |
| 28 | + |
| 29 | +When using `express-body-parser-error-handler`, please follow these security best practices: |
| 30 | + |
| 31 | +### 1. Configure Appropriate Body Size Limits |
| 32 | + |
| 33 | +Always set reasonable size limits for body-parser to prevent denial-of-service attacks: |
| 34 | + |
| 35 | +```js |
| 36 | +const { urlencoded, json } = require('body-parser'); |
| 37 | +const bodyParserErrorHandler = require('express-body-parser-error-handler'); |
| 38 | + |
| 39 | +// Set appropriate limits based on your application needs |
| 40 | +app.use(urlencoded({ extended: false, limit: '100kb' })); |
| 41 | +app.use(json({ limit: '100kb' })); |
| 42 | +app.use(bodyParserErrorHandler()); |
| 43 | +``` |
| 44 | + |
| 45 | +### 2. Avoid Exposing Sensitive Error Information |
| 46 | + |
| 47 | +The default error handler provides detailed error messages. In production, consider customizing error messages to avoid exposing sensitive information: |
| 48 | + |
| 49 | +```js |
| 50 | +app.use(bodyParserErrorHandler({ |
| 51 | + errorMessage: (err) => { |
| 52 | + if (process.env.NODE_ENV === 'production') { |
| 53 | + return 'Invalid request body'; |
| 54 | + } |
| 55 | + return `Body Parser failed to parse request --> ${err.message}`; |
| 56 | + } |
| 57 | +})); |
| 58 | +``` |
| 59 | + |
| 60 | +### 3. Log Security Events |
| 61 | + |
| 62 | +Use the `onError` callback to log security-relevant events for monitoring: |
| 63 | + |
| 64 | +```js |
| 65 | +app.use(bodyParserErrorHandler({ |
| 66 | + onError: (err, req, res, next) => { |
| 67 | + // Log the error for security monitoring |
| 68 | + console.error('Body parser error:', { |
| 69 | + type: err.type, |
| 70 | + ip: req.ip, |
| 71 | + path: req.path, |
| 72 | + timestamp: new Date().toISOString() |
| 73 | + }); |
| 74 | + } |
| 75 | +})); |
| 76 | +``` |
| 77 | + |
| 78 | +### 4. Keep Dependencies Updated |
| 79 | + |
| 80 | +Regularly update this package and its dependencies to ensure you have the latest security patches: |
| 81 | + |
| 82 | +```sh |
| 83 | +npm update express-body-parser-error-handler |
| 84 | +``` |
| 85 | + |
| 86 | +### 5. Input Validation |
| 87 | + |
| 88 | +This middleware handles body-parser errors, but you should still implement additional input validation for your application logic to ensure data integrity and security. |
| 89 | + |
| 90 | +## Disclosure Policy |
| 91 | + |
| 92 | +When we receive a security vulnerability report, we will: |
| 93 | + |
| 94 | +1. Confirm the vulnerability and determine its impact |
| 95 | +2. Develop and test a fix |
| 96 | +3. Release a patch as soon as possible |
| 97 | +4. Credit the reporter (unless they wish to remain anonymous) |
| 98 | +5. Publish a security advisory on GitHub |
| 99 | + |
| 100 | +## Comments on This Policy |
| 101 | + |
| 102 | +If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss. |
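Review bot: the `onError` example in section 3 accepts `(err, req, res, next)` but neither sends a response nor calls `next()`, and the text around it does not say whether the handler still sends its own error response once the callback returns, so a reader cannot tell from this page whether the request would hang; state the contract explicitly next to the snippet (for example, that the handler still responds with the configured status and message after `onError` returns, if that is the behaviour). Two smaller points in the same section: `req.ip` is the proxy's address unless Express `trust proxy` is configured, which matters for the security-monitoring use the text describes and deserves a sentence, and none of the `js` snippets show `const app = express();`, so they are not runnable as pasted.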