sb 0.3.12

Terminal Markdown Browser/Editor with Git integration, syntax highlighting, and media support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.3.x   | :white_check_mark: |
| < 0.3   | :x:                |

## Reporting a Vulnerability

We take the security of Saorsa Browser seriously. If you discover a security vulnerability, please follow these steps:

1. **DO NOT** open a public issue
2. Email your findings to [security contact - please update with your email]
3. Include the following information:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if available)

### Response Timeline

- **Initial Response**: Within 48 hours
- **Status Update**: Within 5 business days
- **Resolution Target**: Critical issues within 30 days

## Security Features

### Path Traversal Protection
- All file paths are validated against directory traversal attempts
- Canonical path resolution ensures files stay within allowed directories
- Hidden files and system files are blocked by default
- See `src/security.rs` for implementation details

### Resource Limits
- **File Size Limit**: 10MB for file operations
- **Preview Limit**: 1MB for rendered previews
- **Memory Protection**: Bounded buffers for all file operations

### Input Validation
- All user inputs are sanitized before processing
- Command injection protection in file operations
- Null byte filtering in paths

### Error Handling
- Sensitive information is redacted from error messages
- File paths, IP addresses, and credentials are sanitized
- Stack traces are filtered in production builds

## Security Best Practices

### For Contributors

1. **Dependencies**
   - Run `cargo audit` before submitting PRs
   - Keep dependencies up to date
   - Avoid unmaintained packages

2. **Code Review**
   - All PRs require security review
   - Use `#[forbid(unsafe_code)]` where possible
   - Document any unsafe blocks with justification

3. **Testing**
   - Include security tests for new features
   - Test boundary conditions and error cases
   - Use property-based testing for input validation

### For Users

1. **Installation**
   - Download only from official sources
   - Verify checksums when available
   - Keep the application updated

2. **Usage**
   - Avoid opening untrusted files
   - Be cautious with symbolic links
   - Report suspicious behavior immediately

## Known Security Considerations

### Dependencies
We are aware of the following unmaintained dependencies:

#### Low Risk - Acceptable 
- `paste` (via ratatui) - Proc-macro helper, no known vulnerabilities, core TUI framework dependency
- `yaml-rust` (via tui-markdown->syntect) - YAML parsing for syntax definitions, no known vulnerabilities

**Risk Assessment**: These dependencies pose minimal security risk as they are:
- Not directly handling user input or network data
- Used in well-contained contexts (UI rendering, syntax highlighting)
- Part of mature, widely-used libraries
- No known CVEs against current versions

**Mitigation**: Regular monitoring via `cargo audit` and security alerts. Alternative implementations would require significant architectural changes that don't justify the low risk level.

### External Commands
- **ffmpeg**: Used for video playback. Ensure you have the latest version installed
- **git**: Used for diff functionality. Keep Git updated to latest stable version

## Security Audit

Regular security audits are performed:
- **Automated**: Weekly via GitHub Actions (cargo-audit)
- **Manual**: Quarterly code review focusing on security
- **External**: Annual third-party security assessment (when applicable)

## Compliance

This project follows security best practices including:
- OWASP guidelines for application security
- Rust security guidelines from the Rust Security Response WG
- CWE Top 25 Most Dangerous Software Weaknesses mitigation

## Security Updates

Security updates are released as soon as fixes are available:
- **Critical**: Immediate patch release
- **High**: Within 7 days
- **Medium**: Within 30 days
- **Low**: Next regular release

## Contact

For security concerns, please contact:
- Primary: [Please add security contact email]
- Secondary: Open an issue with "Security" label (for non-sensitive discussions)

## Acknowledgments

We appreciate responsible disclosure and will acknowledge security researchers who:
- Follow responsible disclosure practices
- Allow reasonable time for patching
- Don't exploit vulnerabilities beyond proof of concept

Contributors will be credited in our security advisories unless they prefer to remain anonymous.