Security: ProgrammerNomad/DevStackBox

docs/SECURITY.md

DevStackBox - Security Policy

How DevStackBox handles security, what operations are unsafe, and how to report vulnerabilities.


Supported Versions

Version     Security Fixes
v0.1.6+     Yes
< v0.1.6    No - update immediately

Reporting a Vulnerability

Do NOT report security issues in public GitHub Issues.

Send to: shiv@srapsware.com

Include:

  • DevStackBox version
  • Operating system and version
  • Steps to reproduce
  • What the impact is
  • Whether you have a suggested fix

Response time: within 7 days.

You will receive credit in the release notes when the issue is fixed unless you request otherwise.


What DevStackBox Does (Security Context)

DevStackBox is a local developer tool. Knowing what it does makes its security boundaries clear.

What it does:

  • Starts and stops Apache, MySQL, and PHP processes
  • Reads and writes config files (php.ini, httpd.conf, my.cnf)
  • Downloads PHP binaries from windows.php.net (Phase 3 feature)
  • Edits Windows hosts file for virtual hosts (requires elevation)
  • Reads log files from disk
  • Opens browser windows to localhost
  • Creates Windows directory junctions for PHP version switching

What it does NOT do:

  • Connect to any external server except windows.php.net for PHP downloads
  • Collect telemetry or usage data
  • Send any data to any cloud service
  • Require internet access for normal operation

Unsafe Operations and How They Are Handled

Binary Execution

DevStackBox executes these binaries:

  • apache/bin/httpd.exe
  • mysql/bin/mysqld.exe
  • php/8.3/php.exe

Risk: If binaries are replaced by a malicious actor with filesystem access, the app will execute the replacement.

Mitigation: None at runtime yet. DevStackBox does NOT verify binary checksums at runtime (current limitation; see docs/KNOWN_ISSUES.md). Adding this check is a future improvement.

Rule: Always install DevStackBox to a directory you control. Do NOT run it from a shared/network drive.

Config File Editing

DevStackBox reads and writes config/php.ini, config/httpd.conf, config/my.cnf.

Risk: A malicious config could cause Apache/MySQL to expose services beyond localhost.

Default behavior: All configs generated by DevStackBox bind services to 127.0.0.1 only. Do not manually change bind addresses unless you understand the implications.

PHP Downloads (Phase 3, Not Yet Implemented)

When download_php_version is implemented, it will download from windows.php.net.

Planned security requirements before this ships:

  1. Download over HTTPS only
  2. Verify SHA-256 checksum against windows.php.net checksums page
  3. Do NOT execute downloaded files until checksum passes
  4. Show the checksum verification result in the UI

Current state: This feature is a stub. No download happens. See docs/KNOWN_ISSUES.md ISSUE-003.
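
Requirements 2 and 3 as a verify-then-promote gate, added here as an example and not DevStackBox code (the feature is still a stub). The names sha256_hex and verify_and_promote and the staged-file convention are assumptions, and SHA-256 is written out with the standard library only so the block has no dependencies.

```rust
use std::{fs, io, path::Path};

// SHA-256 (FIPS 180-4) using std only so the example runs without crates;
// it stands in for a vetted hashing crate, which a real build should use.
pub fn sha256_hex(data: &[u8]) -> String {
    // Constants: fractional parts of cube/square roots of the first primes.
    let primes: Vec<u32> = (2u32..).filter(|c| (2..*c).all(|d| c % d != 0)).take(64).collect();
    let frac = |x: f64| (x.fract() * 4294967296.0) as u32;
    let k: Vec<u32> = primes.iter().map(|&p| frac((p as f64).cbrt())).collect();
    let mut h: Vec<u32> = primes[..8].iter().map(|&p| frac((p as f64).sqrt())).collect();
    let mut msg = [data, &[0x80u8][..]].concat();
    while msg.len() % 64 != 56 { msg.push(0); }
    msg.extend_from_slice(&((data.len() as u64) * 8).to_be_bytes());
    for block in msg.chunks(64) {
        let mut w = [0u32; 64];
        for i in 0..16 {
            w[i] = u32::from_be_bytes([block[4 * i], block[4 * i + 1], block[4 * i + 2], block[4 * i + 3]]);
        }
        for i in 16..64 {
            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
        }
        let mut v = [0u32; 8];
        v.copy_from_slice(&h);
        for i in 0..64 {
            let [a, b, c, d, e, f, g, hh] = v;
            let t1 = hh.wrapping_add(e.rotate_right(6) ^ e.rotate_right(11) ^ e.rotate_right(25))
                .wrapping_add((e & f) ^ (!e & g)).wrapping_add(k[i]).wrapping_add(w[i]);
            let t2 = (a.rotate_right(2) ^ a.rotate_right(13) ^ a.rotate_right(22))
                .wrapping_add((a & b) ^ (a & c) ^ (b & c));
            v = [t1.wrapping_add(t2), a, b, c, d.wrapping_add(t1), e, f, g];
        }
        for i in 0..8 { h[i] = h[i].wrapping_add(v[i]); }
    }
    h.iter().map(|x| format!("{x:08x}")).collect()
}

/// Promote a staged download to `dest` only if its digest equals the published one.
pub fn verify_and_promote(staged: &Path, expected_hex: &str, dest: &Path) -> io::Result<()> {
    let actual = sha256_hex(&fs::read(staged)?);
    if !actual.eq_ignore_ascii_case(expected_hex.trim()) {
        fs::remove_file(staged)?; // do not leave an unverified archive behind
        return Err(io::Error::new(io::ErrorKind::InvalidData, format!("SHA-256 mismatch: got {actual}")));
    }
    fs::rename(staged, dest)
}

fn main() { println!("{}", sha256_hex(b"abc")); }
```

The Ok or Err returned by verify_and_promote is the value requirement 4 would surface in the UI.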

Windows hosts File (Phase 3)

Virtual host creation will require editing C:\Windows\System32\drivers\etc\hosts.

Risk: Incorrect edits can break DNS resolution for the entire system.

Planned mitigation:

  • Always back up hosts before editing
  • Only append/remove DevStackBox-managed entries (marked with comments)
  • Require UAC elevation prompt before writing
  • Provide one-click restore of original hosts
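
The planned hosts handling as an added example, not DevStackBox code: entries live between two marker comments, so an update or removal only touches lines the tool wrote. The marker text, the function names and the .devstackbox.bak backup name are assumptions, and the host-name check goes one step beyond the list above.

```rust
use std::{fs, io, path::Path};

// Hypothetical marker comments that delimit the lines DevStackBox owns.
const BEGIN: &str = "# BEGIN DevStackBox managed entries";
const END: &str = "# END DevStackBox managed entries";

/// Drop the managed block and keep every other line (the "restore" path).
pub fn strip_managed(hosts: &str) -> String {
    let (mut inside, mut out) = (false, String::new());
    for line in hosts.lines() {
        match line.trim() {
            BEGIN => inside = true,
            END => inside = false,
            _ if inside => {}
            _ => { out.push_str(line); out.push('\n'); }
        }
    }
    out
}

/// Replace the managed block with one 127.0.0.1 line per virtual host name.
pub fn apply_managed(hosts: &str, names: &[&str]) -> Result<String, String> {
    let mut out = strip_managed(hosts);
    if names.is_empty() { return Ok(out); }
    out.push_str(&format!("{}\n", BEGIN));
    for n in names {
        // Whitespace, newlines or '#' in a name could smuggle in extra entries.
        let ok = !n.is_empty() && n.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
        if !ok { return Err(format!("invalid host name: {n:?}")); }
        out.push_str(&format!("127.0.0.1 {n}\n"));
    }
    out.push_str(&format!("{}\n", END));
    Ok(out)
}

/// Back up, then write. The process must already be elevated (UAC) to succeed.
pub fn update_hosts_file(path: &Path, names: &[&str]) -> io::Result<()> {
    let current = fs::read_to_string(path)?;
    let updated = apply_managed(&current, names)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    fs::copy(path, path.with_extension("devstackbox.bak"))?;
    fs::write(path, updated)
}

fn main() {
    let sample = "127.0.0.1 localhost\n"; // constructed sample content
    print!("{}", apply_managed(sample, &["myapp.test"]).unwrap());
}
```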

Command Execution Rules

All backend commands in lib.rs must follow these rules:

  1. Never pass user-supplied strings directly into shell commands
  2. Use std::process::Command with discrete args, NOT shell string composition
  3. Validate service name against an allowlist (["mysql", "apache", "php"]) before using in paths
  4. Never execute arbitrary code from the frontend

Example of safe vs unsafe:

// UNSAFE - never do this: user_input ends up in a string that cmd.exe parses
Command::new("cmd").arg(format!("/C start {}", user_input));

// SAFE - the service name only selects a fixed branch
match service.as_str() {
    "mysql" => { /* execute mysqld.exe */ }
    "apache" => { /* execute httpd.exe */ }
    _ => return Err("Unknown service".to_string()),
}

Path Traversal Prevention

When reading or writing files based on service name:

  1. Always resolve paths through get_installation_path().join("known_subdir")
  2. Never concatenate user input directly into file paths
  3. Never allow .. in any user-supplied path component
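
The command execution rules and the path rules above combined in one added example; this is not the project's lib.rs. Service, service_command and safe_child are hypothetical names, and the install parameter stands for the value get_installation_path() returns.

```rust
use std::path::{Component, Path, PathBuf};
use std::process::Command;

/// Allowlisted services; any other name is rejected before a path is built.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Service { Mysql, Apache, Php }

impl Service {
    pub fn parse(name: &str) -> Result<Self, String> {
        match name {
            "mysql" => Ok(Service::Mysql),
            "apache" => Ok(Service::Apache),
            "php" => Ok(Service::Php),
            _ => Err("Unknown service".to_string()),
        }
    }
    /// Fixed relative binary path per service, as listed in this policy.
    fn binary(self) -> &'static str {
        match self {
            Service::Mysql => "mysql/bin/mysqld.exe",
            Service::Apache => "apache/bin/httpd.exe",
            Service::Php => "php/8.3/php.exe",
        }
    }
}

/// Build the command with discrete args; no shell ever parses the values.
pub fn service_command(install: &Path, name: &str, args: &[&str]) -> Result<Command, String> {
    let mut cmd = Command::new(install.join(Service::parse(name)?.binary()));
    cmd.args(args);
    Ok(cmd)
}

/// Accept a user-supplied file name only if it is a single plain component.
/// '\\' and ':' are checked explicitly so the result is the same on every OS.
pub fn safe_child(install: &Path, subdir: &str, name: &str) -> Result<PathBuf, String> {
    let mut parts = Path::new(name).components();
    match (parts.next(), parts.next()) {
        (Some(Component::Normal(n)), None) if !name.contains(&['/', '\\', ':'][..]) => {
            Ok(install.join(subdir).join(n))
        }
        _ => Err(format!("rejected path component: {name:?}")),
    }
}

fn main() {
    let install = Path::new("C:/DevStackBox"); // hypothetical install dir
    println!("{:?}", service_command(install, "apache", &["-k", "start"]));
    println!("{:?}", safe_child(install, "config", "..\\..\\Windows\\win.ini"));
}
```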

Windows Defender / Antivirus

Known issue: Tauri apps bundling unsigned native binaries (Apache, MySQL, PHP) can trigger Windows Defender SmartScreen or antivirus false positives.

Current status: Binaries are not code-signed.

User guidance:

  • If SmartScreen blocks the installer: click "More info" → "Run anyway"
  • If antivirus flags the binary: the installer is downloaded from GitHub Releases - verify the SHA-256 hash listed on the release page before running
  • Add the DevStackBox installation directory to antivirus exclusions if it repeatedly flags service binaries

Future plan: Add code signing (see docs/ROADMAP.md Phase 4.4). Until then, publish SHA-256 hashes on every GitHub Release.


MySQL Default Security

The auto-generated my.cnf and startup configuration:

  • Binds MySQL to 127.0.0.1 only (not 0.0.0.0)
  • Default root password: empty (this is acceptable for local dev, not for production)
  • No remote connections allowed by default

Important: DevStackBox is for LOCAL DEVELOPMENT ONLY. Never expose the MySQL or Apache ports to a public network.


Apache Default Security

The auto-generated httpd.conf:

  • Listens on port 80 (localhost only by default)
  • ServerTokens Prod to hide version info
  • Directory listing disabled for all directories except www/

Privilege Escalation Notes

DevStackBox does NOT run as administrator normally. Operations that require elevation:

  • Creating Windows directory junctions on older Windows setups (mklink /J)
  • Editing C:\Windows\System32\drivers\etc\hosts (virtual hosts feature)
  • Writing to C:\Program Files\DevStackBox\ after installation

When elevation is required, Tauri will trigger a UAC prompt. DevStackBox will not silently attempt elevated operations.


What DevStackBox Does Not Do (Explicit)

  • No telemetry collection
  • No crash report uploads (user must manually submit GitHub Issues)
  • No license enforcement or phone-home
  • No automatic config changes without user action
  • No background services that run when the app is closed (except the services you explicitly start)
