From 82deb85c64ab8969c84b1f24707bd170cdbc1be6 Mon Sep 17 00:00:00 2001 From: Huang Xin Date: Wed, 8 Apr 2026 01:17:56 +0800 Subject: [PATCH] docs: add threat model and incident response plan to SECURITY.md (#3788) - Add Threat Model section covering assets, threat actors, attack surfaces, and mitigations for ebook parsing, cloud sync, OPDS integration, rendered HTML/JS, supply chain, and Tauri IPC - Add Incident Response Plan with triage, containment, remediation, disclosure, and post-incident review steps - Add severity definitions table Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- SECURITY.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 2df5be2a..f8a84141 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,69 @@ # Security Policy +## Threat Model + +### Overview + +Readest is a cross-platform e-reader (macOS, Windows, Linux, Android, iOS, Web) built on Next.js and Tauri. It processes user-supplied ebook files, syncs data to the cloud, integrates with external services (OPDS catalogs, KOReader, DeepL, Yandex), and handles user authentication. + +### Assets + +| Asset | Description | +| ------------------------------ | ------------------------------------------------------------------------------------ | +| Ebook files | User-uploaded EPUB, MOBI, PDF, and other formats stored locally and in cloud storage | +| Reading progress & annotations | Highlights, bookmarks, and notes synced across devices | +| User credentials | Authentication tokens and session data for cloud sync | +| User preferences & settings | Reading preferences, custom fonts, theme configurations | +| External API keys | Translation service credentials (DeepL, Yandex) configured by users | + +### Threat Actors + +| Actor | Motivation | +| ----------------------- | ---------------------------------------------------------- | +| Malicious ebook author | Craft a malformed file to exploit the parser or renderer | +| Network attacker (MitM) | Intercept sync traffic to steal credentials or inject data | +| Malicious OPDS server | Serve crafted catalog responses to exploit the client | +| Compromised dependency | Supply chain attack via npm or Cargo ecosystem | +| Unauthorized user | Access another user's synced library or annotations | + +### Attack Surfaces & Mitigations + +#### 1. Ebook File Parsing + +- **Risk:** Malformed EPUB/MOBI/PDF files could trigger parser bugs, path traversal, or script injection via embedded HTML/JS. +- **Mitigations:** Ebook content is rendered in a sandboxed iframe. External script execution is blocked. File parsing is isolated from the main process. + +#### 2. Cloud Sync & Authentication + +- **Risk:** Credential theft, session hijacking, or unauthorized access to another user's library data. +- **Mitigations:** All sync traffic uses HTTPS/TLS. Authentication tokens are stored securely (OS keychain/secure storage). Server-side authorization ensures users can only access their own data. + +#### 3. OPDS / External Catalog Integration + +- **Risk:** A malicious OPDS server could serve crafted XML to exploit the parser, or redirect downloads to malicious files. +- **Mitigations:** OPDS responses are parsed defensively. Users explicitly add catalog sources. Downloaded files are treated as untrusted user content. + +#### 4. Rendered HTML/JS in Ebook Content + +- **Risk:** Embedded JavaScript in EPUB files could attempt XSS or data exfiltration. +- **Mitigations:** Book content is rendered in a sandboxed iframe with scripting restrictions. Navigation outside the book context is blocked. + +#### 5. Supply Chain + +- **Risk:** Compromised npm or Cargo packages could introduce malicious code. +- **Mitigations:** Dependencies are pinned via `pnpm-lock.yaml` and `Cargo.lock`. Dependabot and GitHub's dependency review are enabled for automated vulnerability detection. + +#### 6. Desktop Native Code (Tauri) + +- **Risk:** Tauri IPC commands could be abused by malicious web content to access the filesystem or OS APIs. +- **Mitigations:** Tauri's allowlist restricts which IPC commands are exposed. File system access is scoped to the application data directory. + +### Out of Scope + +- Vulnerabilities in user's operating system or browser outside of Readest's control +- Physical access attacks to a user's device +- Issues in third-party services (DeepL, Yandex, Calibre) themselves + ## Supported Versions Readest does not currently maintain separate release channels. Security updates are provided only for the latest release series. @@ -35,3 +99,44 @@ What to expect after you report: Please keep vulnerability details private until a fix is available and the maintainers have approved disclosure. + +## Incident Response Plan + +When a security vulnerability is confirmed, we follow this process: + +### 1. Triage (Day 1–2) + +- Assign a severity level (Critical / High / Medium / Low) based on impact and exploitability. +- Identify affected versions, components, and users. +- Assign an owner responsible for coordinating the response. + +### 2. Containment (Day 1–3) + +- Assess whether an immediate mitigation or workaround can be published. +- Limit further exposure where possible (e.g., disable affected features, update dependencies). + +### 3. Remediation (Day 3–14, depending on severity) + +- Develop and internally review a fix. +- Validate the fix does not introduce regressions. +- Prepare a patched release and update changelog. + +### 4. Disclosure & Release + +- Coordinate disclosure timing with the reporter. +- Publish a GitHub Security Advisory with CVE if applicable. +- Release the patched version and notify users via release notes. + +### 5. Post-Incident Review + +- Document the root cause, timeline, and resolution. +- Update processes or controls to prevent recurrence. + +### Severity Definitions + +| Severity | Description | +| -------- | --------------------------------------------------------------------- | +| Critical | Remote code execution, full data compromise, or authentication bypass | +| High | Significant data exposure, privilege escalation, or denial of service | +| Medium | Limited data exposure or functionality disruption | +| Low | Minor issues with minimal security impact |