gui.do
Barazo AppView backend
barazo.forum
1# Security Policy
2
3## Supported Versions
4
5| Version | Supported |
6| ------- | ------------------ |
7| 1.x | :white_check_mark: |
8| < 1.0 | :x: |
9
10## Reporting a Vulnerability
11
12**Do not open a public issue for security vulnerabilities.**
13
14Instead, use GitHub's private vulnerability reporting:
15
161. Go to the repository
172. Click "Security" tab
183. Click "Report a vulnerability"
194. Fill in the details
20
21Or email: security@barazo.forum
22
23We will respond within 72 hours with next steps.
24
25## Security Scope for This Repo
26
27barazo-api is the AppView backend -- it handles authentication, user input, database access, and firehose ingestion. The following areas are in scope for security reports:
28
29### Authentication & Authorization
30
31- **OAuth bypass** -- circumventing AT Protocol OAuth flows, session hijacking, token leakage
32- **Authorization escalation** -- accessing admin/moderator endpoints without the required role
33- **Session management** -- JWT/session token weaknesses, missing expiration, replay attacks
34
35### Input Validation & Injection
36
37- **SQL injection** -- any path that bypasses Drizzle ORM parameterized queries
38- **NoSQL/command injection** -- Valkey command injection via unsanitized input
39- **Content injection** -- storing malicious content that bypasses DOMPurify sanitization
40- **Zod schema bypass** -- requests that circumvent Zod validation on API endpoints
41
42### AT Protocol & Firehose
43
44- **Firehose record manipulation** -- crafted AT Protocol records that exploit indexing logic
45- **DID spoofing** -- forging identity claims through manipulated DIDs or handles
46- **Cross-community data leaks** -- accessing data from communities the user is not authorized to view
47- **Deletion event bypass** -- circumventing GDPR deletion propagation via firehose replay
48
49### Rate Limiting & Abuse
50
51- **Rate limit bypass** -- circumventing per-endpoint or per-user rate limits
52- **Burst detection evasion** -- evading anti-spam burst detection thresholds
53- **First-post queue bypass** -- new accounts posting without moderation review
54- **Resource exhaustion** -- requests that cause excessive CPU, memory, or database load
55
56### Data Security
57
58- **BYOK key exposure** -- leaking user-provided AI API keys (encrypted with AES-256-GCM at rest)
59- **Backup data exposure** -- unencrypted PII in backup outputs
60- **Logging PII** -- personal data appearing in Pino structured logs
61- **Database role escalation** -- application role gaining DDL privileges reserved for the migration role
62
63## Security Practices
64
65- Strict TypeScript (`strict: true`, no `any`, no `@ts-ignore`)
66- All API endpoints validate input with Zod schemas
67- All user-generated content sanitized with DOMPurify
68- Drizzle ORM with parameterized queries only (no raw SQL)
69- Helmet middleware for security headers (CSP, HSTS, X-Frame-Options)
70- Rate limiting on all endpoints
71- Three-role database separation (migrator, app, readonly)
72- BYOK API keys encrypted at rest (AES-256-GCM)
73- Dependencies updated weekly via Dependabot
74- CodeQL security scanning on every PR
75- Structured logging via Pino (no `console.log` in production)
76
77## Disclosure Policy
78
79We follow responsible disclosure:
80
81- 90 days before public disclosure
82- Credit given to reporter (if desired)
83- CVE assigned when applicable