From 92a50af5ed7c3eaf7b209fd8ad6b098512902fc9 Mon Sep 17 00:00:00 2001 From: James Feng <47167674+GhostDragon124@users.noreply.github.com> Date: Wed, 3 Jun 2026 19:51:37 +0800 Subject: [PATCH] docs: update SECURITY.md with Phase 4 completion --- SECURITY.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5b7aef5a2..b0cfd0360 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -19,12 +19,17 @@ Only the `main` branch receives security updates. No release tags are maintained | Area | Status | |------|--------| -| Credential redaction in logs | Addressed (#38-40) | -| Remote control default bind (0.0.0.0 → 127.0.0.1) | Addressed (#64) | -| Shell injection via headersHelper | Addressed (#36) | -| URL substring validation bypass | Addressed (#41-43) | -| HTML stripping fragility | Addressed (#18-24) | +| Credential redaction in logs | ✅ Phase 1 | +| Remote control default bind (0.0.0.0 → 127.0.0.1) | ✅ Phase 1 | +| Shell injection via headersHelper | ✅ Phase 3 | +| URL substring validation bypass | ✅ Phase 3 | +| HTML stripping fragility | ✅ Phase 3 + Phase 4 | +| **Command injection (which, imagePaste, exec wrappers)** | ✅ Phase 4 | +| **ReDoS in debugFilter regex** | ✅ Phase 4 | +| **Sanitization bypass (stripHtml, claudemd, sedEditParser, bingAdapter)** | ✅ Phase 4 | +| **Clear-text logging in MCP handler** | ✅ Phase 4 | | BashTool shell execution | **By design** — BashTool's job is to run shell commands. Do not report shell metacharacter usage as a vulnerability. | +| Teleport / bridge / feature-flagged modules | Out of scope — not enabled in this fork. CodeQL alerts in these modules are accepted risk. | | Decompilation artifacts (unused variables, dead code) | Out of scope — these are expected in reverse-engineered code. | | Docker sandbox escape (`bwrap`) | In scope — report via advisory. | @@ -33,3 +38,7 @@ Only the `main` branch receives security updates. No release tags are maintained Code scanning runs on every push to `main` via `codeql.yml` (security-extended suite). Quality-only rules are dismissed as decompilation artifacts. Security alerts are triaged and addressed per the above scope. + +**Current baseline:** 187 open alerts (down from 199 after Phase 1-4). Remaining +open alerts are predominantly in feature-flagged modules (teleport, bridge, ACP, +computer-use) that are not enabled in this fork. Core-path alerts are all addressed.