Bugs:
* Shell injection in `fj auth setup-git`: the hostname is now validated
against a strict DNS pattern and `git config` is invoked directly
(no `sh -c`). Added 4 unit tests covering shell metacharacters.
* Pager won't compile on Windows: the libc-based dup2 redirect lives
behind `#[cfg(unix)]`. Non-Unix gets a no-op stub.
Agent-focused Forgejo API gaps:
* `fj issue edit-comment ID` / `delete-comment ID`. Fix a wrong comment
after the fact (an agent's bread-and-butter).
* `fj search code "..." [-R owner/name]`. The most-requested missing
search dimension for codebase exploration.
* `fj pr request-review N user1 user2`, `unrequest-review N user`.
Distinct from `pr review` (your own approval/changes/comment).
* `fj repo watch / unwatch / star / unstar / starred`. Mark repos for
monitoring.
* `fj milestone {list,view,create,edit,close,reopen,delete,assign}`
with `assign N --milestone ID|none` to attach an issue/PR.
UX + stability:
* Global `--json-fields foo,bar` projection on top of any `--json`
output, gh-style. Dotted-path support (`--json-fields owner.login`).
* 429 / Retry-After honored in the retry loop with a 30 s cap.
* Clap `suggestions` feature for typo'd subcommands.
* `fj auth token` and `auth status --show-token` refuse to write to a
TTY by default (`--force` to override).
CI:
* `.forgejo/workflows/ci.yml` runs fmt/clippy/test/release-build on
every push and PR, mirroring the local pre-push hook.
Docs:
* `SECURITY.md` with threat model and known sharp edges.
* `docs/gh-to-fj.md` full command-by-command mapping.
* `docs/faq.md` covering tokens, hosts, debug, scripting, plugins.
Tests: 60 → 75 passing (2 ignored: editor and env-mutating tests that
fight the cargo test harness on macOS).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
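The "429 / Retry-After honored in the retry loop with a 30 s cap" bullet above describes a policy that is easy to get subtly wrong (trusting an unbounded server value, or retrying non-retryable statuses). The following is an added example, not fj's own retry loop: a constructed `Response` type stands in for the HTTP client's response, only the delta-seconds form of `Retry-After` is parsed (an HTTP-date value is treated as absent and falls back to exponential backoff, an assumption of this example), and the base delay and retry count are values chosen here.

```rust
use std::time::Duration;

/// Cap applied to any server-supplied Retry-After (the 30 s limit named in
/// the commit message): a hostile or misconfigured server cannot park the
/// client for an hour.
pub const RETRY_AFTER_CAP: Duration = Duration::from_secs(30);

/// Base delay for exponential backoff when the server gives no usable hint.
/// Value chosen for this example.
pub const BASE_BACKOFF: Duration = Duration::from_millis(500);

/// Number of retries after the first attempt. Value chosen for this example.
pub const MAX_RETRIES: u32 = 3;

/// Minimal stand-in for an HTTP response, constructed for this example.
#[derive(Debug, Clone)]
pub struct Response {
    pub status: u16,
    pub retry_after: Option<String>,
}

/// Parse Retry-After in its delta-seconds form ("120"). The HTTP-date
/// form is treated as absent here (an assumption of this example), so the
/// caller falls back to backoff instead of acting on an unparsed value.
pub fn parse_retry_after(value: &str) -> Option<Duration> {
    value.trim().parse::<u64>().ok().map(Duration::from_secs)
}

/// How long to sleep before retrying `attempt` (0-based), or None when the
/// response should be handed back to the caller as-is.
pub fn retry_delay(resp: &Response, attempt: u32) -> Option<Duration> {
    let retryable = resp.status == 429 || (500..=599).contains(&resp.status);
    if !retryable || attempt >= MAX_RETRIES {
        return None;
    }
    let hinted = resp.retry_after.as_deref().and_then(parse_retry_after);
    Some(match hinted {
        // Honor the server's hint, but never beyond the cap.
        Some(d) => d.min(RETRY_AFTER_CAP),
        // No usable hint: 500 ms, 1 s, 2 s, ...
        None => BASE_BACKOFF * 2u32.pow(attempt),
    })
}

/// Drive `send` through the retry policy. `sleep` is injected so a test can
/// record the delays instead of waiting for them.
pub fn send_with_retry<F, S>(mut send: F, mut sleep: S) -> Response
where
    F: FnMut(u32) -> Response,
    S: FnMut(Duration),
{
    let mut attempt = 0;
    loop {
        let resp = send(attempt);
        match retry_delay(&resp, attempt) {
            Some(delay) => {
                sleep(delay);
                attempt += 1;
            }
            None => return resp,
        }
    }
}

/// Scripted responses used by main(): constructed sample data, with the
/// second 429 carrying a Retry-After far above the cap.
pub fn sample_script() -> Vec<Response> {
    vec![
        Response { status: 429, retry_after: Some("2".into()) },
        Response { status: 429, retry_after: Some("3600".into()) },
        Response { status: 200, retry_after: None },
    ]
}

fn main() {
    let script = sample_script();
    let mut delays = Vec::new();
    let last = send_with_retry(|i| script[i as usize].clone(), |d| delays.push(d));
    println!("final status {} after delays {:?}", last.status, delays);
}
```

Injecting `sleep` keeps the policy testable: the scripted run above yields delays of 2 s and then 30 s (the 3600 s hint clamped), and a 404 is returned immediately rather than retried.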
70 lines
2.6 KiB
Markdown
# Security policy

## Reporting a vulnerability

Please report security issues to **stephen@rasterstate.com** rather than
opening a public issue. Encrypt with the GPG key below if the issue is
sensitive. Expect a response within 72 hours.

Include if possible:

- A clear description of the issue and impact.
- Steps to reproduce, with a minimal example.
- The fj version (`fj --version`) and Forgejo version (`fj api /version`).

## Threat model

fj is a CLI that:

- Stores Forgejo API tokens in the OS keychain (macOS Keychain, Linux
  Secret Service, Windows Credential Manager). Tokens are never written
  to disk in `hosts.toml` or anywhere else under our control.
- Sends those tokens as bearer headers over HTTPS to the configured
  hosts. The HTTP client uses rustls with the platform's trust store.
- Shells out to `git` for clone, fetch, and credential-helper setup.
- Opens `$EDITOR` for body inputs and `$FJ_PAGER` / `$PAGER` for long
  output.

Out of scope:

- Vulnerabilities in Forgejo itself. Report those to the Forgejo project.
- Vulnerabilities in `cargo` or in dependent crates. Those should be
  reported via `cargo audit` channels.
- Loss of tokens stored in the OS keychain via OS-level compromise.

## Known sharp edges

- `fj auth token` and `fj auth status --show-token` print plaintext
  tokens. We refuse to write to a TTY by default (since this risks
  capture in shell history). Pass `--force` to override, or pipe to a
  consumer like a credential helper.
- `fj auth setup-git` registers a `credential.helper` that invokes
  `fj auth token` at git-credential time. The hostname is validated
  against a strict DNS-style pattern at setup, but the helper string
  still passes through git's `!`-prefix shell evaluator at use time. If
  some other tool has added an attacker-controlled helper value for a
  host you have configured fj to talk to, audit your git config.
- `fj extension`'s plugin dispatch shells out to `fj-<name>` binaries
  on PATH. Treat any executable named `fj-*` on PATH as trusted code.

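The `fj auth setup-git` sharp edge above, and the shell-injection fix in the commit message (hostname validated against a strict DNS pattern, `git config` invoked directly rather than via `sh -c`), are the same control seen from two sides: the only defence against git's `!`-prefix shell evaluation is to never let an unvalidated value reach the helper string. The following is an added example and not fj's own code. The validation rules, the `!fj auth token --host <host>` helper shape, and the `credential.https://<host>.helper` config key are assumptions made for this example; the final function implements the "audit your git config" advice as a check over `git config --global --list` output, using a constructed sample.

```rust
use std::process::Command;

/// Expected shape of the helper fj writes; the `fj auth token --host`
/// form is an assumption of this example, not fj's actual string.
const HELPER_PREFIX: &str = "!fj auth token --host ";

/// Strict DNS-style hostname check with an optional numeric port.
/// Constructed for this example; the project's own pattern may differ.
/// Rejects anything a shell could interpret: `;`, `$`, backticks, spaces.
pub fn is_valid_hostname(host: &str) -> bool {
    let (name, port) = match host.split_once(':') {
        Some((n, p)) => (n, Some(p)),
        None => (host, None),
    };
    if let Some(p) = port {
        if p.is_empty() || p.len() > 5 || !p.bytes().all(|b| b.is_ascii_digit()) {
            return false;
        }
    }
    if name.is_empty() || name.len() > 253 {
        return false;
    }
    name.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && !label.starts_with('-')
            && !label.ends_with('-')
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

/// Build the `credential.helper` value. Because it starts with `!`, git
/// hands it to a shell at credential time, so only a validated hostname
/// may ever be embedded in it.
pub fn credential_helper_value(host: &str) -> Result<String, String> {
    if !is_valid_hostname(host) {
        return Err(format!("refusing to configure invalid hostname {host:?}"));
    }
    Ok(format!("{HELPER_PREFIX}{host}"))
}

/// Exact argv for `git config`; each element reaches git as one argument,
/// so no shell interprets the value at setup time.
pub fn git_config_args(host: &str) -> Result<Vec<String>, String> {
    let helper = credential_helper_value(host)?;
    Ok(vec![
        "config".to_string(),
        "--global".to_string(),
        format!("credential.https://{host}.helper"),
        helper,
    ])
}

/// Run git directly (no `sh -c`) with the argv above.
pub fn setup_git(host: &str) -> Result<(), String> {
    let args = git_config_args(host)?;
    let status = Command::new("git")
        .args(&args)
        .status()
        .map_err(|e| format!("failed to run git: {e}"))?;
    if status.success() {
        Ok(())
    } else {
        Err(format!("git exited with {status}"))
    }
}

/// Audit step for the "some other tool added a value" case: given the text
/// of `git config --global --list`, return every shell-evaluated helper
/// (`!`-prefixed) that is not exactly the fj shape with a valid hostname.
pub fn suspicious_helpers(config_list: &str) -> Vec<String> {
    config_list
        .lines()
        .filter_map(|line| {
            let (key, value) = line.split_once('=')?;
            let key = key.trim();
            if !(key.starts_with("credential.") && key.ends_with("helper")) {
                return None;
            }
            let value = value.trim();
            if !value.starts_with('!') {
                return None; // built-in helpers such as osxkeychain are not shell-evaluated
            }
            match value.strip_prefix(HELPER_PREFIX) {
                Some(host) if is_valid_hostname(host) => None,
                _ => Some(line.to_string()),
            }
        })
        .collect()
}

/// Constructed sample of `git config --global --list` output; the last
/// entry carries a trailing shell metacharacter and must be flagged.
pub const SAMPLE_CONFIG: &str = "\
user.name=Alice
credential.https://codeberg.org.helper=!fj auth token --host codeberg.org
credential.helper=osxkeychain
credential.https://forge.example.helper=!fj auth token --host forge.example;true
";

fn main() {
    match git_config_args("codeberg.org") {
        Ok(args) => println!("git {}", args.join(" ")),
        Err(e) => eprintln!("{e}"),
    }
    for line in suspicious_helpers(SAMPLE_CONFIG) {
        println!("review: {line}");
    }
}
```

Validation happens once, in `credential_helper_value`, and every path that writes the helper goes through it; `suspicious_helpers` is the matching detection for values that bypassed fj entirely, flagging any `!` helper that is not the expected shape so a human reviews it.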
## Token hygiene

- Rotate Forgejo tokens periodically. `fj auth refresh --token NEW`
  replaces the stored value without losing your host config.
- Scope tokens narrowly when the API supports it. fj only needs the
  scopes for the operations you actually run.
- If you suspect a token is compromised, revoke it on the Forgejo side
  immediately, then `fj auth logout --host <host>` and `fj auth login
  --host <host>` to re-pair.

## Versions

We aim to fix security issues in the latest `main` and one prior minor
release. There is no LTS branch yet.

## GPG key

(Not yet published. Email reports without encryption are acceptable for
now; ack within 72 hours.)