diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..db9b563c8 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,88 @@ +# Security policy + +Thanks for taking the time to help keep `fg-data-profiling` (formerly +`ydata-profiling`, formerly `pandas-profiling`) and its users secure. + +## Supported versions + +Security fixes are applied to the **latest minor release** on PyPI and +to the project's `develop` branch. Earlier minors are best-effort only. + +| Version line | Supported | +|---------------|-----------------| +| `develop` | yes | +| latest 4.x | yes | +| older 4.x | best-effort | +| 3.x and older | no longer maintained | + +The current supported Python range is declared in +[`pyproject.toml`](./pyproject.toml). + +## Reporting a vulnerability + +**Please do NOT open a public GitHub issue or pull request for security +problems.** Reports filed publicly give attackers a head-start before a +patched release is available. + +You have two private channels: + +1. **GitHub Security Advisory** — preferred. Use + [Security Advisories → "Report a vulnerability"](https://github.com/Data-Centric-AI-Community/fg-data-profiling/security/advisories/new) + on this repository. GitHub provides an end-to-end encrypted thread + with the maintainers and lets us coordinate a fix + CVE without + exposing the report. +2. **Email** — send a description to `opensource@ydata.ai`. Encrypt with + the maintainers' public keys if possible. Include "fg-data-profiling + security" in the subject line so the report is routed correctly. + +Please include, at minimum: + +- a clear description of the issue and its impact (what an attacker can + do, on which versions); +- a minimal reproducer or proof-of-concept; +- the affected component (e.g. HTML report rendering, Spark backend, + serialization, dependency surface); +- any suggested mitigation or patch you already have in mind. + +## What to expect + +- **Initial reply within 5 business days** acknowledging receipt and + routing the report to the right maintainer. +- A coordinated-disclosure timeline — typically 30–90 days depending on + the severity and complexity of the fix. +- A patched release on PyPI plus a public advisory once the fix lands. + Reporters who wish to be credited will be named in the advisory and + the release notes. +- If we determine the report is not a vulnerability (e.g. an unsupported + configuration, a third-party dependency issue best filed upstream), + we will explain that decision and, where useful, point you at the + right place to file it. + +## Out of scope + +The following are not vulnerabilities in this project on their own: + +- Bugs in unsupported versions (see the table above). +- Issues that require an attacker to already have local code execution + or filesystem write access on the user's machine. +- Findings that depend on running the library on **untrusted dataframes + or HTML output that the user has explicitly chosen to render in their + browser**. The HTML report is meant to be rendered locally by trusted + users; sharing a generated report with an untrusted party is the + user's responsibility. +- Vulnerabilities in transitive dependencies — please file those upstream + with the appropriate project. We are happy to review pinning changes + here once a fixed version is published upstream. + +## Hall of fame + +Security researchers credited in past advisories will be listed here as +those advisories are published. + +--- + +*This file responds to issue +[#1499](https://github.com/Data-Centric-AI-Community/fg-data-profiling/issues/1499). +GitHub recommends every public OSS repository ship a `SECURITY.md` +([documentation](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository)) +so that vulnerability reports have a clear, private channel.* diff --git a/tests/issues/test_issue1499.py b/tests/issues/test_issue1499.py new file mode 100644 index 000000000..b46fc1e80 --- /dev/null +++ b/tests/issues/test_issue1499.py @@ -0,0 +1,60 @@ +""" +Test for issue 1499: +https://github.com/Data-Centric-AI-Community/fg-data-profiling/issues/1499 + +Repository hygiene: ship a SECURITY.md describing a private channel for +vulnerability reports, as recommended by GitHub's repo-security +documentation +(https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). + +The test below would fail on origin/develop (no SECURITY.md present) and +passes on the fix branch. It also asserts the file mentions the keys a +researcher needs in order to actually use the policy: a private reporting +channel, a reply-time expectation, and a "do not file public issues" +warning. +""" + +from pathlib import Path + +REPO_ROOT = Path(__file__).resolve().parents[2] + + +def test_security_md_exists_at_repo_root(): + """GitHub auto-detects SECURITY.md in the repo root, /docs, or /.github.""" + candidates = [ + REPO_ROOT / "SECURITY.md", + REPO_ROOT / ".github" / "SECURITY.md", + REPO_ROOT / "docs" / "SECURITY.md", + ] + found = [p for p in candidates if p.is_file()] + assert found, "Expected a SECURITY.md at one of: " + ", ".join( + str(p.relative_to(REPO_ROOT)) for p in candidates + ) + + +def test_security_md_describes_a_private_reporting_channel(): + path = next( + p + for p in [ + REPO_ROOT / "SECURITY.md", + REPO_ROOT / ".github" / "SECURITY.md", + REPO_ROOT / "docs" / "SECURITY.md", + ] + if p.is_file() + ) + text = path.read_text(encoding="utf-8").lower() + # The three things a researcher needs to know: + # 1. Where to report privately (advisory or email). + # 2. Not to file a public issue. + # 3. What response window to expect. + assert ( + "security advisory" in text + or "security advisories" in text + or "@" in text # an email address — the minimal alternative + ), "SECURITY.md must point to a private reporting channel (advisory or email)." + assert ( + "public" in text and "issue" in text + ), "SECURITY.md must warn against filing public issues for vulnerabilities." + assert any( + kw in text for kw in ("days", "business day", "response", "reply") + ), "SECURITY.md must give an expected response window."