vulnerability report

[Sharifi-Amin]

Bug Report

I have found a security vulnerability in docsify.sj. How would you like me to report it?

Steps to reproduce

What is current behaviour

What is the expected behaviour

Other relevant information

• Bug does still occur when all/other plugins are disabled?

• Your OS:

• Node.js version:

• npm/yarn version:

• Browser version:

• Docsify version:

• Docsify plugins:

Please create a reproducible sandbox

Mention the docsify version in which this bug was not present (if any)

[anikethsaha]

here only. fill the template and you can submit the report here

[Sharifi-Amin]

I would advise against disclosing security vulnerabilities in a public manner before there is fix. please confirm that you want me to disclose details of the vulnerability here. I'll be happy to provide a detailed report and try to help to push a fix as soon as possible .

[anikethsaha]

I would advise against disclosing security vulnerabilities in a public manner before there is fix.

thanks for the alert. no don't report here.
Actually we didn't set up any security policy as of now (I know its bad, I will set up this as soon as possible after discussing with the team ).

• I would suggest reporting it to Snyk Security Team first. They will help triage the security issue and work with all involved parties to remediate and release a fix.
• if you want to contact me, you can contact through my email
  and if you want to share some sensitive report ( still I would suggest to reach snyk team first ), mention in the mail and we can discuss there how to do so !

[trusktr]

How severe is this issue? Is it in an NPM module that affects local development?

It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

@anikethsaha Maybe we can make a security issue template, and it can specify contact instructions there.

[anikethsaha]

we need to set up a policy here

[trusktr]

Ah cool, I didn't know about that.

[anikethsaha]

It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

true, but we do support GA, codefund plugins and markdown may contain embedded files so it may be harmful in those cases. not sure though 😅 .

I will still suggest reporting first in snyk for any cases even if it is in our dependencies,

[Sharifi-Amin]

I'll get in touch with snyk team asap. I'll contact you through email for a detailed report

[Sharifi-Amin]

we need to set up a policy here

please let me know if I can contribute in any way

[anikethsaha]

I'll get in touch with snyk team asap. I'll contact you through email for a detailed report

great. 👍

please let me know if I can contribute in any way

contribution of any kind are always welcome. you can share some idea or submit as a policy for better approach. We can discuss there

[Sharifi-Amin]

The Snyk team have verified the vulnerability. they will try to get in touch with you to discuss a fix. if you want to close this issue, you can always reach me at amin.sharifi691@gmail.com.

[anikethsaha]

Thanks a lot for the reports and responses.
this issue also was a reminder that we need a policy for security reports.

you can always reach me at amin.sharifi691@gmail.com.

sure.

Thanks 👍

[anikethsaha]

I think it's better to keep it open until a response from snyk just to mark it. 👍

[Sharifi-Amin]

Thanks a lot for the reports and responses.
this issue also was a reminder that we need a policy for security reports.

you can always reach me at amin.sharifi691@gmail.com.

sure.

Thanks 👍

my pleasure