# Security Policy
## 🔒 Supported Versions
We release patches for security vulnerabilities in the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |
| < 0.1.0 | :x:                |
**Note:** As ZFish is a CLI framework library (not a service), most security considerations relate to:
- Terminal escape sequence handling
- Input validation
- File system operations (if any)
- Dependencies (we use zero external dependencies)
---
## 🛡️ Security Considerations
### Terminal Safety
ZFish handles ANSI escape sequences for terminal control. We take the following precautions:
- ✅ All escape sequences are carefully validated
- ✅ No user input is directly interpolated into escape sequences
- ✅ Terminal state is properly restored on errors
- ✅ No execution of shell commands from user input
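The "terminal state is restored on errors" point is easiest to see with an RAII guard, which releases the terminal on every exit path (normal return, `?`, and panic unwinding). The block below is an added example, not ZFish's own code: `RAW_MODE`, `RawModeGuard` and `with_raw_mode` are assumed names, and the terminal mode is a simulated flag so the example runs without a real tty.

```rust
use std::sync::atomic::{AtomicBool, Ordering};

/// Simulated terminal mode flag. Assumption: stands in for the termios /
/// console-mode state a real implementation would save and restore.
pub static RAW_MODE: AtomicBool = AtomicBool::new(false);

/// Entering raw mode yields a guard; dropping the guard restores cooked mode.
pub struct RawModeGuard;

impl RawModeGuard {
    pub fn enter() -> Self {
        RAW_MODE.store(true, Ordering::SeqCst);
        RawModeGuard
    }
}

impl Drop for RawModeGuard {
    fn drop(&mut self) {
        // Runs on normal return, on `?` early return, and during panic unwinding,
        // so a failure inside the interactive section cannot strand the user in raw mode.
        RAW_MODE.store(false, Ordering::SeqCst);
    }
}

/// Run `f` with the terminal in raw mode; the mode is restored however `f` exits.
pub fn with_raw_mode<T>(f: impl FnOnce() -> T) -> T {
    let _guard = RawModeGuard::enter();
    f()
}

/// Simulate a panic while reading a key and report the terminal mode afterwards.
/// Returns `true` only if raw mode leaked past the failure.
pub fn raw_mode_leaked_after_panic() -> bool {
    let outcome = std::panic::catch_unwind(|| {
        with_raw_mode(|| -> () {
            assert!(RAW_MODE.load(Ordering::SeqCst), "guard should have enabled raw mode");
            panic!("simulated failure while reading a key");
        })
    });
    assert!(outcome.is_err(), "the panic should have propagated to catch_unwind");
    RAW_MODE.load(Ordering::SeqCst)
}

fn main() {
    println!("raw mode leaked after panic: {}", raw_mode_leaked_after_panic()); // prints: false
}
```

The guard only helps when panics unwind: a binary built with `panic = "abort"` skips `Drop`, so applications that use that profile should also restore the terminal from a panic hook or signal handler.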
### Input Validation
When using ZFish's interactive prompt features:
- ✅ Input is sanitized before display
- ✅ No code execution from user input
- ✅ Buffer overflow protection via Rust's memory safety
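Two of the points above ("no user input is directly interpolated into escape sequences" and "input is sanitized before display") come down to one routine: remove everything a terminal would interpret before untrusted text reaches the screen. The block below is an added example, not ZFish's own code, and `contains_terminal_control` / `strip_terminal_controls` are assumed names. It goes further than dropping the ESC byte: it parses and removes whole CSI, OSC, DCS, APC, PM and SOS sequences, their 8-bit C1 forms, and stray C0 controls such as CR and BEL, and it drops truncated sequences instead of passing them through.

```rust
/// Returns true if `s` contains any character a terminal would interpret
/// rather than print (C0 controls, DEL, or 8-bit C1 controls).
pub fn contains_terminal_control(s: &str) -> bool {
    s.chars().any(|c| c.is_control())
}

/// Removes every escape/control sequence and returns printable text only.
/// Truncated sequences at end of input are dropped rather than passed through.
pub fn strip_terminal_controls(s: &str) -> String {
    let chars: Vec<char> = s.chars().collect();
    let mut out = String::with_capacity(s.len());
    let mut i = 0;
    while i < chars.len() {
        match chars[i] {
            // ESC: the next char selects the sequence type.
            '\u{1b}' => {
                i += 1;
                match chars.get(i) {
                    Some('[') => i = skip_csi(&chars, i + 1),
                    // OSC, DCS, APC, PM, SOS: string sequences ended by BEL or ST.
                    Some(']') | Some('P') | Some('_') | Some('^') | Some('X') => {
                        i = skip_string(&chars, i + 1)
                    }
                    // Other two-char escapes (ESC c, ESC 7, ESC =): drop one char.
                    // Charset designators like ESC ( B leave a printable letter, which is harmless.
                    Some(_) => i += 1,
                    None => {}
                }
            }
            // 8-bit C1 forms of CSI and of the string introducers.
            '\u{9b}' => i = skip_csi(&chars, i + 1),
            '\u{9d}' | '\u{90}' | '\u{9f}' | '\u{9e}' | '\u{98}' => i = skip_string(&chars, i + 1),
            // Remaining C0/C1 controls (CR, LF, BEL, DEL, ...) are dropped.
            c if c.is_control() => i += 1,
            c => {
                out.push(c);
                i += 1;
            }
        }
    }
    out
}

/// Skip CSI parameter/intermediate bytes (0x20-0x3F) and one final byte (0x40-0x7E).
fn skip_csi(chars: &[char], mut i: usize) -> usize {
    while i < chars.len() && matches!(chars[i], '\u{20}'..='\u{3f}') {
        i += 1;
    }
    if i < chars.len() && matches!(chars[i], '\u{40}'..='\u{7e}') {
        i += 1;
    }
    i
}

/// Skip a string-sequence body up to and including BEL, 8-bit ST (U+009C) or ESC \.
fn skip_string(chars: &[char], mut i: usize) -> usize {
    while i < chars.len() {
        match chars[i] {
            '\u{07}' | '\u{9c}' => return i + 1,
            '\u{1b}' if chars.get(i + 1) == Some(&'\\') => return i + 2,
            _ => i += 1,
        }
    }
    i
}

fn main() {
    // Constructed sample: a fake status line that tries to clear the screen and retitle the window.
    let untrusted = "\u{1b}[2J\u{1b}]0;pwned\u{07}Build OK\r\n";
    println!("flagged: {}", contains_terminal_control(untrusted)); // prints: flagged: true
    println!("clean:   {:?}", strip_terminal_controls(untrusted)); // prints: clean:   "Build OK"
}
```

Use `contains_terminal_control` when the right response is to reject or log the input (for example, a filename or hostname that should never contain controls), and `strip_terminal_controls` when the text must still be shown. Strip first, then apply the library's styling on top of the cleaned string; never build the escape sequence around the raw value.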
### Platform-Specific Code
ZFish uses platform-specific APIs (Windows Console API, Unix ioctl):
- ✅ FFI calls are carefully validated
- ✅ Proper error handling for all system calls
- ✅ No unsafe memory operations without bounds checking
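What "FFI calls are carefully validated" and "proper error handling for all system calls" look like for a zero-dependency crate, using the Unix terminal-size ioctl as the case: the `extern` declaration is hand-written, the `unsafe` block is as small as possible with a SAFETY comment, and both the return code and the returned struct are checked before the value is used. This is an added example, not ZFish's `os/` code; `terminal_size`, `columns_or_default` and the `WinSize` struct name are assumptions, and the `request` parameter type follows the glibc/BSD declaration (`unsigned long`).

```rust
use std::io;
use std::os::raw::{c_int, c_ulong};
use std::os::unix::io::AsRawFd;

// Hand-declared FFI, as a zero-dependency crate must do it. glibc and the BSD
// libcs declare `request` as unsigned long; this is an assumption of the example.
unsafe extern "C" {
    fn ioctl(fd: c_int, request: c_ulong, ...) -> c_int;
}

/// `struct winsize` as laid out by the kernel (same on Linux and the BSDs).
#[repr(C)]
#[derive(Clone, Copy, Debug, Default)]
struct WinSize {
    ws_row: u16,
    ws_col: u16,
    ws_xpixel: u16,
    ws_ypixel: u16,
}

#[cfg(target_os = "linux")]
const TIOCGWINSZ: c_ulong = 0x5413;
#[cfg(not(target_os = "linux"))]
const TIOCGWINSZ: c_ulong = 0x4008_7468; // macOS / FreeBSD / OpenBSD value

/// Terminal size as (rows, cols). Every failure is an `Err`: the fd is not a
/// terminal, the syscall fails, or the kernel returns a zero dimension that
/// would break layout arithmetic downstream.
pub fn terminal_size(fd: &impl AsRawFd) -> io::Result<(u16, u16)> {
    let mut ws = WinSize::default();
    // SAFETY: TIOCGWINSZ writes exactly one `struct winsize` through the pointer;
    // `ws` is a correctly sized, repr(C), writable local that outlives the call.
    let rc = unsafe { ioctl(fd.as_raw_fd(), TIOCGWINSZ, &mut ws as *mut WinSize) };
    if rc != 0 {
        return Err(io::Error::last_os_error()); // ENOTTY for pipes, files, /dev/null
    }
    if ws.ws_row == 0 || ws.ws_col == 0 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "terminal reported a zero dimension"));
    }
    Ok((ws.ws_row, ws.ws_col))
}

/// Width to use for layout: the detected column count, or `fallback` when the
/// size cannot be trusted. Callers doing anything security-relevant should
/// treat the value as a hint, never as a bound on attacker-controlled data.
pub fn columns_or_default(fd: &impl AsRawFd, fallback: u16) -> u16 {
    terminal_size(fd).map(|(_, cols)| cols).unwrap_or(fallback)
}

fn main() {
    match terminal_size(&io::stdout()) {
        Ok((rows, cols)) => println!("{rows} rows x {cols} cols"),
        Err(e) => println!("no terminal size available: {e}"),
    }
}
```

The two checks after the call are the point: a non-zero return code is turned into the OS error rather than read as a size, and a zero row or column count is rejected so later width arithmetic cannot underflow or divide by zero. The fallback helper is how a caller should consume the value, since the terminal (and anything that can reach it, such as a hostile SSH peer) controls what the ioctl reports.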
---
## 🚨 Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability in ZFish, please follow these steps:
### **DO NOT** open a public issue
Public disclosure of vulnerabilities can put the entire community at risk.
### ✅ Instead, Report Privately
**Method 1: GitHub Security Advisories (Recommended)**
1. Go to https://github.com/JeetKarena/ZFish/security/advisories
2. Click "Report a vulnerability"
3. Fill in the details following the template below
**Method 2: Email**
Send an email to: **karenajeet@proton.me**
### 📋 Vulnerability Report Template
Please include the following information:
````markdown
## Summary
Brief description of the vulnerability
## Severity
Your assessment: Critical / High / Medium / Low
## Component
Which part of ZFish is affected?
- [ ] Terminal control (term.rs)
- [ ] ANSI escape sequences (style.rs)
- [ ] Progress bars (progress.rs)
- [ ] Interactive prompts (prompt.rs)
- [ ] Argument parsing (args.rs)
- [ ] Platform-specific code (os/)
- [ ] Other: ___________
## Description
Detailed description of the vulnerability
## Steps to Reproduce
1. Step 1
2. Step 2
3. Step 3
## Proof of Concept
```rust
// Code that demonstrates the vulnerability
```
## Impact
What could an attacker achieve with this vulnerability?
## Suggested Fix (Optional)
If you have ideas on how to fix this
## Environment
- OS:
- Rust version:
- ZFish version:
````
---
## 🔍 What Happens Next?
1. **Acknowledgment** - We'll acknowledge receipt within **48 hours**
2. **Investigation** - We'll investigate and confirm the vulnerability
3. **Timeline** - We'll provide an expected timeline for a fix
4. **Coordination** - We'll work with you on coordinated disclosure
5. **Fix & Release** - We'll release a patch and security advisory
6. **Credit** - You'll be credited in the advisory (unless you prefer anonymity)
---
## 🕐 Response Timeline
- **Initial Response:** Within 48 hours
- **Status Update:** Within 7 days
- **Fix Timeline:** Depends on severity
  - Critical: Within 7 days
  - High: Within 30 days
  - Medium: Within 90 days
  - Low: Next regular release
---
## 🏆 Security Hall of Fame
We appreciate security researchers who help keep ZFish safe:
<!-- Security researchers who responsibly disclose vulnerabilities will be listed here -->
*No vulnerabilities reported yet. Be the first!*
---
## 📚 Security Best Practices for Users
When using ZFish in your applications:
### ✅ DO:
- Keep ZFish updated to the latest version
- Validate user input before passing to ZFish functions
- Handle errors appropriately
- Review terminal output in security-sensitive contexts
- Use ZFish's safe APIs for terminal control
### ❌ DON'T:
- Don't pass unsanitized user input directly to style functions
- Don't execute shell commands based on user input
- Don't trust terminal size detection in security-critical code
- Don't use ZFish in setuid/setgid programs without review
### Example: Safe Input Handling
```rust
use std::io::{self, BufRead};
use zfish::{Color, Style};
// Assumed helper (not part of the ZFish API): read one line from stdin.
fn get_user_input() -> String {
    let mut line = String::new();
    io::stdin().lock().read_line(&mut line).expect("failed to read stdin");
    line.trim_end().to_string()
}

fn main() {
    // ✅ Safe - controlled styling: drop every control character (C0 and C1, including ESC and the 8-bit CSI U+009B), not just the ESC byte
    let sanitized: String = get_user_input().chars().filter(|c| !c.is_control()).collect();
    println!("{}", Style::new().fg(Color::Green).apply(&sanitized));
    // ❌ Unsafe - potential injection: raw input placed inside a hand-built escape sequence
    let user_input = get_user_input();
    println!("\x1b[32m{}\x1b[0m", user_input); // DON'T DO THIS
}
```
---
## 🔐 Security Features
### Memory Safety
ZFish is written in **Rust**, whose safe subset guarantees:
- No buffer overflows
- No use-after-free
- No null pointer dereferences
- Thread safety
### Zero Dependencies
ZFish has **zero external dependencies**, which means:
- Smaller attack surface
- No vulnerabilities inherited from third-party crates
- Easier security auditing
- Faster security response
### Minimal `unsafe` Code
- `unsafe` is only used for necessary FFI calls
- All `unsafe` blocks are documented and reviewed
- Platform-specific code is isolated in `os/` module
---
## 📜 Security Disclosure Policy
### Coordinated Disclosure
We follow a **coordinated disclosure** process:
1. Security researchers report vulnerabilities privately
2. We investigate and develop a fix
3. We coordinate a disclosure date
4. We release a patch
5. We publish a security advisory
6. Public disclosure occurs
### Public Disclosure Timeline
- **90 days** from initial report, or
- **When a fix is released**, whichever comes first
We may request additional time for complex vulnerabilities.
---
## 🚀 Security Updates
Security patches are released as soon as possible:
- **Patch version bump** for security fixes
- Published to crates.io immediately
- GitHub Security Advisory published
- Announcement in repository README
### Stay Informed
- ⭐ **Watch** this repository for security advisories
- 📧 **Subscribe** to GitHub notifications
- 🔔 **Enable** security alerts for your projects using ZFish
---
## 📞 Contact
For security-related inquiries:
- **Security Email:** security@zfish.dev
- **GitHub Security:** https://github.com/JeetKarena/ZFish/security/advisories
- **General Contact:** See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
---
## 🙏 Acknowledgments
We thank the security research community for helping keep ZFish and its users safe.
**Responsible disclosure is appreciated and will be recognized.**
---
## 📖 Additional Resources
- [OWASP Secure Coding Practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)
- [Rust Security Guidelines](https://anssi-fr.github.io/rust-guide/)
- [CWE - Common Weakness Enumeration](https://cwe.mitre.org/)
---
*Last Updated: October 2025*
**Stay Safe! 🦈🔒**