We actively support the following versions of gohome with security updates:
| Version | Supported | Status |
|---|---|---|
| 1.x.x | Yes | Current |
| < 1.0 | No | End of Life |
Recommendation: Always use the latest stable release for the most secure experience.
We take security issues seriously. If you discover a security vulnerability, please follow responsible disclosure:
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, report privately via:
- GitHub Security Advisories
  - Go to the Security tab
  - Click "Report a vulnerability"
  - Fill out the form with details
- Email (if GitHub is not available)
  - Send to: security@ngockhoi96.dev
  - Subject: `[SECURITY] gohome - [Brief Description]`
  - Include the details below
Please provide the following information:
- Description - Clear explanation of the vulnerability
- Impact - What can an attacker do? (RCE, data leak, DoS, etc.)
- Steps to Reproduce - Detailed instructions to trigger the issue
- Affected Versions - Which versions are vulnerable?
- Proof of Concept - Code, screenshots, or logs demonstrating the issue
- Suggested Fix (optional) - If you have ideas for mitigation
Example report:

```text
Subject: [SECURITY] gohome - Command Injection in Git Operations

Description:
The git.Client.GetLogs() function does not properly sanitize the --author flag,
allowing command injection when processing malicious git author names.

Impact:
Remote Code Execution (RCE) - An attacker could execute arbitrary commands on
the victim's system by manipulating git configuration.

Steps to Reproduce:
1. Set malicious git author: git config user.name "$(whoami)"
2. Run: gohome --author '$(whoami)'
3. Observe command execution

Affected Versions: v1.0.0 - v1.1.5

Proof of Concept:
[Attached screenshot showing command execution]

Suggested Fix:
Implement strict regex validation on author input before passing to git commands.
See existing sanitization in git/client.go:sanitizeInput()
```
We aim to respond to security reports within:
- Initial Response: 48 hours
- Triage & Assessment: 7 days
- Fix Development: 14-30 days (depending on severity)
- Public Disclosure: After patch release
We categorize vulnerabilities using CVSS scoring:
| Severity | CVSS Score | Response Time | Example |
|---|---|---|---|
| Critical | 9.0-10.0 | 48 hours | Remote Code Execution |
| High | 7.0-8.9 | 7 days | Privilege Escalation |
| Medium | 4.0-6.9 | 14 days | Information Disclosure |
| Low | 0.1-3.9 | 30 days | Minor config exposure |
- Private Notification - We notify you when we confirm the issue
- Fix Development - We develop and test the patch
- Security Advisory - We create a GitHub Security Advisory (draft)
- Coordinated Release
  - Patch released in a new version
  - Security advisory published
  - CVE assigned (if applicable)
  - Credit given to the reporter (unless anonymity is preferred)
- Keep Updated - Always use the latest version
- Verify Downloads - Check SHA256 checksums from GitHub releases
- Use Official Sources - Download only from:
  - GitHub Releases
  - Official install scripts (get.ngockhoi96.dev/gohome)
  - NPM (@ngockhoi96/gohome)
  - AUR (Arch Linux)
- Input Validation - Always sanitize user input
  - See `internal/git/client.go:sanitizeInput()` for reference
  - Use a regex to allow only safe characters
- Path Traversal - Validate file paths
  - Use `filepath.Clean()` to normalize paths
  - Check `internal/config/config.go:validateConfigPath()`
- Command Injection - Never pass unsanitized input to a shell
  - Use `exec.Command()` with separate arguments
  - Avoid `bash -c` or similar constructs
- Dependency Security - Keep dependencies updated
  - Run `go mod tidy` regularly
  - Monitor Dependabot alerts
- Command Injection Prevention
  - All git command arguments are sanitized via regex
  - Location: `internal/git/client.go:sanitizeInput()`
  - Pattern: `[^a-zA-Z0-9\s._@-]+` removed
- Path Traversal Protection
  - Config file paths are validated
  - `filepath.Clean()` is used to normalize paths
  - Location: `internal/config/config.go:validateConfigPath()`
- No Network Operations
  - gohome is fully offline, no outbound connections
  - No telemetry or analytics
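The three controls described in the contributor guidelines and the feature list above (the `[^a-zA-Z0-9\s._@-]+` allow-list, `exec.Command()` with separate arguments instead of a shell, and `filepath.Clean()` based path validation), shown together in an added Go example. This is illustrative code written for this page, not gohome's own `internal/git/client.go` or `internal/config/config.go`; the function names, the `--author=value` binding and the base-directory containment check are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Allow-list pattern stated in this policy: anything else is removed.
var unsafeChars = regexp.MustCompile(`[^a-zA-Z0-9\s._@-]+`)

// sanitizeInput strips disallowed characters (illustrative, not the project's own).
func sanitizeInput(s string) string {
	return strings.TrimSpace(unsafeChars.ReplaceAllString(s, ""))
}

// gitLogArgs keeps the author value in its own argv element, bound with "="
// so it can never be read as a separate git option.
func gitLogArgs(author string) []string {
	return []string{"log", "--author=" + sanitizeInput(author)}
}

// newGitLogCmd passes argv directly: no shell, so $(...) or ; are plain bytes.
func newGitLogCmd(repo, author string) *exec.Cmd {
	cmd := exec.Command("git", gitLogArgs(author)...)
	cmd.Dir = repo
	return cmd
}

var errOutsideBase = errors.New("config path escapes base directory")

// validateConfigPath cleans p and rejects anything resolving outside base
// (hypothetical helper, not the project's own validateConfigPath).
func validateConfigPath(base, p string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Clean(filepath.Join(cleanBase, p))
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed inputs: the template's PoC value and a traversal path.
	fmt.Println(gitLogArgs("$(whoami)")) // [log --author=whoami]
	fmt.Println(validateConfigPath("/etc/gohome", "../../outside.yaml"))
}
```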
The following are NOT considered security issues:
- Issues requiring physical access to the machine
- Denial of Service via local resource exhaustion
- Issues in dependencies (report to upstream)
- Social engineering attacks
- Output formatting issues that don't expose sensitive data
Security patches are released as:
- Patch versions (1.0.x) - For minor/low severity
- Minor versions (1.x.0) - For medium/high severity
- Emergency releases - For critical vulnerabilities (within 48h)
Subscribe to:
- GitHub Releases
- GitHub Watch - Security alerts only
We appreciate responsible disclosure and will credit researchers:
- GitHub Security Advisories - Listed as collaborators
- Release Notes - Acknowledged in CHANGELOG
- Hall of Fame - Recognized in README (optional)
You may choose to remain anonymous.
- Security Issues: security@ngockhoi96.dev or GitHub Security Advisories
- General Questions: GitHub Discussions
- Non-Security Bugs: GitHub Issues
Thank you for helping keep gohome secure!