Skip to content

Commit 69e15e2

Browse files
authored
docs: add security assessment to SECURITY.md (#70)
## Summary Adds a Security Assessment section to SECURITY.md documenting the six most likely and impactful threats for this project, along with existing mitigations for each: 1. API credential exposure (HIGH) 2. Unintended write operations (HIGH) 3. Prompt injection via BookStack content (MEDIUM) 4. Insecure transport (MEDIUM) 5. Supply chain compromise (MEDIUM) 6. SSRF via BOOKSTACK_BASE_URL (LOW) Satisfies OSPS-SA-03.01 — the project must perform a security assessment to understand the most likely and impactful potential security problems. ## Test plan - [ ] SECURITY.md renders correctly on GitHub 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>
1 parent 2f36d91 commit 69e15e2

1 file changed

Lines changed: 59 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,65 @@ Only the latest release is actively maintained with security updates.
99
| 2.5.x | yes |
1010
| < 2.5 | no |
1111

12+
## Security Assessment
13+
14+
This section documents the most likely and impactful security risks for this project.
15+
16+
### 1. API credential exposure (HIGH)
17+
18+
**Risk:** `BOOKSTACK_TOKEN_ID` and `BOOKSTACK_TOKEN_SECRET` grant full API access to the BookStack instance. If leaked — via environment variable logging, process listings, config files committed to git, or container inspection — an attacker gains complete read/write access to BookStack.
19+
20+
**Mitigations:**
21+
- Tokens are read from environment variables only; never hardcoded or logged
22+
- `.env` is listed in `.gitignore`
23+
- CI/CD uses no manually stored secrets (`GITHUB_TOKEN` is auto-provisioned per run)
24+
- README advises HTTPS, dedicated users with limited permissions, and regular token rotation
25+
26+
### 2. Unintended write operations (HIGH)
27+
28+
**Risk:** Write tools (create/update/delete for books, pages, chapters, etc.) could be invoked by a malicious prompt, a confused AI model, or misconfiguration, causing data loss or corruption in BookStack.
29+
30+
**Mitigations:**
31+
- Write tools are not registered unless `BOOKSTACK_ENABLE_WRITE=true` is explicitly set
32+
- Write operations are disabled by default; the server exposes only read tools in the default configuration
33+
34+
### 3. Prompt injection via BookStack content (MEDIUM)
35+
36+
**Risk:** BookStack pages returned to the MCP client could contain adversarial instructions designed to manipulate the AI model into taking unintended actions (e.g. exfiltrating content, invoking write tools).
37+
38+
**Mitigations:**
39+
- The MCP server is a passive relay; it does not interpret or act on page content itself
40+
- Write operations require explicit opt-in (`BOOKSTACK_ENABLE_WRITE=true`), limiting the blast radius
41+
- Operators should use a BookStack API user scoped to the minimum required permissions
42+
43+
### 4. Insecure transport (MEDIUM)
44+
45+
**Risk:** If BookStack is accessed over plain HTTP, API tokens and content are transmitted in cleartext and vulnerable to interception.
46+
47+
**Mitigations:**
48+
- README advises using HTTPS for all production BookStack instances
49+
- No enforcement at the server level; operators are responsible for BookStack TLS configuration
50+
51+
### 5. Supply chain compromise (MEDIUM)
52+
53+
**Risk:** A compromised npm dependency or GitHub Action could inject malicious code into the build or runtime.
54+
55+
**Mitigations:**
56+
- All GitHub Actions are pinned to exact commit SHAs
57+
- `npm audit` runs on every CI build and fails on high/critical vulnerabilities
58+
- OSV Scanner and Trivy scan dependencies and the Docker image on every build
59+
- Dependabot opens weekly PRs for outdated packages and the Docker base image
60+
- SLSA Level 2 provenance attestation on every released Docker image
61+
- `npm ci` used in all builds to enforce the lock file
62+
63+
### 6. Server-Side Request Forgery via BOOKSTACK_BASE_URL (LOW)
64+
65+
**Risk:** If an operator sets `BOOKSTACK_BASE_URL` to an internal network address, the server could be used to probe or interact with internal services.
66+
67+
**Mitigations:**
68+
- `BOOKSTACK_BASE_URL` is operator-supplied at deployment time; it is not accepted from end users or MCP clients
69+
- Operators are responsible for ensuring the URL points to a legitimate BookStack instance
70+
1271
## Reporting a Vulnerability
1372

1473
Please do **not** open a public GitHub issue for security vulnerabilities.

0 commit comments

Comments
 (0)