Add STRIDE threat model to security docs#9562
Merged
aclark4life merged 14 commits intomainfrom Apr 22, 2026
Merged
Conversation
- Update .github/SECURITY.md with threat model summary and link to handbook - Add docs/handbook/security.rst with full STRIDE analysis (14 threats across Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege categories) - Add prioritised mitigation recommendations - Link security.rst into the handbook toctree Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a STRIDE-based threat model to the Pillow security documentation and links it from the handbook and GitHub Security Policy to help downstream integrators assess and mitigate risks when processing untrusted images.
Changes:
- Introduces a new
docs/handbook/security.rstpage with STRIDE threats and prioritized mitigations. - Adds the security page to the handbook
toctree. - Updates
.github/SECURITY.mdwith a threat model summary and link to the handbook page.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| docs/handbook/security.rst | New STRIDE threat model and prioritized mitigation recommendations. |
| docs/handbook/index.rst | Links the new security page into the handbook navigation. |
| .github/SECURITY.md | Adds a threat model summary and links to the full handbook page. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
radarhere
reviewed
Apr 15, 2026
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- docs/handbook/security.rst - .github/SECURITY.md Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
radarhere
reviewed
Apr 16, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
radarhere
reviewed
Apr 21, 2026
| ┌──────────────────────────────────────────┐ | ||
| │ C libraries (bundled or system) │ | ||
| │ libjpeg · libpng · libtiff · libwebp │ | ||
| │ openjpeg · freetype · littlecms │ |
Member
There was a problem hiding this comment.
I'm going to be a little picky and suggest littlecms2, rather than littlecms.
If this is intended to be a complete list, then it is missing libimagequant, libraqm, harfbuzz, fribidi, libavif, libxcb and zlib(-ng).
If it's not intended to be a complete list, then I question if libpng should here - it's something that's used by other dependencies, not by used by us directly, so it's not a top tier dependency.
Member
Author
There was a problem hiding this comment.
I'm not sure if it's intended to be a complete list and is littlecms2 a newer version of littlecms?
Member
Author
There was a problem hiding this comment.
Let's go with not intended to be a complete list.
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
| **T-3 — Supply chain tampering** | ||
|
|
||
| Pre-compiled wheels bundle libjpeg-turbo, libpng, libtiff, libwebp, openjpeg, | ||
| freetype, and littlecms. A compromised PyPI release or build pipeline could |
Member
There was a problem hiding this comment.
Again, this is not a complete list.
radarhere
reviewed
Apr 21, 2026
| *Mitigations:* pin with hash verification (``pip install --require-hashes``); | ||
| monitor `Pillow security advisories | ||
| <https://github.com/python-pillow/Pillow/security/advisories>`_; use | ||
| Dependabot or OSV-Scanner for bundled C library CVEs. |
Member
There was a problem hiding this comment.
Is this document aimed at users? This is mitigation advice for us.
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
radarhere
reviewed
Apr 21, 2026
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
- Add image.getexif() alongside image._getexif() in T-1 mitigations - Remove 'appended bytes' from T-2 (Pillow does not preserve them on resave) - Reframe R-1 threat as user-facing (not Pillow dev advice); add DecompressionBombError to the log/alert list - Add blank line before E-3 heading - Qualify dependency list in recommendation #4 as non-exhaustive Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
Member
Author
|
RST does not allow inline markup (backticks) nested inside bold markers. Remove backticks from the E-3 and E-4 heading text so they render correctly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
radarhere
reviewed
Apr 22, 2026
radarhere
reviewed
Apr 22, 2026
radarhere
reviewed
Apr 22, 2026
radarhere
reviewed
Apr 22, 2026
radarhere
approved these changes
Apr 22, 2026
Co-authored-by: Andrew Murray <3112309+radarhere@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR docs: https://pillow--9562.org.readthedocs.build/en/9562/handbook/security.html
Changes proposed in this pull request: