Document security policy and threat model

lovasoa · lovasoa · commit 42d774be1fd8 · 2026-06-05T16:59:32.000+02:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,6 +2,146 @@
 
 ## Reporting a Vulnerability
 
-If you find a critical security vulnerability in this repo, you can report it directly by
-email to the main maintainer on `contact@ophir.dev`.
-This will allow publishing a new safe version before the vulnerability starts being exploited.
+Please report suspected SQLPage vulnerabilities privately to
+`contact@ophir.dev`.
+
+Include the SQLPage version or commit, database backend, relevant
+configuration, minimal SQL file if possible, and the exact attacker-controlled
+input. Do not open a public issue for a non-public vulnerability.
+
+## Threat Model
+
+SQLPage is a runtime for applications written in SQL. It maps HTTP requests to
+SQL files, executes those files on the configured database, and renders the
+result. SQLPage is not a sandbox for SQLPage application authors or operators.
+
+### Trusted Control
+
+The following define the application's behavior and are trusted:
+
+- Application files under `web_root`, including SQL files and static assets.
+- Application files stored in the optional `sqlpage_files` table.
+- SQLPage configuration, command-line arguments, environment variables, and
+  `.env` files.
+- Templates, migrations, and connection-management SQL in the configuration
+  directory.
+- Database behavior and access: roles, permissions, schema, extensions,
+  triggers, stored procedures, views, and migrations.
+- Anyone or anything that can modify one of the above.
+
+Control of trusted inputs is control of the SQLPage application. If an attacker
+can edit `sqlpage.json`, change `web_root`, weaken OIDC path rules, enable
+dangerous Markdown options, enable `allow_exec`, alter templates, or write SQL
+into `sqlpage_files`, that is outside SQLPage's vulnerability boundary unless
+SQLPage itself granted that access to an untrusted actor.
+
+### Untrusted Data
+
+The following are untrusted data by default:
+
+- HTTP paths, query strings, form fields, request bodies, and multipart uploads.
+- Uploaded filenames, MIME types, and file contents.
+- HTTP headers, cookies, Basic Auth credentials, and unauthenticated OIDC
+  callback parameters.
+- Responses from remote servers contacted with `sqlpage.fetch` or
+  `sqlpage.fetch_with_meta`.
+- Values returned by database queries, except when SQLPage is loading
+  application files from `sqlpage_files`.
+
+Database contents are data, not trust. A researcher should not have to prove
+which table values are user-generated. SQLPage must handle database values as
+untrusted unless trusted SQL places them in a documented control position.
+
+Some result columns are control positions: SQLPage treats their values as
+instructions, not ordinary display data. These include component names,
+`dynamic` component properties, HTTP headers, redirects, cookies, downloads,
+file paths passed to file functions or `run_sql`, URLs passed to `fetch`, raw
+HTML, unsafe Markdown, and `exec` command names or arguments. If trusted SQL
+puts untrusted data in a control position, the resulting behavior is the
+application's responsibility.
+
+## In Scope
+
+Please report cases where SQLPage itself lets untrusted data gain a capability
+that should require trusted control. Examples:
+
+- An HTTP request can execute attacker-chosen SQL on the configured database
+  without trusted SQL explicitly exposing that behavior.
+- SQLPage parameter handling turns `$name`, `:name`, or `?name` into executable
+  SQL instead of a bound database value.
+- HTTP routing, path decoding, static file serving, caching, `run_sql`, or file
+  functions expose host files that trusted SQL or configuration did not choose
+  to expose.
+- Reserved private files, including the `sqlpage/` prefix, dotfiles,
+  templates, and configuration, are reachable over HTTP.
+- `allow_exec` is false, but an attacker can execute a local command through
+  SQLPage.
+- Built-in OIDC handling accepts forged, expired, wrong-issuer,
+  wrong-audience, wrong-nonce, or wrong-signature tokens, or applies configured
+  public/protected path rules incorrectly.
+- Default-safe rendering or safe Markdown executes browser script from
+  untrusted data.
+- SQLPage-generated production error responses expose source code, stack
+  traces, SQL text, parameters, environment values, or configuration values.
+- Upload handling allows path traversal, overwrite of unintended files, or file
+  disclosure without trusted SQL selecting that behavior.
+- Official SQLPage documentation or examples recommend placing untrusted data in
+  a control position without validation.
+
+## Out of Scope
+
+The following are usually application or deployment vulnerabilities, not
+SQLPage vulnerabilities:
+
+- A trusted SQL file omits authentication or authorization checks.
+- Trusted SQL, a stored procedure, trigger, view, or extension builds and
+  executes SQL from untrusted data.
+- Trusted SQL selects untrusted data into a control position such as
+  `component`, `dynamic.properties`, a redirect target, header value, file path,
+  `run_sql` target, `fetch` URL, raw HTML, unsafe Markdown, or `exec` argument.
+- Trusted SQL intentionally reads a host file, including an absolute path, and
+  returns it to a client.
+- An operator intentionally changes configuration to expose files, trust a
+  different database, make an OIDC path public, weaken CSP, enable dangerous
+  Markdown options, load SQLite extensions, or enable `allow_exec`.
+- An attacker can modify SQL files, templates, configuration, environment
+  variables, migrations, database code, or `sqlpage_files`.
+- The configured database role has broader permissions than the application
+  needs.
+- A SQLPage application is publicly reachable because no authentication was
+  configured.
+- Trusted SQL asks SQLPage or the database to perform expensive work.
+
+These may still be serious and should be fixed in the affected application,
+deployment, or documentation.
+
+## Boundary Examples
+
+Report: `/x.sql?sort=...` causes SQLPage to execute attacker-chosen SQL because
+SQLPage rewrote a parameter incorrectly.
+
+Do not report as SQLPage: `x.sql` passes `sort` to a stored procedure that
+concatenates it into dynamic SQL.
+
+Report: a normal table cell containing `<script>` executes script in the
+browser when rendered by a default-safe component.
+
+Do not report as SQLPage: trusted SQL selects that value as `html`,
+`unsafe_contents_md`, `component`, or `dynamic.properties`.
+
+Report: `/..%2F..%2Fetc%2Fpasswd` or `/sqlpage/sqlpage.json` is served directly
+by SQLPage.
+
+Do not report as SQLPage: trusted SQL calls
+`sqlpage.read_file_as_text('/etc/passwd')` and renders the result.
+
+Report: an unauthenticated request can write a new SQL file into
+`sqlpage_files` through an unintended SQLPage endpoint.
+
+Do not report as SQLPage: an administrator, migration, or intentionally exposed
+application page writes SQL into `sqlpage_files`.
+
+Report: official documentation recommends `sqlpage.run_sql($user_input)`.
+
+Do not report as SQLPage: a private application uses
+`sqlpage.run_sql($user_input)` despite the documentation warning against it.
