Skip to content

Commit d209fe4

Browse files
committed
docs: add a security posture & liability disclaimer
officeParser is a parser/generator/converter that necessarily opens files from potentially untrusted sources, so it's worth stating plainly what that means for consumers of the library: - README.md: new "Security & Trust Boundary" section (linked from the TOC) covering what's actively hardened against (injection, zip bombs, DoS, SSRF - see CHANGELOG.md for the ongoing history) and the honest limit of that: no software is guaranteed vulnerability-free, there's no dedicated security team behind a solo-maintained project, and final responsibility for a compromised input file's impact rests with the consumer, per the MIT LICENSE's "AS IS" clause. - SECURITY.md: a matching "Security Posture & Disclaimer" section between "My Security Commitment" and "Out of Scope" - the more canonical version of the same statement for the doc people land on specifically for security questions. Also fixed two stray "us"/"our" instances to "me"/"my" for pronoun consistency with the rest of the file (this is a solo-maintained project, first person throughout).
1 parent c70571c commit d209fe4

2 files changed

Lines changed: 45 additions & 2 deletions

File tree

README.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ A robust, strictly-typed **Node.js and Browser** library for parsing office file
6262
- [Browser Usage](#browser-usage)
6363
- [Troubleshooting & Common Issues](#troubleshooting--common-issues)
6464
- [Known Limitations](#known-limitations)
65+
- [Security & Trust Boundary](#security--trust-boundary)
6566
- [Contributing](#contributing)
6667

6768
---
@@ -1231,6 +1232,28 @@ For a full debugging guide, visit the [Live Documentation](https://harshankur.gi
12311232
12321233
---
12331234
1235+
## Security & Trust Boundary
1236+
1237+
`officeParser` is a **parser, generator, and converter** — by design, it opens and processes files
1238+
handed to it, which may originate from an untrusted source (a user upload, an inbox attachment, a
1239+
scraped document, etc.). I treat every input as potentially adversarial and actively harden the
1240+
library against it: output sanitization against injection (HTML/CSS/URL/script/CSV/RTF/Markdown),
1241+
zip-bomb protection, resource/recursion limits against denial-of-service payloads, SSRF protection
1242+
during PDF rendering, and more — see [CHANGELOG.md](CHANGELOG.md) for the ongoing history of these
1243+
fixes and [SECURITY.md](SECURITY.md) for how to report a vulnerability.
1244+
1245+
That said: **no parser can be guaranteed 100% free of vulnerabilities**, and I'm the sole
1246+
maintainer of this project — there is no dedicated security team behind it. I'm committed to
1247+
fixing legitimate reports promptly, but I cannot promise the library is impervious to a
1248+
sufficiently novel attack, and I make no warranty to that effect (see the [LICENSE](LICENSE)'s
1249+
"AS IS" clause, under which this software is provided). **Responsibility for how a compromised or
1250+
malicious input file affects your system ultimately rests with you, the consumer of the library**
1251+
if you process files from untrusted sources, apply the isolation appropriate to your threat
1252+
model regardless (sandboxing/containerization, resource limits, running as a low-privilege
1253+
process, etc.) rather than treating any single library's hardening as a complete solution.
1254+
1255+
---
1256+
12341257
**npm**: [https://npmjs.com/package/officeparser](https://npmjs.com/package/officeparser)
12351258
12361259
**github**: [https://github.com/harshankur/officeParser](https://github.com/harshankur/officeParser)

SECURITY.md

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,9 +17,9 @@ Maintenance and security patches are currently provided for the latest major bra
1717
**Please do not open public issues for security vulnerabilities.**
1818

1919
### 🛑 Why Private Disclosure?
20-
Publicly disclosing a vulnerability before a fix is available creates an immediate window for attackers to exploit the issue against the millions of users currently running this library. Private reporting allows us to develop, test, and release a patch **before** the technical details are shared, ensuring that the community remains protected.
20+
Publicly disclosing a vulnerability before a fix is available creates an immediate window for attackers to exploit the issue against the millions of users currently running this library. Private reporting allows me to develop, test, and release a patch **before** the technical details are shared, ensuring that the community remains protected.
2121

22-
To facilitate a safe disclosure, please use our private GitHub reporting channel:
22+
To facilitate a safe disclosure, please use my private GitHub reporting channel:
2323

2424
### GitHub Private Reporting
2525
1. Navigate to the [Security tab](https://github.com/harshankur/officeParser/security) of this repository.
@@ -37,6 +37,26 @@ Upon receiving a valid report, I will:
3737

3838
I ask that you follow **coordinated disclosure** practices and allow a reasonable window to release a patch before sharing technical details publicly.
3939

40+
## Security Posture & Disclaimer
41+
42+
`officeParser` is a parser, generator, and converter for office documents — it is often used to
43+
process files from untrusted sources (user uploads, email attachments, scraped content, etc.), so
44+
I treat every input as potentially adversarial. I actively invest in hardening the library against
45+
malicious input — output sanitization against injection, zip-bomb and decompression limits,
46+
recursion/resource limits against denial-of-service payloads, SSRF protection during PDF
47+
rendering, and more — and I will keep shipping security fixes for as long as I actively maintain
48+
this project (see CHANGELOG.md for the ongoing history).
49+
50+
That said, I am the sole maintainer of this project, with no dedicated security team behind it,
51+
and **no software can be guaranteed free of vulnerabilities**. I make no warranty that
52+
`officeParser` is or will remain impervious to a sufficiently novel attack — the library is
53+
provided "AS IS", without warranty of any kind, per the [LICENSE](LICENSE). **Final responsibility
54+
for the impact of a compromised or malicious input file on your system rests with you, the
55+
consumer of the library.** If you process files from untrusted sources, apply isolation
56+
appropriate to your own threat model (sandboxing/containerization, resource limits, a
57+
low-privilege execution context, etc.) rather than relying on any single library's hardening as a
58+
complete solution.
59+
4060
## Out of Scope
4161
- **Third-Party Dependencies**: Vulnerabilities in upstream libraries (e.g., `tesseract.js`, `pdfjs-dist`, `fflate`) should be reported directly to their respective maintainers.
4262
- **Semantic Chunking & External APIs**: When using `Semantic Strategy` for chunking, you provide an `embed` function. If this function sends data to external LLM providers (like OpenAI or Anthropic), the security and privacy of that data transfer are governed by your implementation and the provider's terms. `officeParser` itself does not transmit document data to external servers by default.

0 commit comments

Comments
 (0)