We release security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead:

1. Email the maintainers directly (see package.json for contact info)
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)
3. Wait for acknowledgment (typically within 48 hours)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix timeline: Depends on severity
  • Critical: Within days
  • High: Within 1-2 weeks
  • Medium: Within 4 weeks
  • Low: Next release cycle

• We will notify you when we have a fix ready
• We will coordinate disclosure timing with you
• We will credit you in the security advisory (unless you prefer to remain anonymous)
• We will publish a security advisory on GitHub

SVG files can contain malicious content. SVG-BBOX processes SVG files in headless Chrome, which provides some isolation but does not guarantee complete safety.

Risks:

• XXE (XML External Entity) attacks via malicious SVG
• XSS (Cross-Site Scripting) via embedded scripts in SVG
• Resource exhaustion via extremely large or complex SVG
• File system access via <image> or <use> elements with file:// URLs

Mitigations:

• Run in headless browser (isolated environment)
• Disable JavaScript in browser context (when possible)
• Validate SVG files before processing
• Set timeouts on all operations
• Run in sandboxed environment (Docker, VM) for untrusted input

SVG files can reference external resources (images, fonts, stylesheets). This can lead to:

• SSRF (Server-Side Request Forgery) - SVG requests internal network resources
• Data exfiltration - SVG sends data to external servers
• Canvas tainting - External resources without CORS headers

Mitigations:

• Block external network requests when processing untrusted SVG
• Use Content Security Policy (CSP) in browser context
• Validate and sanitize external resource URLs
• Run in network-isolated environment for untrusted input

We regularly update dependencies to address known vulnerabilities.

What we do:

• Monitor security advisories for dependencies
• Run npm audit regularly (bun uses npm for security audits)
• Update dependencies promptly
• Use tools like Dependabot for automated updates

What you can do:

• Keep your installation up to date
• Run npm audit to check for known vulnerabilities
• Report dependency vulnerabilities you discover

The CLI tools execute in your local environment with your permissions.

Risks:

• Path traversal - Malicious file paths could access unintended files
• Command injection - User input could be interpreted as shell commands
• File overwrite - Output paths could overwrite important files

Mitigations:

• Validate and sanitize all file paths
• Use absolute paths internally
• Never execute user input as shell commands
• Confirm before overwriting existing files (where applicable)
• Use Node.js built-in path utilities (path.join, path.resolve)

We use Puppeteer to launch headless Chrome, which has its own security considerations.

Risks:

• Browser vulnerabilities - Outdated Chrome/Chromium versions
• Sandbox escapes - Malicious SVG could exploit browser bugs

Mitigations:

• Use latest Puppeteer (bundles recent Chrome)
• Run with sandbox enabled (default)
• Set resource limits (memory, CPU time)
• Use --no-sandbox only when absolutely necessary (CI environments)

When using SVG-BBOX in production:

1. Validate input

   // Check file size before processing
   const stats = fs.statSync(svgPath);
   if (stats.size > 10 * 1024 * 1024) {
     // 10 MB limit
     throw new Error('SVG file too large');
   }

2. Set timeouts

   // Prevent infinite loops/hangs
   const timeout = 30000; // 30 seconds
   // Use timeout options in all operations

3. Sanitize SVG (if processing untrusted input)

   // Use a library like DOMPurify or sanitize-html
   const sanitizedSvg = DOMPurify.sanitize(svgContent, {
     USE_PROFILES: { svg: true }
   });

4. Run in isolated environment

   # Use Docker for untrusted SVG processing
   docker run --rm -v ./input:/input:ro -v ./output:/output \
     svg-bbox sbb-getbbox /input/untrusted.svg

5. Block external network

   // In Puppeteer, intercept and block external requests
   await page.setRequestInterception(true);
   page.on('request', (request) => {
     const url = new URL(request.url());
     if (url.hostname !== 'localhost') {
       request.abort();
     } else {
       request.continue();
     }
   });

Comprehensive Audit Performed: 2026-01-19

1. Command Injection - File paths now validated and sanitized ✅
2. Path Traversal - Comprehensive path validation added ✅
3. SVG Code Injection - SVG sanitization implemented ✅
4. JSON Injection - JSON validation prevents prototype pollution ✅
5. Insecure Temp Files - Secure temp directory handling ✅
6. Undefined Variable Bug - Fixed in sbb-fix-viewbox ✅
7. Missing File Extension Validation - Extension validation added ✅
8. Windows Command Injection - Safe path handling on Windows ✅

✅ Completed:

• Created lib/security-utils.cjs with comprehensive security functions
• Created lib/cli-utils.cjs for standardized CLI tooling
• Path validation (validateFilePath, validateOutputPath)
• SVG sanitization (readSVGFileSafe, sanitizeSVGContent)
  • Fixed event handler removal regex (changed \son\w+ to \s+on\w+)
• JSON validation (readJSONFileSafe, validateRenameMapping)
• Secure temp file handling (createSecureTempDir)
• Custom error classes for better error handling

✅ CLI Tools Completed (6/6 - 100%):

1. sbb-getbbox.cjs - All security fixes applied ✅
2. sbb-fix-viewbox.cjs - All fixes + undefined variable bug fixed ✅
3. sbb-svg2png.cjs - All fixes + PNG output validation ✅
4. sbb-test.cjs - All fixes + JSON/log output validation ✅
5. sbb-compare.cjs - All security fixes applied ✅
6. sbb-extract.cjs - All security fixes applied ✅

Current Status: 6/6 CLI tools secured (100% complete)

• Limited SVG sanitization - Basic script/event removal (use DOMPurify for full sanitization)
• No network isolation by default - External resources can be loaded
• No built-in resource limits - Large/complex SVG can consume excessive resources
• Browser security dependency - Relies on Chromium's security model

When contributing code:

• Validate all user input (file paths, options, arguments)
• Use parameterized queries/commands (no string concatenation)
• Set timeouts on all async operations
• Handle errors explicitly (no silent failures)
• Sanitize output (especially HTML generation)
• Document security considerations in PR
• Check dependencies for known vulnerabilities (npm audit)
• Add tests for security-critical code

We use:

• npm audit - Check for vulnerable dependencies (bun uses npm for audits)
• ESLint - Static analysis for common security issues
• Dependabot - Automated dependency updates

• OWASP Top 10
• SVG Security
• Puppeteer Security
• Node.js Security Best Practices

For security issues: See package.json for maintainer contact information

For general questions: Open a GitHub discussion (NOT an issue)

Thank you for helping keep SVG-BBOX secure! 🔒