We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 9.x | ✅ |
| 8.x | ✅ |
| < 8.0 | ❌ |

We take the security of CommandDotNet seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:
- Open a public GitHub issue
- Disclose the vulnerability publicly before we've had a chance to address it

Report security vulnerabilities using one of these methods:
- Create a private security advisory on GitHub (preferred for sensitive issues); see GitHub's documentation on security advisories
- Create a GitHub issue mentioning @drewburlingame
- Post in Discord at https://discord.gg/QFxKSeG and mention the maintainers
Please include the following information in your report:
- Type of vulnerability (e.g., remote code execution, information disclosure, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Please note: CommandDotNet is maintained as a free-time open source project. While we take security seriously, we cannot guarantee specific response times.

- Acknowledgment: We will acknowledge your report when we are able to review it.
- Verification: We will work to verify the vulnerability and determine its impact.
- Fix: Once verified, we will develop and test a fix as our schedules allow.
- Release: We will release a patch for supported versions.
- Disclosure: After the patch is released, we will publicly disclose the vulnerability. We will credit you for the discovery unless you prefer to remain anonymous.

When a security vulnerability is confirmed:
- A fix will be developed and tested
- A new release will be published with the security fix
- The vulnerability will be disclosed in the release notes
- A security advisory will be published on GitHub
When using CommandDotNet in your applications:

- Keep Dependencies Updated: Regularly update to the latest version of CommandDotNet to receive security patches.
- Input Validation: Always validate user input, even though CommandDotNet provides type conversion and validation features.
- Sensitive Data: Never log or display sensitive information (passwords, tokens, etc.) in command output or help text.
- File System Access: Be cautious when accepting file paths from users. Validate and sanitize paths to prevent directory traversal attacks.
- Command Injection: When executing external commands based on user input, properly sanitize and validate the input.
- Dependency Scanning: Use tools like Dependabot or Snyk to monitor your dependencies for known vulnerabilities.

CommandDotNet includes several security-focused features:

- Password Type: Use `[Option] Password Password { get; set; }` to mask password input
- Type Safety: Strong typing helps prevent injection attacks
- Input Validation: Built-in validation with FluentValidation and DataAnnotations support
- Secure Defaults: Safe default configurations

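The following command puts the best practices above (path validation, not logging secrets, passing user input to external processes without a shell) together with the `Password` type. It is an added example written for this page, not code from the CommandDotNet project. `ExportCommand`, `ResolveInsideBase`, `BuildListing`, the `export` verb and the temp-based export directory are hypothetical; `[Option]`, `[Operand]`, `Password` and `AppRunner<T>` are the library's own API, and the example assumes `Password.GetPassword()` returns the clear text while `Password.ToString()` returns a masked value.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using CommandDotNet;

// Added example, not part of CommandDotNet. Demonstrates: directory-traversal
// checks on a user-supplied path, keeping a Password out of logs, and invoking
// an external process with an argument list instead of a shell command string.
public class ExportCommand
{
    // Constructed base directory the command is allowed to write under (hypothetical).
    private static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "commanddotnet-exports"));

    public void Export(
        [Operand] string outputPath,     // user-controlled, validated below
        [Option] Password apiToken)      // masked when rendered by CommandDotNet
    {
        // File System Access: resolve the path and refuse anything that escapes BaseDir.
        string resolved = ResolveInsideBase(BaseDir, outputPath);
        if (resolved == null)
        {
            Console.Error.WriteLine("error: output path must stay within the export directory");
            return;
        }

        // Sensitive Data: interpolating the Password object prints its masked form,
        // never the clear text. Only GetPassword() exposes the real value.
        Console.WriteLine($"exporting to {resolved} using token {apiToken}");
        string token = apiToken.GetPassword();

        // Command Injection: hand the validated path to the child process as a discrete
        // argument (UseShellExecute = false, ArgumentList) so no shell ever parses it.
        ProcessStartInfo psi = BuildListing(resolved);
        Directory.CreateDirectory(Path.GetDirectoryName(resolved)!);
        File.WriteAllText(resolved, $"export written with a token of length {token.Length}\n");
        using Process p = Process.Start(psi)!;
        Console.Out.Write(p.StandardOutput.ReadToEnd());
        p.WaitForExit();
    }

    // Returns the canonical absolute path for userPath under baseDir, or null when the
    // input is empty, absolute, or normalises to a location outside baseDir ("../..").
    public static string? ResolveInsideBase(string baseDir, string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath) || Path.IsPathRooted(userPath))
            return null;

        string full = Path.GetFullPath(Path.Combine(baseDir, userPath));
        string prefix = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                        + Path.DirectorySeparatorChar;

        // Ordinal comparison; on case-insensitive file systems consider OrdinalIgnoreCase.
        return full.StartsWith(prefix, StringComparison.Ordinal) ? full : null;
    }

    // Builds a process invocation that lists the exported file. The path travels in
    // ArgumentList, so characters like ';' or '&&' in a file name are just part of the name.
    public static ProcessStartInfo BuildListing(string validatedPath)
    {
        bool windows = OperatingSystem.IsWindows();
        var psi = new ProcessStartInfo
        {
            FileName = windows ? "cmd.exe" : "ls",
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };
        if (windows)
        {
            psi.ArgumentList.Add("/c");
            psi.ArgumentList.Add("dir");
        }
        else
        {
            psi.ArgumentList.Add("-l");
        }
        psi.ArgumentList.Add(validatedPath);
        return psi;
    }

    public static int Main(string[] args)
    {
        Directory.CreateDirectory(BaseDir);
        // e.g.  dotnet run -- export reports/today.txt --api-token s3cret
        return new AppRunner<ExportCommand>().Run(args);
    }
}
```

Run with `export ../../etc/passwd --api-token x` and `ResolveInsideBase` returns null, so nothing is written; run with `export reports/today.txt --api-token s3cret` and the console line shows the masked token rather than `s3cret`. The Windows branch still goes through `cmd.exe` because `dir` is a shell builtin; the path is nevertheless passed as its own argument rather than concatenated into a command line.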
If you have questions about security but don't believe you've found a vulnerability, please:
- Open a GitHub Discussion
- Join us on Discord