chore: import upstream snapshot with attribution
govulncheck / govulncheck (push) Has been cancelled
Lint / golangci-lint (push) Has been cancelled
Run Tests / Unit Tests (push) Has been cancelled
Run Tests / Etcd Integration Tests (push) Has been cancelled
Harness (E2E) / Harnesses (mock LLM) (push) Has been cancelled
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Has been cancelled
govulncheck / govulncheck (push) Has been cancelled
Lint / golangci-lint (push) Has been cancelled
Run Tests / Unit Tests (push) Has been cancelled
Run Tests / Etcd Integration Tests (push) Has been cancelled
Harness (E2E) / Harnesses (mock LLM) (push) Has been cancelled
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Has been cancelled
This commit is contained in:
+178
@@ -0,0 +1,178 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
We actively support the following versions of go-micro:
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 5.x | :white_check_mark: |
|
||||
| 4.x | :x: |
|
||||
| 3.x | :x: |
|
||||
| < 3.0 | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
**Please do not report security vulnerabilities through public GitHub issues.**
|
||||
|
||||
### How to Report
|
||||
|
||||
Use GitHub's private security advisory feature:
|
||||
https://github.com/micro/go-micro/security/advisories/new
|
||||
|
||||
This keeps vulnerability reports private, ties follow-up to the affected repository, and avoids relying on project email routing.
|
||||
|
||||
### What to Include
|
||||
|
||||
Please include as much of the following information as possible:
|
||||
|
||||
- Type of vulnerability (e.g., RCE, XSS, SQL injection, etc.)
|
||||
- Full paths of source file(s) related to the vulnerability
|
||||
- Location of the affected source code (tag/branch/commit or direct URL)
|
||||
- Step-by-step instructions to reproduce the issue
|
||||
- Proof-of-concept or exploit code (if possible)
|
||||
- Impact of the issue, including how an attacker might exploit it
|
||||
|
||||
### Response Timeline
|
||||
|
||||
- **Acknowledgment**: Within 48 hours
|
||||
- **Initial Assessment**: Within 5 business days
|
||||
- **Fix Timeline**: Depends on severity
|
||||
- Critical: 7 days
|
||||
- High: 14 days
|
||||
- Medium: 30 days
|
||||
- Low: Next release cycle
|
||||
|
||||
### Disclosure Policy
|
||||
|
||||
- We follow **coordinated disclosure**
|
||||
- We'll work with you to understand and fix the issue
|
||||
- We'll credit you in the security advisory (unless you prefer to remain anonymous)
|
||||
- Please give us reasonable time to fix before public disclosure
|
||||
- We'll publish a security advisory on GitHub when the fix is released
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
When using go-micro in production:
|
||||
|
||||
### TLS/Transport Security
|
||||
|
||||
```go
|
||||
import "go-micro.dev/v5/transport"
|
||||
|
||||
// Enable TLS verification (recommended)
|
||||
os.Setenv("MICRO_TLS_SECURE", "true")
|
||||
|
||||
// Or use SecureConfig explicitly
|
||||
tlsConfig := transport.SecureConfig()
|
||||
```
|
||||
|
||||
See [TLS Security Update](internal/website/docs/TLS_SECURITY_UPDATE.md) for details.
|
||||
|
||||
### Authentication
|
||||
|
||||
```go
|
||||
import "go-micro.dev/v5/auth"
|
||||
|
||||
// Use JWT authentication
|
||||
service := micro.NewService(
|
||||
micro.Auth(auth.NewAuth()),
|
||||
)
|
||||
```
|
||||
|
||||
### Input Validation
|
||||
|
||||
Always validate and sanitize inputs in your handlers:
|
||||
|
||||
```go
|
||||
func (h *Handler) Create(ctx context.Context, req *Request, rsp *Response) error {
|
||||
// Validate input
|
||||
if req.Name == "" {
|
||||
return errors.BadRequest("handler.create", "name is required")
|
||||
}
|
||||
|
||||
// Sanitize and process
|
||||
// ...
|
||||
}
|
||||
```
|
||||
|
||||
### Rate Limiting
|
||||
|
||||
Implement rate limiting for public-facing services:
|
||||
|
||||
```go
|
||||
import "go-micro.dev/v5/client"
|
||||
|
||||
// Client-side rate limiting
|
||||
client.NewClient(
|
||||
client.RequestTimeout(time.Second * 5),
|
||||
client.Retries(3),
|
||||
)
|
||||
```
|
||||
|
||||
### Secrets Management
|
||||
|
||||
Never commit secrets to version control:
|
||||
|
||||
```go
|
||||
// Good: Use environment variables
|
||||
apiKey := os.Getenv("API_KEY")
|
||||
|
||||
// Better: Use a secrets manager
|
||||
import "github.com/hashicorp/vault/api"
|
||||
```
|
||||
|
||||
### Dependency Security
|
||||
|
||||
Regularly update dependencies:
|
||||
|
||||
```bash
|
||||
# Check for vulnerabilities
|
||||
go list -json -m all | nancy sleuth
|
||||
|
||||
# Update dependencies
|
||||
go get -u ./...
|
||||
go mod tidy
|
||||
```
|
||||
|
||||
## Known Security Considerations
|
||||
|
||||
### Reflection Usage
|
||||
|
||||
go-micro uses reflection for automatic handler registration. While this is a deliberate design choice for developer productivity, be aware:
|
||||
|
||||
- Type safety is enforced at runtime, not compile time
|
||||
- Malformed requests won't crash services (errors are returned)
|
||||
- See [Performance Considerations](internal/website/docs/performance.md)
|
||||
|
||||
### TLS Certificate Verification
|
||||
|
||||
**Default behavior in v5**: TLS certificate verification is **disabled** for backward compatibility.
|
||||
|
||||
**Production recommendation**: Enable secure mode:
|
||||
|
||||
```bash
|
||||
export MICRO_TLS_SECURE=true
|
||||
```
|
||||
|
||||
This will be the default in v6.
|
||||
|
||||
## Security Updates
|
||||
|
||||
Security updates are published as:
|
||||
- GitHub Security Advisories
|
||||
- Release notes with `[SECURITY]` prefix
|
||||
- CVE entries for critical issues
|
||||
|
||||
Subscribe to releases: https://github.com/micro/go-micro/releases
|
||||
|
||||
## Bug Bounty
|
||||
|
||||
We currently do not offer a bug bounty program, but we greatly appreciate responsible disclosure and will publicly credit researchers who report valid security issues.
|
||||
|
||||
## Questions?
|
||||
|
||||
For security questions that are not vulnerabilities, please:
|
||||
- Open a discussion: https://github.com/micro/go-micro/discussions
|
||||
- Join Discord: https://discord.gg/G8Gk5j3uXr
|
||||
|
||||
Reference in New Issue
Block a user