Skip to content

Security: tkuchel/DropBear.Codex

Security

SECURITY.md

Security Policy

Last Updated: October 29, 2025 Version: 2025.10.0+


Reporting Security Vulnerabilities

We take the security of DropBear.Codex seriously. If you discover a security vulnerability, please follow responsible disclosure:

How to Report

DO NOT create a public GitHub issue for security vulnerabilities.

Instead:

  1. Email: security@dropbear.com (or use GitHub Security Advisories)
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)
  3. Allow up to 48 hours for initial response
  4. Allow up to 90 days for fix before public disclosure

What to Expect

  • Acknowledgment within 48 hours
  • Status update within 7 days
  • Fix timeline based on severity:
    • Critical: 7-14 days
    • High: 14-30 days
    • Medium: 30-60 days
    • Low: 60-90 days

Security Audit Summary

Last Audit: October 29, 2025 Security Grade: A- (Excellent) Critical Vulnerabilities: 0 High Severity Issues: 0 (all resolved in v2025.10.0)

Overall Security Posture

DropBear.Codex demonstrates strong security fundamentals:

  • ✅ Modern cryptographic algorithms (AES-GCM, RSA-OAEP, Argon2id)
  • ✅ No weak/deprecated algorithms (MD5, SHA1, DES)
  • ✅ Proper error handling with Result pattern
  • ✅ Memory safety with key clearing
  • ✅ No SQL injection, command injection, or insecure deserialization

Known Security Issues

High Severity (RESOLVED ✅)

H1: Hardcoded Default Encryption Key

Status: ✅ FIXED (Version 2025.10.0) Location: DropBear.Codex.Utilities/Obfuscation/Jumbler.cs Resolution: Removed default key support. keyPhrase parameter is now required for all operations. Method will fail with error if default key is attempted. Breaking Change: Yes - callers must now explicitly provide keyPhrase

H2: PBKDF2 Iteration Count Below Recommendations

Status: ✅ FIXED (Version 2025.10.0) Location: DropBear.Codex.Utilities/Obfuscation/Jumbler.cs Resolution: Increased PBKDF2 iterations from 10,000 to 600,000 (OWASP 2023 recommendation) Breaking Change: Yes - new format incompatible with old jumbled values (v03 format)

H3: Static Salt Usage in PBKDF2

Status: ✅ FIXED (Version 2025.10.0) Location: DropBear.Codex.Utilities/Obfuscation/Jumbler.cs Resolution: Implemented random 32-byte (256-bit) salt generation per operation using RandomNumberGenerator.GetBytes() Breaking Change: Yes - new format stores salt with encrypted data (v03 format)

H4: Unvalidated Connection Strings

Status: ✅ MITIGATED (Version 2025.10.0) Location: DropBear.Codex.Notifications/Extensions/ServiceCollectionExtensions.cs Resolution:

  • Added null/empty validation with exception on startup
  • Added security warning when plain-text passwords detected
  • Added XML documentation recommending Azure Key Vault/Managed Identity Recommendation: Store connection strings in Azure Key Vault, AWS Secrets Manager, or use Managed Identity in production

Medium Severity (Under Review)

  • M1: ✅ FIXED - Key cache now thread-safe using ConcurrentDictionary (Jumbler.cs:28)
  • M2: Hash verification timing attack potential (will use FixedTimeEquals)
  • M3: Windows-only DPAPI encryption (cross-platform alternative planned)
  • M4: Path traversal risk in FileManager (explicit validation being added)
  • M5: XSS risk with MarkupString (already mostly mitigated, under review)

Supported Versions

Version Supported Security Updates
2025.10.x ✅ Yes Active
2025.09.x ⚠️ Limited Critical only
< 2025.09.0 ❌ No Unsupported

Recommendation: Always use the latest version for full security updates.


