The MITRE team takes security seriously. If you discover a security vulnerability in the settingslogic fork, please report it responsibly.

• Email: saf-security@mitre.org
• GitHub: Use the Security tab to report vulnerabilities privately
• Direct Contact: lippold@gmail.com for urgent issues

When reporting security issues, please provide:

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Affected versions (Ruby version, settingslogic version)
4. Potential impact assessment
5. Suggested fix (if you have one)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix Timeline: Depends on severity
  • Critical: Within 1 week
  • High: Within 2 weeks
  • Medium: Within 1 month
  • Low: Next release

This gem uses YAML for configuration files with secure defaults:

• Default: Uses YAML.safe_load to prevent arbitrary code execution
• Permitted classes: Symbol, Date, Time, DateTime, BigDecimal
• Customizable: Add your own classes via Settingslogic.yaml_permitted_classes
• YAML aliases: Fully supported with aliases: true parameter

⚠️ Important: Configuration files should be:

• Stored in secure locations
• Not user-uploadable
• Protected with appropriate file permissions

Configuration files support ERB templates. This means:

• Environment variables can be embedded
• Ruby code can be executed during configuration loading

Best Practices:

# Good - using environment variables
production:
  secret_key: <%= ENV['SECRET_KEY_BASE'] %>
  
# Avoid - executing arbitrary code
production:
  value: <%= `whoami` %>  # Don't do this!

The gem can load configuration from:

• Local files (recommended)
• HTTP/HTTPS URLs (use with caution)

For production environments, always use local files with proper permissions.

• YAML deserialization security: Replaced YAML.unsafe_load with YAML.safe_load to prevent arbitrary object instantiation (addresses CVE-2022-32224 pattern)
• Removed open-uri vulnerability: Replaced open-uri with Net::HTTP to prevent SSRF attacks
• Protocol validation: Explicitly blocks dangerous protocols (file://, ftp://, gopher://, etc.)
• Safe YAML loading: Default permitted classes: Symbol, Date, Time, DateTime, BigDecimal
• Input sanitization: Dynamic method names validated with /^\w+$/ to prevent code injection

• No automatic redirects: HTTP client doesn't follow redirects automatically
• Controlled deserialization: Prevents arbitrary object instantiation in YAML
• Proper error handling: Security errors fail safely without exposing internals
• Comprehensive testing: 18 security-specific test cases added

• CVE-2020-8287 (related): Uses vulnerable open-uri for URL loading
• No Psych 4 support (Ruby 3.1+ compatibility issues)
• Uses deprecated YAML.load without restrictions
• No security updates since 2012

• All known security issues have been addressed
• Regular security audits via bundler-audit
• Active maintenance by MITRE SAF team
• Comprehensive security test coverage (94.63%)

We follow responsible disclosure:

1. Security issues are fixed in private
2. Patches are released with security advisories
3. Credit is given to reporters (unless they prefer anonymity)

• MITRE CVE Database
• Ruby Security Advisories
• Rails Security Guide