Skip to content

docs(security): add SECURITY.md with policy and PoC examples #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
7zuu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs(security): add SECURITY.md with policy and PoC examples #27

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
235 changes: 235 additions & 0 deletions .github/SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,235 @@
# SECURITY POLICY

SawitDB dibangun dengan fokus pada integritas data, konsistensi transaksi, dan kontrol akses berbasis role (POLRI).
Setiap kerentanan akan ditangani secara terstruktur dan bertanggung jawab.

---

## SUPPORTED VERSIONS

| Version | Status |
| ------- | ----------- |
| 3.0.x | Supported |
| < 3.0 | Unsupported |

Catatan:

* Versi 3.0 menggunakan WAL (Write-Ahead Logging), RBAC, dan Network Mode
* Laporan untuk versi lama tetap diterima namun tidak dijamin diperbaiki

---

## REPORTING A VULNERABILITY

Jangan publikasikan kerentanan secara langsung.

Laporkan melalui:

* GitHub Security Advisories
* Atau melalui issue

### Informasi wajib:

1. Deskripsi kerentanan
2. Dampak (impact)
3. Langkah reproduksi
4. Proof of Concept (PoC)
5. Versi SawitDB
6. Environment:

* OS
* Node.js version
* Mode (Single / Server / Cluster)

---

## SECURITY TESTING EXAMPLES (POC)

Berikut contoh pengujian untuk mengidentifikasi potensi kerentanan.
Semua testing wajib dilakukan secara lokal atau dengan izin.

---

### Authorization Bypass

```javascript
const { SawitClient } = require("@wowoengine/sawitdb");

(async () => {
const client = new SawitClient("sawitdb://127.0.0.1:7878");

await client.connect("guest", "guest123");

try {
const result = await client.query(
"SELECT * FROM users WHERE role = 'admin'"
);

console.log("UNEXPECTED DATA:", result);
} catch (err) {
console.error("EXPECTED ERROR:", err.message);
}
})();
```

---

### Query Injection (Parser Edge Case)

```javascript
const payload = "admin' OR '1'='1";

const query = `
SELECT * FROM users
WHERE username = '${payload}'
`;

console.log(query);

const result = db.query(query);
console.log(result);
```

---

### WAL Consistency (Crash Test)

```javascript
const db = new SawitDB("./test.sawit");

db.query("CREATE TABLE logs");
db.query("BEGIN TRANSACTION");

for (let i = 0; i < 1000; i++) {
db.query(`INSERT INTO logs (msg) VALUES ('log-${i}')`);
}

// Force crash
process.exit(1);
```


```javascript
const db = new SawitDB("./test.sawit");

const result = db.query("SELECT COUNT(*) FROM logs");

console.log(result);
```


---

### Race Condition (Worker Thread)

```javascript
const { SawitClient } = require("@wowoengine/sawitdb");

(async () => {
const client = new SawitClient("sawitdb://127.0.0.1:7878");

await client.connect("admin", "admin123");

const tasks = [];

for (let i = 0; i < 50; i++) {
tasks.push(
client.query(
"UPDATE products SET stock = stock + 1 WHERE id = 1"
)
);
}

await Promise.all(tasks);

const result = await client.query(
"SELECT stock FROM products WHERE id = 1"
);

console.log(result);
})();
```


---

### Memory Stress / Cache Abuse

```javascript
const db = new SawitDB("./stress.sawit");

db.query("CREATE TABLE bigdata");

for (let i = 0; i < 100000; i++) {
db.query(`INSERT INTO bigdata (value) VALUES ('data-${i}')`);
}

const result = db.query("SELECT * FROM bigdata");

console.log("ROWS:", result.length);
```


---

## RESPONSE PROCESS

* Respon awal: 3–7 hari
* Validasi teknis
* Klasifikasi severity
* Patch development
* Security advisory / release

Semua laporan diverifikasi secara objektif.

---

## DISCLOSURE POLICY

* Tidak menyebarkan exploit sebelum patch
* Koordinasi dengan maintainer
* Mengikuti responsible disclosure

Pelapor dapat:

* Dicantumkan sebagai security contributor
* Atau tetap anonim

---

## SCOPE

### Termasuk:

* Authentication / authorization bypass
* RCE (Remote Code Execution)
* Query / parser exploit
* Data corruption (WAL / paging)
* Race condition
* Memory issue yang berdampak keamanan
* Network protocol abuse (sawitdb://)

### Tidak termasuk:

* Bug minor tanpa impact
* Misconfiguration user
* Issue performa
* Social engineering

---

## PROHIBITED ACTIONS

* Akses data tanpa izin
* Testing di server publik tanpa persetujuan
* Eksploitasi di luar ruang lingkup penelitian

Pengujian harus bertanggung jawab dan terkendali.


## ACKNOWLEDGEMENT

Kontributor yang melaporkan kerentanan valid dapat dicantumkan sebagai security contributor.

---