| Version | Supported |
|---|---|
| 3.1.x | ✅ |
| 3.0.x | ✅ |
| 2.x | ❌ |

If you discover a security vulnerability in DuckGuard, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: security@xdatahub.ai

Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and provide a fix within 7 days for critical issues.

DuckGuard includes multi-layer SQL injection prevention for user-provided SQL:
- QueryValidator — Validates conditions in conditional checks
- QuerySecurityValidator — Enhanced validation for query-based checks
- ExpressionParser — Whitelisted operators for multi-column expressions
- READ-ONLY enforcement — All SQL operations are read-only
- Query timeout — 30-second limit on custom queries
- Result limits — 10,000 row maximum on query results

For details, see the Security Audit Report.
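The layers listed above are easier to reason about with a concrete sketch. The following is an added example written for this page, not DuckGuard's own `QueryValidator`, `QuerySecurityValidator` or `ExpressionParser` (whose internals are not described here): it shows a whitelist tokenizer for conditions (only known columns, literals and allowed operators pass, so functions and subqueries are refused), a read-only gate for whole queries (single statement, must start with `SELECT`/`WITH`, no write or admin keywords, no comments), and a row cap applied by wrapping the query so the outer `LIMIT` always wins. The 30-second timeout belongs at execution time in the database driver and is not shown. All function names, keyword lists and sample inputs are constructed for the illustration.

```python
"""Illustrative whitelist-style guards for user-supplied SQL fragments.
Added example; not DuckGuard's implementation. Runs stand-alone on the
constructed inputs under __main__."""
import re

# Whitelisted operators and keywords for conditions; anything else is rejected.
ALLOWED_OPERATORS = {
    "=", "!=", "<>", "<", "<=", ">", ">=", "+", "-", "*", "/",
    "AND", "OR", "NOT", "IS", "NULL", "IN", "BETWEEN", "LIKE", "TRUE", "FALSE",
}
PUNCTUATION = {"(", ")", ","}
# Keywords that write data or change engine state; rejected anywhere in a custom query.
WRITE_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "DROP", "ALTER", "CREATE", "TRUNCATE",
    "ATTACH", "DETACH", "COPY", "EXPORT", "IMPORT", "PRAGMA", "INSTALL", "LOAD",
    "CALL", "SET", "RESET", "GRANT", "VACUUM", "CHECKPOINT",
}
MAX_ROWS = 10_000  # the 10,000-row ceiling described on the page

TOKEN_RE = re.compile(r"""\s*(?:
    (?P<string>'(?:[^']|'')*')          # single-quoted literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|!=|<=|>=|[=<>+\-*/(),])
  | (?P<other>.)                        # anything else triggers a rejection
)""", re.VERBOSE)


class UnsafeSQL(ValueError):
    """Raised when a fragment fails validation."""


def validate_condition(expr: str, allowed_columns: set) -> str:
    """Tokenize a user condition and admit only known columns, literals and
    whitelisted operators. Returns the normalized condition."""
    text = expr.strip()
    if not text:
        raise UnsafeSQL("empty condition")
    for forbidden in (";", "--", "/*", "*/"):
        if forbidden in text:
            raise UnsafeSQL(f"{forbidden!r} is not permitted in a condition")
    out, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)  # always matches: every alternative eats >= 1 char
        pos = m.end()
        kind, tok = m.lastgroup, m.group(m.lastgroup)
        if kind == "ident":
            if tok.upper() in ALLOWED_OPERATORS:
                out.append(tok.upper())
            elif tok in allowed_columns:
                out.append(tok)
            else:  # function names, subqueries and unknown columns all land here
                raise UnsafeSQL(f"identifier {tok!r} is not an allowed column or operator")
        elif kind == "op":
            if tok not in ALLOWED_OPERATORS and tok not in PUNCTUATION:
                raise UnsafeSQL(f"operator {tok!r} is not whitelisted")
            out.append(tok)
        elif kind in ("string", "number"):
            out.append(tok)
        else:
            raise UnsafeSQL(f"unexpected character {tok!r}")
    return " ".join(out)


def enforce_read_only(sql: str) -> str:
    """Admit a single SELECT/WITH statement containing no write or admin keywords."""
    text = sql.strip().rstrip(";").strip()  # tolerate trailing semicolons only
    if not text:
        raise UnsafeSQL("empty query")
    if ";" in text:
        raise UnsafeSQL("only a single statement is permitted")
    if "--" in text or "/*" in text:
        raise UnsafeSQL("comments are not permitted")
    if text.split(None, 1)[0].upper() not in ("SELECT", "WITH"):
        raise UnsafeSQL("only SELECT or WITH statements are permitted")
    # Word-level scan, deliberately conservative: a column literally named "set" is refused too.
    found = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text.upper())) & WRITE_KEYWORDS
    if found:
        raise UnsafeSQL(f"write/admin keywords not permitted: {sorted(found)}")
    return text


def apply_row_limit(sql: str, max_rows: int = MAX_ROWS) -> str:
    """Cap results by wrapping the query; the outer LIMIT wins whatever the inner query asks."""
    return f"SELECT * FROM ({sql}) AS guarded LIMIT {max_rows}"


def prepare_query(sql: str, max_rows: int = MAX_ROWS) -> str:
    """Read-only gate followed by the row cap; a statement timeout would be set by the driver."""
    return apply_row_limit(enforce_read_only(sql), max_rows)


def rejects(check, *args) -> bool:
    """True when check(*args) raises UnsafeSQL; used by the demo below."""
    try:
        check(*args)
    except UnsafeSQL:
        return True
    return False


if __name__ == "__main__":
    columns = {"age", "country", "price", "discount"}  # constructed schema
    print(validate_condition("age >= 18 AND country = 'US'", columns))
    print(rejects(validate_condition, "age > 18; DROP TABLE users", columns))
    print(prepare_query("SELECT age FROM users WHERE age < 0;"))
    print(rejects(enforce_read_only, "SELECT 1; DELETE FROM users"))
```

The condition validator refuses every identifier it does not know, which is what blocks function calls and nested `SELECT`s without needing a full SQL parser; the price of that simplicity is that qualified names (`t.col`) and unlisted functions must be added to the whitelist explicitly rather than allowed by default.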

DuckGuard's core has 7 dependencies. We monitor for known vulnerabilities via GitHub's Dependabot.