# Security Policy
This document outlines the security policy for `bare-script`, including supported versions, vulnerability reporting, and security practices.
## Supported Versions
Security updates are provided for the following versions:
| Version | Supported | End of Support |
|---------|-----------|----------------|
| 0.1.x | ✅ Active | Not scheduled |
| < 0.1.0 | ❌ No | N/A |
**Note**: As a pre-1.0 project, we recommend always using the latest version to receive security updates.
## Reporting a Vulnerability
If you discover a security vulnerability, please report it **privately** rather than creating a public issue. Responsible disclosure helps protect users while we develop a fix.
### How to Report
**Preferred Method** (Fastest response):
1. Open a [GitHub Security Advisory](https://github.com/bare-rs/bare-script/security/advisories/new)
2. Provide detailed information (see below)
3. Allow time for investigation before public disclosure
**Alternative Method**:
- Private GitHub Discussion: open a new private Discussion with the `security` label
- Note: Response time may be longer via this method
### Required Information
Please include:
1. **Description**: Clear explanation of the vulnerability
2. **Impact Assessment**: What can an attacker achieve?
3. **Affected Versions**: Which versions are vulnerable?
4. **Reproduction Steps**: Minimal code demonstrating the issue
5. **Proposed Fix**: If you have suggestions (optional)
6. **Your Contact**: For coordination (optional)
### Response Timeline
| Stage | Timeline | Action |
|-------|----------|--------|
| Acknowledgment | Within 48 hours | Confirm receipt of report |
| Initial Assessment | Within 7 days | Determine validity and severity |
| Fix Development | Varies | Develop and test patch |
| Disclosure Coordination | Before release | Agree on timeline with reporter |
| Public Disclosure | After release | Publish advisory |
### Security Response Process
1. **Receive**: Security team receives report via private channel
2. **Assess**: Validate and assess severity (CVSS scoring)
3. **Develop**: Create and test fix
4. **Coordinate**: Plan disclosure timeline with reporter
5. **Release**: Publish fix and security advisory
6. **Disclose**: Public announcement after fix is available
## Security Features
This project incorporates the following security measures:
### Memory Safety
- **Zero Unsafe Code**: `#![deny(unsafe_code)]` enforced
- **Rust Ownership**: Compiler-enforced memory safety
- **No Undefined Behavior**: Guaranteed by safe Rust subset
### Command Execution Security
- **No Shell Injection**: Arguments passed directly to process, not through shell
- **Environment Isolation**: Can clear or remove environment variables
- **Working Directory Control**: Explicit control over execution directory
- **Timeout Support**: Prevents hanging processes
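As an added illustration of the four properties above (example code, not bare-script's own API): a hypothetical `run_isolated` helper on `std::process::Command` that passes arguments as argv entries, replaces the inherited environment with an explicit allow-list, pins the working directory, and kills the child at a wall-clock deadline.

```rust
use std::io;
use std::path::Path;
use std::process::{Command, Output, Stdio};
use std::thread;
use std::time::{Duration, Instant};

#[derive(Debug)]
pub enum RunError {
    Spawn(io::Error),
    Timeout,
}

/// Hypothetical helper for this policy page, not bare-script's own API.
/// `args` are argv entries (never re-parsed by a shell), `env` is the complete
/// environment the child sees, `cwd` is pinned, and `timeout` is a hard limit.
pub fn run_isolated(
    program: &str,
    args: &[&str],
    env: &[(&str, &str)],
    cwd: &Path,
    timeout: Duration,
) -> Result<Output, RunError> {
    let mut child = Command::new(program)
        .args(args) // one argv entry per element; metacharacters stay literal
        .env_clear() // drop everything inherited, then add the allow-list
        .envs(env.iter().copied())
        .current_dir(cwd)
        .stdin(Stdio::null())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .spawn()
        .map_err(RunError::Spawn)?;

    // Poll rather than block in wait(): a child that never exits (or that
    // fills its stdout pipe and stalls) is killed and reaped at the deadline.
    let deadline = Instant::now() + timeout;
    loop {
        match child.try_wait().map_err(RunError::Spawn)? {
            Some(_) => return child.wait_with_output().map_err(RunError::Spawn),
            None if Instant::now() >= deadline => {
                let _ = child.kill();
                let _ = child.wait(); // reap so no zombie is left behind
                return Err(RunError::Timeout);
            }
            None => thread::sleep(Duration::from_millis(10)),
        }
    }
}
```

Because the environment is cleared, callers must supply `PATH` themselves if `program` is not an absolute path.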
### Supply Chain Security
- **Minimal Dependencies**: Reduces attack surface
- **Pinning**: Lockfile for reproducible builds
- **Auditing**: Regular `cargo-audit` checks recommended
## Security Best Practices
### For Users
1. **Keep Updated**: Use the latest version
2. **Validate Input**: Even with type safety, validate at system boundaries
3. **Audit Dependencies**: Run `cargo-audit` regularly
```bash
# Install cargo-audit
cargo install cargo-audit
# Audit dependencies
cargo audit
```
### For Contributors
1. **No Unsafe Code**: Never use `unsafe` blocks
2. **Validate Early**: Parse and validate at construction time
3. **Document Assumptions**: Security-critical code needs comments
4. **Test Edge Cases**: Security bugs often hide in edge cases
5. **Review Carefully**: Security-related changes need extra review
### For AI Contributors
**Security-Sensitive Code** (requires human review):
- Input validation logic
- Error handling paths
- Command execution paths
- Any code dealing with process creation
**AI Guidelines**:
- Flag any code that handles untrusted input
- Note when validation rules have edge cases
- Ask for human review on security-relevant changes
- Never assume command arguments are safe
## Security Checklist for Releases
Before each release, verify:
- [ ] `cargo audit` shows no vulnerabilities
- [ ] All dependencies up to date
- [ ] No new `unsafe` code introduced
- [ ] Security tests pass
- [ ] Documentation accurately describes security properties
- [ ] CHANGELOG mentions any security-relevant changes
## Vulnerability Disclosure Policy
### Our Commitment
- We will acknowledge receipt within 48 hours
- We will provide regular updates on our progress
- We will credit researchers (with their permission)
- We will fix valid vulnerabilities in a timely manner
- We will not take legal action against good-faith researchers
### Disclosure Timeline
**Standard Timeline** (for most vulnerabilities):
- Report received: Day 0
- Fix released: Within 90 days
- Public disclosure: Within 7 days of fix release
**Expedited Timeline** (for critical vulnerabilities):
- Report received: Day 0
- Fix released: Within 30 days
- Public disclosure: Within 3 days of fix release
### Coordination with Reporter
We will:
- Keep reporter informed of progress
- Share proposed fix for validation
- Coordinate disclosure timing
- Offer credit in advisory (if desired)
## Security-Related Configuration
### Cargo.toml Settings
```toml
[package]
edition = "2024"
rust-version = "1.85.0"
[lints.rust]
unsafe_code = "forbid"
```
### CI Security Checks
Recommended CI pipeline:
```yaml
jobs:
  security-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Audit dependencies against the RustSec advisory database
      - name: cargo-audit
        uses: rustsec/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      # Check for unsafe code: the build fails under the forbid lint, and the
      # grep fails the job if neither the crate-level attribute nor the
      # Cargo.toml lint is present
      - name: Check unsafe
        run: |
          cargo check --all-targets
          grep -rn '#!\?\[forbid(unsafe_code)\]' src/ || grep -n 'unsafe_code = "forbid"' Cargo.toml
```
## Third-Party Security Resources
- [Rust Security Advisory Database](https://rustsec.org/)
- [OWASP Rust Security Guidelines](https://owasp.org/)
- [Cargo Audit](https://github.com/RustSec/cargo-audit)
- [Rust Secure Code Guidelines](https://github.com/rust-secure-code/safety-dance)
## Security History
### Known Vulnerabilities
None at this time.
### Security Advisories
No security advisories have been issued for this project.
## Questions?
For security-related questions:
- **General**: Open a [GitHub Discussion](https://github.com/bare-rs/bare-script/discussions) with `security` label (for non-sensitive questions)
- **Sensitive**: Use private security advisory process above
---
**Last Updated**: 2026-03-09
**Next Review**: 2026-06-09