| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
Please do not open a public GitHub issue for security vulnerabilities.
Email security reports to: technology@endevsols.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your name / handle (for credit, if desired)
We will acknowledge within 48 hours and aim to release a patch within 14 days for confirmed critical vulnerabilities.
LongParser processes arbitrary user-supplied documents and routes them through LLMs. Key risks:
| Risk | Mitigation |
|---|---|
| Prompt injection via documents | System prompt explicitly forbids following <CONTEXT> instructions |
| File upload exploits | MIME allowlist, 100MB size cap, streaming write to isolated path |
| API key leakage | Keys never logged; only SHA-256 hash used as tenant_id |
| MongoDB injection | Motor driver + typed Pydantic inputs prevent injection |
| SSRF via webhook | No outbound HTTP made based on user input |
| Hallucinated citations | Citation IDs validated against retrieved set before returning to client |
We use uv for deterministic dependency resolution. Run:
uv audit # Check for known vulnerabilities in dependencies