|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +The following versions of the `PDF_PrintPreview_XLSX_Export` application are currently supported with security updates: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +|---------|--------------------| |
| 9 | +| 1.x | ✅ | |
| 10 | + |
| 11 | +## Security Considerations |
| 12 | + |
| 13 | +This application is built using .NET Framework 4.8 and includes functionalities for generating PDF files and exporting data to XLSX format. Below are key security considerations for users and contributors: |
| 14 | + |
| 15 | +### Native Windows API Calls |
| 16 | +- The application uses Windows API functions (`gdi32.dll`, `winspool.Drv`, `kernel32.dll`) for font handling and printer settings. These calls are performed using `DllImport` with proper error handling to prevent crashes or undefined behavior. |
| 17 | +- Memory management for native resources (e.g., `GlobalLock`, `GlobalUnlock`, `GlobalFree`) is implemented to avoid memory leaks or unauthorized access. |
| 18 | +- Users should ensure the application runs in a trusted environment, as native API calls may interact with system-level resources. |
| 19 | + |
| 20 | +### File Handling |
| 21 | +- The application writes to PDF and XLSX files using user-specified paths via `SaveFileDialog`. File paths are validated to ensure they have the correct extensions (`.pdf`, `.xlsx`) to prevent unintended file overwrites. |
| 22 | +- No external file dependencies (e.g., image files) are included in PDF generation, reducing the risk of unauthorized file access. |
| 23 | +- File operations use `FileStream` and `ZipArchive` with proper disposal to prevent resource leaks. |
| 24 | + |
| 25 | +### Data Processing |
| 26 | +- Input data for PDF and XLSX generation is derived from in-memory `DataGridView` components and does not directly process user-provided input, minimizing risks of injection attacks. |
| 27 | +- String escaping is implemented (e.g., `EscapeString`, `EscapeXml`, `EscapeXmlAttribute`) to prevent injection of malicious content into PDF or XLSX outputs. |
| 28 | +- Random sample data is generated internally using `Random` for testing purposes. This data is not user-controlled and poses no security risk. |
| 29 | + |
| 30 | +### Compression |
| 31 | +- The application uses `DeflateStream` for zlib compression of font data and ICC profiles in PDF generation. The compression process is performed in-memory and does not involve external libraries prone to vulnerabilities. |
| 32 | +- Adler-32 checksums are calculated to ensure data integrity during compression. |
| 33 | + |
| 34 | +### Third-Party Dependencies |
| 35 | +- This application does not rely on external NuGet packages or third-party libraries, reducing the risk of supply chain attacks. |
| 36 | +- The embedded sRGB ICC profile is sourced from application resources and compressed securely. |
| 37 | + |
| 38 | +## Best Practices for Secure Usage |
| 39 | +- **Run in a Trusted Environment**: Execute the application on a trusted system to prevent unauthorized access to system resources via native API calls. |
| 40 | +- **Validate Output Files**: Ensure output file paths are in secure, user-controlled directories to avoid overwriting critical system files. |
| 41 | +- **Keep .NET Framework Updated**: Use the latest patched version of .NET Framework 4.8 to mitigate known vulnerabilities in the framework. |
| 42 | +- **Limit Permissions**: Run the application with least-privilege permissions to minimize the impact of potential exploits. |
| 43 | + |
| 44 | +## Reporting a Vulnerability |
| 45 | +If you discover a security vulnerability in this project, please report it responsibly by following these steps: |
| 46 | +1. **Do Not Open a Public Issue**: To protect users, do not disclose vulnerabilities in public GitHub issues or discussions. |
| 47 | +2. **Contact the Maintainer**: Email the vulnerability details to samialtas@gmail.com with the subject "Security Vulnerability in PDF_PrintPreview_XLSX_Export". |
| 48 | +3. **Provide Details**: Include a detailed description of the vulnerability, steps to reproduce, and potential impact. |
| 49 | +4. **Response Time**: Expect an acknowledgment within 48 hours. We aim to address and resolve reported vulnerabilities promptly. |
| 50 | + |
| 51 | +## Vulnerability Handling |
| 52 | +- Reported vulnerabilities will be investigated and prioritized based on their severity. |
| 53 | +- Patches or mitigations will be released in a timely manner, and affected versions will be updated in the supported versions table above. |
| 54 | +- We will credit reporters (if desired) in release notes, unless anonymity is requested. |
| 55 | + |
| 56 | +Thank you for helping keep this project secure! |
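Review bot: The File Handling bullet at line 21 overstates what the check does: validating that a path ends in `.pdf` or `.xlsx` does not prevent unintended overwrites, because an existing file with the right extension is still replaced. Suggest rewording it to say the extension check only constrains the output type, and stating separately what guards against overwriting (for example the `SaveFileDialog` overwrite prompt, if the code relies on it), so that it agrees with the "Validate Output Files" practice at line 40. Line 32 has the same problem: Adler-32 is the checksum the zlib format requires and only detects accidental corruption, so it should not be listed as a security control. Line 26 says the `DataGridView` data is not user-provided input, while line 27 relies on `EscapeString`, `EscapeXml` and `EscapeXmlAttribute` to block malicious content; the policy should state which of the two is the actual trust assumption. The reporting steps at line 47 offer only a plain e-mail address; consider adding an encrypted or private reporting channel.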