docs: improve & expand security documentation #317

Merged
merged 1 commit into from
Jan 5, 2025

Stebalien
Owner

Alternative to #311 (this patch includes a few miscellaneous documentation fixes from that PR as well).

The previous documentation didn't sufficiently cover permissions issues and mixed all the security concerns into a single section. This patch separates things out into separate sections and hopefully makes all this easier to understand.

This patch also documents the DoS mitigation introduced in #314 (I started writing this documentation first then decided that I'd rather just fix the DoS vector...).

I've also removed the link to the OWASP documentation to avoid confusing users (their documentation is mostly concerned with low-level C and platform-specific temporary file creation functions).

Alternative to #311 (this patch includes a few miscellaneous
documentation fixes from that PR as well).

The previous documentation didn't sufficiently cover permissions issues
and mixed all the security concerns into a single section. This patch
separates things out into separate sections and hopefully makes all this
easier to understand.

This patch also documents the DOS mitigation introduced in #314.

I've also removed the link to the OWASP documentation to avoid confusing
users (their documentation is mostly concerned with low-level C and
platform-specific temporary file creation functions).
Contributor

@n0toose n0toose left a comment

This is straight to the point and does not cram everything into one place. I definitely prefer this over #311. It provides enough context for the implementer to decide what works best for them.

@Stebalien Stebalien merged commit 3a722e8 into master Jan 5, 2025
14 checks passed
@Stebalien Stebalien deleted the steb/fix-docs branch January 5, 2025 18:02
@n0toose
Contributor

n0toose commented Jan 5, 2025

P.S. I used your documentation as a point of reference today, as I was reviewing whether my usage of your crate was sane. I think I have to mention that it was immensely helpful from my perspective. I found the explanations in the sections "Denial of Service" and "Temporary File Cleaners" to be very, very good. I really liked the step-by-step Mitigations and the short explanations as to whether "this problem is likely to affect the developer in any capacity whatsoever".

@Stebalien
Owner Author

I'm glad it was helpful!
