You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: add security assessment to SECURITY.md (#70)
## Summary
Adds a Security Assessment section to SECURITY.md documenting the six
most likely and impactful threats for this project, along with existing
mitigations for each:
1. API credential exposure (HIGH)
2. Unintended write operations (HIGH)
3. Prompt injection via BookStack content (MEDIUM)
4. Insecure transport (MEDIUM)
5. Supply chain compromise (MEDIUM)
6. SSRF via BOOKSTACK_BASE_URL (LOW)
Satisfies OSPS-SA-03.01 — the project must perform a security assessment
to understand the most likely and impactful potential security problems.
## Test plan
- [ ] SECURITY.md renders correctly on GitHub
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com>
Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>
Copy file name to clipboardExpand all lines: SECURITY.md
+59Lines changed: 59 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,6 +9,65 @@ Only the latest release is actively maintained with security updates.
9
9
| 2.5.x | yes |
10
10
| < 2.5 | no |
11
11
12
+
## Security Assessment
13
+
14
+
This section documents the most likely and impactful security risks for this project.
15
+
16
+
### 1. API credential exposure (HIGH)
17
+
18
+
**Risk:**`BOOKSTACK_TOKEN_ID` and `BOOKSTACK_TOKEN_SECRET` grant full API access to the BookStack instance. If leaked — via environment variable logging, process listings, config files committed to git, or container inspection — an attacker gains complete read/write access to BookStack.
19
+
20
+
**Mitigations:**
21
+
- Tokens are read from environment variables only; never hardcoded or logged
22
+
-`.env` is listed in `.gitignore`
23
+
- CI/CD uses no manually stored secrets (`GITHUB_TOKEN` is auto-provisioned per run)
24
+
- README advises HTTPS, dedicated users with limited permissions, and regular token rotation
25
+
26
+
### 2. Unintended write operations (HIGH)
27
+
28
+
**Risk:** Write tools (create/update/delete for books, pages, chapters, etc.) could be invoked by a malicious prompt, a confused AI model, or misconfiguration, causing data loss or corruption in BookStack.
29
+
30
+
**Mitigations:**
31
+
- Write tools are not registered unless `BOOKSTACK_ENABLE_WRITE=true` is explicitly set
32
+
- Write operations are disabled by default; the server exposes only read tools in the default configuration
33
+
34
+
### 3. Prompt injection via BookStack content (MEDIUM)
35
+
36
+
**Risk:** BookStack pages returned to the MCP client could contain adversarial instructions designed to manipulate the AI model into taking unintended actions (e.g. exfiltrating content, invoking write tools).
37
+
38
+
**Mitigations:**
39
+
- The MCP server is a passive relay; it does not interpret or act on page content itself
- Operators should use a BookStack API user scoped to the minimum required permissions
42
+
43
+
### 4. Insecure transport (MEDIUM)
44
+
45
+
**Risk:** If BookStack is accessed over plain HTTP, API tokens and content are transmitted in cleartext and vulnerable to interception.
46
+
47
+
**Mitigations:**
48
+
- README advises using HTTPS for all production BookStack instances
49
+
- No enforcement at the server level; operators are responsible for BookStack TLS configuration
50
+
51
+
### 5. Supply chain compromise (MEDIUM)
52
+
53
+
**Risk:** A compromised npm dependency or GitHub Action could inject malicious code into the build or runtime.
54
+
55
+
**Mitigations:**
56
+
- All GitHub Actions are pinned to exact commit SHAs
57
+
-`npm audit` runs on every CI build and fails on high/critical vulnerabilities
58
+
- OSV Scanner and Trivy scan dependencies and the Docker image on every build
59
+
- Dependabot opens weekly PRs for outdated packages and the Docker base image
60
+
- SLSA Level 2 provenance attestation on every released Docker image
61
+
-`npm ci` used in all builds to enforce the lock file
62
+
63
+
### 6. Server-Side Request Forgery via BOOKSTACK_BASE_URL (LOW)
64
+
65
+
**Risk:** If an operator sets `BOOKSTACK_BASE_URL` to an internal network address, the server could be used to probe or interact with internal services.
66
+
67
+
**Mitigations:**
68
+
-`BOOKSTACK_BASE_URL` is operator-supplied at deployment time; it is not accepted from end users or MCP clients
69
+
- Operators are responsible for ensuring the URL points to a legitimate BookStack instance
70
+
12
71
## Reporting a Vulnerability
13
72
14
73
Please do **not** open a public GitHub issue for security vulnerabilities.
0 commit comments