personal-projects/py-wikijs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6b9d045e142b6dffc0f92ccba8f95eaeb6e321c
py-wikijs/SECURITY.md
Claude cef6903cbc feat: implement production-ready features from improvement plan phase 2.5 & 2.6 
Phase 2.5: Fix Foundation (CRITICAL)
- Fixed 4 failing tests by adding cache attribute to mock_client fixture
- Created comprehensive cache tests for Pages endpoint (test_pages_cache.py)
- Added missing dependencies: pydantic[email] and aiohttp to core requirements
- Updated requirements.txt with proper dependency versions
- Achieved 82.67% test coverage with 454 passing tests

Phase 2.6: Production Essentials
- Implemented structured logging (wikijs/logging.py)
  * JSON and text log formatters
  * Configurable log levels and output destinations
  * Integration with client operations

- Implemented metrics and telemetry (wikijs/metrics.py)
  * Request tracking with duration, status codes, errors
  * Latency percentiles (min, max, avg, p50, p95, p99)
  * Error rate calculation
  * Thread-safe metrics collection

- Implemented rate limiting (wikijs/ratelimit.py)
  * Token bucket algorithm for request throttling
  * Per-endpoint rate limiting support
  * Configurable timeout handling
  * Burst capacity management

- Created SECURITY.md policy
  * Vulnerability reporting procedures
  * Security best practices
  * Response timelines
  * Supported versions

Documentation
- Added comprehensive logging guide (docs/logging.md)
- Added metrics and telemetry guide (docs/metrics.md)
- Added rate limiting guide (docs/rate_limiting.md)
- Updated README.md with production features section
- Updated IMPROVEMENT_PLAN_2.md with completed checkboxes

Testing
- Created test suite for logging (tests/test_logging.py)
- Created test suite for metrics (tests/test_metrics.py)
- Created test suite for rate limiting (tests/test_ratelimit.py)
- All 454 tests passing
- Test coverage: 82.67%

Breaking Changes: None
Dependencies Added: pydantic[email], email-validator, dnspython

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-23 16:45:02 +00:00

2.8 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
0.3.x
0.2.x
0.1.x

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: lmiranda@hotserv.cloud

Include the following information:

  • Type of vulnerability
  • Full paths of affected source files
  • Location of affected source code (tag/branch/commit)
  • Step-by-step instructions to reproduce
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 7-14 days
    • High: 14-30 days
    • Medium: 30-60 days
    • Low: Best effort

Security Best Practices

API Keys

  • Never commit API keys to version control
  • Use environment variables for sensitive data
  • Rotate API keys regularly
  • Use separate keys for different environments

SSL/TLS

  • Always use HTTPS for Wiki.js instances
  • Verify SSL certificates (verify_ssl=True)
  • Use modern TLS versions (1.2+)
  • Keep certificates up to date

Dependencies

  • Keep dependencies updated
  • Monitor security advisories
  • Use pip-audit for vulnerability scanning
  • Review dependency changes before upgrading

Authentication

  • Use JWT authentication for production
  • Implement token refresh mechanisms
  • Store tokens securely
  • Never log authentication credentials

Input Validation

  • Always validate user input
  • Use type hints and Pydantic models
  • Sanitize data before processing
  • Check for injection vulnerabilities

Disclosure Policy

Once a vulnerability is fixed:

  1. We will publish a security advisory
  2. Credit will be given to the reporter (if desired)
  3. Details will be disclosed responsibly
  4. Users will be notified through appropriate channels

Security Features

Built-in Security

  • Request validation using Pydantic
  • SSL certificate verification by default
  • Rate limiting to prevent abuse
  • Structured logging for audit trails
  • No hardcoded credentials

Recommended Practices

# Good: Use environment variables
import os
from wikijs import WikiJSClient

client = WikiJSClient(
    os.getenv("WIKIJS_URL"),
    auth=os.getenv("WIKIJS_API_KEY"),
    verify_ssl=True
)

# Bad: Hardcoded credentials
# client = WikiJSClient(
#     "https://wiki.example.com",
#     auth="my-secret-key"  # DON'T DO THIS
# )

Contact

For security concerns, contact:

Acknowledgments

We appreciate the security researchers and contributors who help make this project more secure.

Reference in New Issue View Git Blame Copy Permalink