Security Best Practices for Users

1. Cryptography

✅ DO:

  • Use Argon2id for password hashing (default in Hashing project)
  • Use AES-GCM for authenticated encryption (Serialization project)
  • Provide custom key phrases for Jumbler (don't rely on defaults)
  • Use strong, randomly generated keys (32+ bytes)

❌ DON'T:

  • Don't use MD5 or SHA1 for security purposes
  • Don't reuse encryption keys across environments
  • Don't store keys in source code or public config files
  • Don't use weak passwords for key derivation

2. Data Protection

✅ DO:

  • Store secrets in Azure Key Vault, AWS Secrets Manager, or similar
  • Use environment variables for configuration in production
  • Enable encryption at rest for databases
  • Use HTTPS/TLS for all network communication

❌ DON'T:

  • Don't commit secrets to version control
  • Don't log sensitive data (passwords, tokens, PII)
  • Don't expose connection strings in error messages
  • Don't store sensitive data in plain text

3. Input Validation

✅ DO:

  • Validate all user input using ValidationHelper (Blazor project)
  • Use Result pattern for error handling (prevents information leakage)
  • Sanitize file paths before file operations
  • Validate file uploads (size, type, content)

❌ DON'T:

  • Don't trust client-side validation alone
  • Don't use user input directly in file paths
  • Don't execute user-provided code or commands
  • Don't deserialize untrusted data without validation

4. Blazor Security

✅ DO:

  • Use Blazor's automatic HTML encoding (@ syntax)
  • Validate SVG content before rendering (IconLibrary does this)
  • Implement Content Security Policy headers
  • Use HttpOnly cookies for session management

❌ DON'T:

  • Don't use MarkupString with user-controlled data
  • Don't disable XSS protection features
  • Don't execute JavaScript from user input
  • Don't trust client-side authorization alone

5. Database Security

✅ DO:

  • Use Entity Framework Core (prevents SQL injection)
  • Use parameterized queries always
  • Implement proper authorization checks
  • Use read-only connections when possible

❌ DON'T:

  • Don't concatenate SQL strings with user input
  • Don't expose database errors to users
  • Don't use overly-permissive database accounts
  • Don't disable query logging in development

Security Features by Project

DropBear.Codex.Core

  • ✅ Result pattern prevents exception leakage
  • ✅ Structured error handling
  • ✅ Type-safe error propagation

DropBear.Codex.Hashing

  • ✅ Argon2id (best for passwords)
  • ✅ Blake2/Blake3 (fast, secure)
  • ✅ Constant-time hash verification (being added)

DropBear.Codex.Serialization

  • ✅ AES-GCM authenticated encryption
  • ✅ RSA with OAEP-SHA256 padding
  • ✅ No insecure deserialization (no BinaryFormatter)
  • ✅ Encrypted serialization for sensitive data

DropBear.Codex.Notifications

  • ✅ Entity Framework Core (parameterized queries)
  • ✅ Encrypted notification content support
  • ⚠️ Connection string validation being added

DropBear.Codex.Blazor

  • ✅ Automatic HTML encoding
  • ✅ SVG content validation
  • ✅ Minimal MarkupString usage
  • ⚠️ CSP headers recommended

DropBear.Codex.Files

  • ✅ Verified file format with embedded hashes
  • ✅ Content validation
  • ⚠️ Path traversal protection being enhanced

DropBear.Codex.Utilities

  • ⚠️ Jumbler: Default key being removed (require custom keys)
  • ⚠️ PBKDF2: Iterations being increased to 600,000+
  • ✅ Secure random number generation

DropBear.Codex.Workflow

  • ✅ Result pattern throughout
  • ✅ Proper error handling
  • ✅ No code execution vulnerabilities

DropBear.Codex.StateManagement

  • ✅ Safe snapshot management
  • ✅ No serialization vulnerabilities
  • ✅ Proper validation

DropBear.Codex.Tasks

  • ✅ Validation before execution
  • ✅ Timeout protection
  • ✅ Cancellation token support

