We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue in RailJS, please report it by:
- DO NOT open a public issue
- Email the details to the repository maintainers via GitHub
- Open a private security advisory on GitHub
Please include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
- Your contact information
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies by severity
  - Critical: Within 7 days
  - High: Within 30 days
  - Medium: Within 90 days
  - Low: Next minor release
- We will acknowledge receipt of your report
- We will provide regular updates on our progress
- We will notify you when the vulnerability is fixed
- We will credit you in the security advisory (unless you prefer to remain anonymous)
When using RailJS:
Always validate event data before processing:
```js
rail.on('user.input', (data) => {
  // Validate input
  if (!data || typeof data.text !== 'string') {
    return;
  }
  // Sanitize
  const clean = sanitize(data.text);
  // Process
  processInput(clean);
}, 'input-handler');
```

Never use eval() or Function() with event data:
```js
// ❌ DANGEROUS
rail.on('execute', (data) => {
  eval(data.code); // Never do this!
});

// ✅ SAFE
rail.on('execute', (data) => {
  // Use a safe alternative like a whitelist of functions.
  // Check own properties only, so inherited names such as 'toString' or
  // 'constructor' from Object.prototype cannot be selected via data.action.
  const allowedActions = { add, subtract, multiply };
  if (typeof data.action === 'string' &&
      Object.prototype.hasOwnProperty.call(allowedActions, data.action)) {
    allowedActions[data.action](data.params);
  }
});
```

RailJS provides data isolation via deep cloning. Keep this enabled for untrusted data:
```js
// ✅ Safe: Cloning enabled (default)
const rail = new Rail({ clone: true });

// ⚠️ Only disable for trusted, internal modules
const fastRail = new Rail({ clone: false });
```

Implement rate limiting for public-facing modules:
```js
const rateLimiter = {
  name: 'rate-limiter',
  limits: new Map(),      // userId -> { count, windowStart }
  maxPerWindow: 100,      // example values; tune them for your service
  windowMs: 60 * 1000,
  connect(rail) {
    rail.on('public.api', (data) => {
      if (this.isRateLimited(data.userId)) {
        rail.emit('rate-limit.exceeded', { userId: data.userId });
        return;
      }
      // Process request
    }, 'rate-limiter');
  },
  isRateLimited(userId) {
    // Fixed-window counter: start a fresh window once the old one has elapsed
    const now = Date.now();
    const entry = this.limits.get(userId);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.limits.set(userId, { count: 1, windowStart: now });
      return false;
    }
    entry.count += 1;
    return entry.count > this.maxPerWindow;
  }
};
```

Don't leak sensitive information in error messages:
```js
rail.on('rail.error', (data) => {
  // ❌ Don't expose internals
  console.log('Error:', data.error.stack);

  // ✅ Log safely
  logger.error('Module error', {
    module: data.module,
    event: data.event,
    // Sanitize error message
    message: sanitizeError(data.error)
  });
}, 'error-logger');
```

Keep dependencies updated:
```bash
# Check for vulnerabilities
npm audit
# Fix vulnerabilities
npm audit fix
```

While deep cloning provides data isolation, it has performance implications:
- Trade-off: Safety vs Speed
- Recommendation: Keep cloning enabled unless performance testing shows it's a bottleneck
- Risk: Disabling cloning allows modules to mutate shared data
Event history stores all emitted events:
```js
// History grows unbounded by default
const rail = new Rail();
rail.emit('event', sensitiveData); // Stored in history!

// Clear history periodically
rail.clearHistory();
```

Modules have full access to the Rail instance:
- Only attach trusted modules
- Review third-party modules before use
- Modules can emit any event, including system events
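One way to limit what a third-party module can do, as an added example that is not RailJS's own code: attach the module through a facade that exposes only the events it was granted, instead of the full Rail instance. It assumes the `on(event, handler, name)`, `emit(event, data)` and `connect(rail)` shapes used on this page; `MiniRail` and `noisyModule` are constructed stand-ins so it runs without RailJS.

```javascript
// Constructed stand-in for a Rail with cloning enabled (not RailJS itself).
class MiniRail {
  constructor() { this.handlers = new Map(); this.history = []; }
  on(event, handler, name) {
    if (!this.handlers.has(event)) this.handlers.set(event, []);
    this.handlers.get(event).push({ handler, name });
  }
  emit(event, data) {
    this.history.push({ event, data });
    const copy = JSON.parse(JSON.stringify(data)); // simple deep clone (clone: true)
    for (const { handler } of this.handlers.get(event) ?? []) handler(copy);
  }
}

// Wrap `rail` so the module can only subscribe to `canListen` and emit
// `canEmit`; 'rail.*' system events are never emittable through the facade.
// Violations are recorded rather than thrown so the host can log them.
function connectScoped(rail, module, { canListen = [], canEmit = [] }) {
  const listen = new Set(canListen);
  const emit = new Set(canEmit.filter((e) => !e.startsWith('rail.')));
  const violations = [];
  const facade = {
    on(event, handler, name) {
      if (!listen.has(event)) { violations.push({ type: 'on', event }); return; }
      rail.on(event, handler, `${module.name}:${name}`);
    },
    emit(event, data) {
      if (!emit.has(event)) { violations.push({ type: 'emit', event }); return; }
      rail.emit(event, data);
    },
  };
  module.connect(facade);
  return violations;
}

// Constructed third-party module that oversteps its grant.
const noisyModule = {
  name: 'noisy',
  connect(r) {
    r.on('public.api', () => r.emit('metrics.hit', { n: 1 }), 'counter'); // allowed
    r.on('rail.error', () => {}, 'spy');                                  // not granted
    r.emit('rail.error', { error: 'forged' });                            // system event
  },
};

const rail = new MiniRail();
const violations = connectScoped(rail, noisyModule, {
  canListen: ['public.api'], canEmit: ['metrics.hit', 'rail.error'],
});
rail.emit('public.api', { userId: 'u1' });
```

The returned `violations` list is what the host would log; the module's allowed subscription and emit still flow through the real rail under a name prefixed with the module's own.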
Security updates will be released as:
- Patch versions for security fixes in current minor version
- Security advisories on GitHub
- npm security advisories
Subscribe to:
- GitHub repository notifications
- npm package updates
- Security advisories
For security concerns, please use GitHub's private security advisory feature or contact the maintainers directly through the repository.
We appreciate responsible disclosure and will acknowledge security researchers who report vulnerabilities.