wirepusher 1.0.0-alpha.2

Official Rust Client Library for WirePusher - Send push notifications with async/await support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

# Security Policy

## Supported Versions

We release patches for security vulnerabilities in the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| < 1.0   | :x:                |

## Reporting a Vulnerability

The WirePusher team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

### How to Report

**Please do NOT report security vulnerabilities through public GitLab issues.**

Instead, please report security vulnerabilities via email to:

**security@wirepusher.com**

### What to Include

To help us triage and fix the issue quickly, please include:

1. **Type of vulnerability** (e.g., authentication bypass, injection, etc.)
2. **Full paths** of source files related to the vulnerability
3. **Location** of the affected source code (tag/branch/commit or direct URL)
4. **Step-by-step instructions** to reproduce the issue
5. **Proof-of-concept or exploit code** (if possible)
6. **Impact** of the vulnerability (what an attacker could achieve)
7. **Any mitigating factors** or workarounds you've identified

### What to Expect

After you submit a report:

1. **Acknowledgment** - We'll acknowledge receipt within 48 hours
2. **Assessment** - We'll assess the vulnerability and determine severity
3. **Updates** - We'll provide regular updates (at least every 7 days)
4. **Fix Timeline** - We aim to release fixes for:
   - **Critical** vulnerabilities: Within 7 days
   - **High** vulnerabilities: Within 14 days
   - **Medium** vulnerabilities: Within 30 days
   - **Low** vulnerabilities: Next regular release

5. **Disclosure** - We'll coordinate with you on public disclosure timing
6. **Credit** - We'll credit you in the security advisory (unless you prefer to remain anonymous)

## Security Best Practices

### For Users

When using the WirePusher Rust Client Library:

1. **Keep the SDK updated** to the latest version
2. **Never commit credentials** to version control
3. **Use environment variables** for sensitive configuration
4. **Validate input** before sending to the SDK
5. **Handle errors gracefully** without exposing sensitive information
6. **Use HTTPS** for all network communication
7. **Limit token scope** to minimum required permissions

### Credential Management

```rust
// ❌ Bad - Hardcoded credentials
let client = Client::new("abc12345", "device_id")?;

// ✅ Good - Environment variables
use std::env;
let token = env::var("WIREPUSHER_TOKEN")?;
let device_id = env::var("WIREPUSHER_DEVICE_ID")?;
let client = Client::new(token, device_id)?;
```

### Error Handling

```rust
// ❌ Bad - Exposes sensitive information
match client.send("Title", "Message").await {
    Err(e) => println!("Error: {:?}", e), // May log tokens
    Ok(_) => println!("Success"),
}

// ✅ Good - Safe error handling
match client.send("Title", "Message").await {
    Ok(_) => println!("Notification sent"),
    Err(Error::Authentication { .. }) => {
        eprintln!("Authentication failed - check credentials");
    }
    Err(Error::Validation { message, .. }) => {
        eprintln!("Validation error: {}", message);
    }
    Err(_) => eprintln!("Notification failed"),
}
```

### Input Validation

```rust
// ❌ Bad - No validation
async fn handle_request(title: String, message: String) {
    client.send(&title, &message).await.ok();
}

// ✅ Good - Validate input
async fn handle_request(title: String, message: String) -> Result<()> {
    if title.is_empty() || message.is_empty() {
        return Err("Missing required fields".into());
    }

    if title.len() > 256 || message.len() > 4096 {
        return Err("Content too long".into());
    }

    client.send(&title, &message).await?;
    Ok(())
}
```

### Context Timeouts

```rust
use tokio::time::{timeout, Duration};

// ❌ Bad - No timeout
client.send("Title", "Message").await?;

// ✅ Good - Use timeout
timeout(
    Duration::from_secs(10),
    client.send("Title", "Message")
).await??;
```

## Known Security Considerations

### API Token Security

- Tokens are transmitted in API requests and should be kept confidential
- Tokens are stored in plaintext by the SDK (secure storage is the user's responsibility)
- Compromised tokens can be used to send notifications as your user
- Rotate tokens regularly as a security best practice

### Network Communication

- All communication with WirePusher API is over HTTPS
- The SDK uses reqwest which respects system-level TLS/SSL settings
- Certificate validation is handled by the Rust runtime
- Minimum TLS 1.2 is enforced by default

### Dependencies

The SDK has minimal runtime dependencies to reduce supply chain risks:
- `reqwest` - Well-maintained HTTP client with security focus
- `tokio` - Industry-standard async runtime
- `serde`/`serde_json` - Widely-used serialization library
- `thiserror` - Error handling
- `aes`, `cbc`, `sha1` - Cryptography (encryption support)

We monitor dependencies for known vulnerabilities and update promptly.

### Memory Safety

- Rust's ownership system prevents buffer overflows and memory corruption
- Borrow checker prevents use-after-free vulnerabilities
- Type safety prevents many common programming errors
- No unsafe code in the library (except in vetted dependencies)

## Vulnerability Disclosure Process

When we receive a security bug report:

1. **Confirm the vulnerability** and determine affected versions
2. **Develop and test a fix** for all supported versions
3. **Prepare security advisory** with:
   - Description of the vulnerability
   - Affected versions
   - Fixed versions
   - Workarounds (if any)
   - Credit to reporter
4. **Release patched versions**
5. **Publish security advisory** on GitLab
6. **Notify users** via:
   - GitLab security advisory
   - Project README update
   - crates.io documentation

## Security Audit History

| Date | Type | Findings | Status |
|------|------|----------|--------|
| TBD  | TBD  | TBD      | TBD    |

## Security Hall of Fame

We thank the following individuals for responsibly disclosing security vulnerabilities:

- (None yet)

## Resources

- [Rust Security Best Practices](https://anssi-fr.github.io/rust-guide/)
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- [RustSec Advisory Database](https://rustsec.org/)

## Questions?

For security-related questions that aren't reporting vulnerabilities:

- Email: security@wirepusher.com
- General questions: support@wirepusher.com

Thank you for helping keep WirePusher and its users safe!