Security Compliance

Standards Alignment

  • OWASP Top 10 2021: No A01-A10 vulnerabilities
  • ⚠️ NIST SP 800-63B: PBKDF2 iterations below current recommendations (being fixed)
  • CWE-259: No hardcoded passwords
  • CWE-311: Proper cryptographic storage
  • CWE-327: No broken cryptographic algorithms

Cryptographic Standards

  • AES-256-GCM: NIST approved, authenticated encryption
  • RSA-2048+ with OAEP: Industry standard
  • Argon2id: Winner of Password Hashing Competition 2015
  • Blake2/Blake3: Modern, fast, secure hashing
  • ⚠️ PBKDF2-HMAC-SHA256: Used but iterations being increased

Dependency Security

NuGet Package Updates

We monitor all dependencies for known vulnerabilities:

  • GitHub Dependabot: Enabled
  • NuGet Audit: Enabled in project files
  • Update Frequency: Monthly security reviews

Current Status

✅ All packages up-to-date as of October 2025 ✅ No known vulnerable dependencies


Security Tools & CI/CD

Recommended Tools (Being Integrated)

  1. git-secrets - Prevent committing secrets
  2. gitleaks - Scan for leaked secrets
  3. OWASP Dependency-Check - Vulnerable dependency scanning
  4. SonarQube - Code quality & security analysis
  5. Snyk - Dependency vulnerability scanning

Pre-commit Hooks (Recommended)

# Install pre-commit hooks
pip install pre-commit
pre-commit install

# Scan for secrets
pre-commit run --all-files

Secure Development Guidelines

Code Review Checklist

Before merging code, verify:

  • No hardcoded secrets or credentials
  • Input validation on all user-provided data
  • Proper error handling (Result pattern)
  • Sensitive data cleared from memory
  • Cryptographic operations use approved algorithms
  • No SQL concatenation (use EF Core)
  • No unsafe deserialization
  • Logging doesn't expose sensitive data

Testing Security

// Example: Test for path traversal protection
[Fact]
public void FileManager_PathTraversal_Blocked()
{
    var manager = new FileManager(baseDir);
    var result = manager.GetFile("../../etc/passwd");

    Assert.False(result.IsSuccess);
    Assert.Contains("traversal", result.Error.Message);
}

// Example: Test encryption/decryption
[Fact]
public async Task Encryption_RoundTrip_Success()
{
    var data = "sensitive data";
    var encrypted = await _encryptor.EncryptAsync(data);
    var decrypted = await _encryptor.DecryptAsync(encrypted);

    Assert.NotEqual(data, encrypted); // Ensure actually encrypted
    Assert.Equal(data, decrypted);    // Ensure properly decrypted
}

Security Contact

Primary Contact: security@dropbear.com Response Time: 48 hours PGP Key: [Available on request]

For non-security issues, use standard GitHub issues: https://github.com/tkuchel/DropBear.Codex/issues


Acknowledgments

We thank the following researchers for responsible disclosure:

  • (No public reports yet)

Version History

2025.10.0 (October 29, 2025)

  • Initial security policy published
  • Comprehensive security audit completed
  • FIXED H1: Removed hardcoded default encryption key (Jumbler v03)
  • FIXED H2: Increased PBKDF2 iterations to 600,000 (OWASP 2023)
  • FIXED H3: Implemented random salt generation per operation
  • FIXED H4: Added connection string validation and security warnings
  • FIXED M1: Migrated key cache to ConcurrentDictionary (thread-safe)
  • Security grade improved: B+ → A-
  • Breaking changes: Jumbler format v03 incompatible with older versions

Future (2025.11.0)

  • Add path traversal protection (M4)
  • Implement FixedTimeEquals for hash comparison (M2)
  • Cross-platform DPAPI alternative (M3)
  • Target grade: A

Last Updated: October 29, 2025 Next Review: November 2025

There aren't any published security advisories