| Version | Supported |
|---|---|
| 0.1.x | Yes |
netcheck is designed with the following security principles:
- No command injection: All subprocess calls use argument arrays (
subprocess.run([...])) and nevershell=True. User input is never interpolated into shell commands. - Input validation: All hostnames, IP addresses, port numbers, and CIDR ranges are validated against strict patterns before processing.
- SSRF protection: When used as a library, private/internal IP ranges can be blocked to prevent Server-Side Request Forgery.
- Timeout enforcement: Every network operation has a configurable timeout to prevent resource exhaustion.
- Minimal dependencies: Only
dnspythonandcryptographyare required. No HTTP client libraries (e.g.,requests) are used.
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public GitHub issue.
- Email the maintainer directly with details of the vulnerability.
- Include steps to reproduce the issue if possible.
- Allow reasonable time for a fix before public disclosure.
We aim to acknowledge security reports within 48 hours and provide a fix within 7 days for critical issues.
The following are in scope for security reports:
- Command injection via hostnames, IPs, or other user input
- SSRF bypasses when
--no-privateis enabled - Denial of service through resource exhaustion
- Information disclosure
- Dependency vulnerabilities
- Features that require elevated privileges (ping, traceroute) behaving differently based on OS permissions
- Rate limiting effectiveness under extreme load
- Network-level attacks against the tool's traffic