| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
- Location: `website_diff/fetcher.py`
- Implementation:
  - URL scheme validation (only http/https allowed)
  - Basic SSRF protection with localhost/internal network detection
  - URL parsing using `urllib.parse.urlparse` for safe parsing
- Status: ✅ Implemented
- Note: Localhost access is allowed for development/testing purposes
- Location: `website_diff/cli.py`, `website_diff/link_traverser.py`
- Implementation:
  - URL normalization and validation
  - Filtering of dangerous protocols (javascript:, mailto:, tel:, etc.)
  - Email address detection and filtering
- Status: ✅ Implemented
- Location: All file operations
- Implementation:
  - Uses `pathlib.Path` for safe path handling
  - Paths are relative to user-specified directories
  - No direct user input used in file paths without validation
  - Uses
- Status: ✅ Safe
- Note: All file operations use `Path` objects which prevent path traversal
- Status: ✅ Verified
- Findings: No use of `eval()`, `exec()`, `subprocess` with `shell=True`, or `os.system()`
- Status: ✅ Verified
- Findings:
- No passwords, API keys, or tokens in code
- Secrets only referenced via environment variables in GitHub Actions
- Docker credentials stored as GitHub secrets
- Status: ✅ Verified
- Findings:
- All file writes use explicit encoding ('utf-8')
- Binary file operations use 'wb' mode appropriately
- No unsafe file permissions set
- SSRF Protection Enhancement (Medium Priority)
  - Consider implementing a more robust SSRF protection mechanism
  - Add option to disable localhost access in production environments
  - Implement IP address whitelist/blacklist functionality
- Rate Limiting (Low Priority)
  - Consider adding rate limiting for web requests to prevent abuse
  - Implement request throttling for link traversal
- Content Size Limits (Low Priority)
  - Add maximum content size limits to prevent memory exhaustion
  - Implement streaming for very large files
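As an added example (not the project's own code from `website_diff/fetcher.py`), here is a URL validator that combines the scheme check, dangerous-link filtering and localhost/internal-network detection described above with the configurable localhost switch and host blocklist from the recommendations. The function names `validate_url` and `is_internal_host` and the `allow_localhost`/`blocked_hosts` parameters are assumptions for this example; it inspects literal IP addresses and hostnames only, so a public name that resolves to an internal address is not caught here.

```python
from ipaddress import IPv6Address, ip_address
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Link schemes that are never fetched or traversed (constructed list for this example)
DANGEROUS_SCHEMES = {"javascript", "mailto", "tel", "data", "file"}


def is_internal_host(host: str) -> bool:
    """True for localhost names and literal loopback/private/link-local addresses.

    Only IP literals are inspected; a DNS name that resolves to an internal
    address is NOT detected here (that needs a resolver-level check).
    """
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified)


def validate_url(url: str, allow_localhost: bool = False,
                 blocked_hosts: frozenset = frozenset()) -> tuple:
    """Return (ok, reason). allow_localhost mirrors the 'disable localhost access
    in production' recommendation; blocked_hosts is a simple host blocklist."""
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return False, f"dangerous scheme: {scheme}:"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"unsupported scheme: {scheme or '<none>'}"
    host = parsed.hostname  # lower-cased, IPv6 brackets already removed
    if not host:
        return False, "missing host"
    if host in blocked_hosts:
        return False, "host is blocklisted"
    if is_internal_host(host) and not allow_localhost:
        return False, "internal/loopback host rejected"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://example.com/page", "http://127.0.0.1:8080/",
              "javascript:alert(1)", "http://[::ffff:127.0.0.1]/"):
        print(u, "->", validate_url(u))
```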
If you discover a security vulnerability, please report it via:
- GitHub Security Advisories: https://github.com/GeiserX/Website-Diff/security/advisories
- Email: sergio@geiser.cloud
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Secrets Management
  - Never commit secrets to the repository
  - Use environment variables or secret management tools
  - Rotate credentials regularly
- Network Security
  - Be cautious when comparing URLs from untrusted sources
  - Use the tool in isolated environments when testing unknown websites
  - Monitor network traffic when using the tool
- File System Security
  - Use dedicated directories for reports and screenshots
  - Review generated files before sharing
  - Clean up generated artifacts regularly
- No hardcoded secrets
- URL validation implemented
- SSRF protection (basic)
- Path traversal protection (via Path objects)
- No command injection vectors
- Safe file operations
- Input sanitization
- Proper error handling
- No unsafe deserialization
- Dependencies up to date