Skip to content

Security: hocestnonsatis/qast

Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are published for the latest minor release in each supported major line.

Version Supported
2.1.x
2.0.x
1.x
< 1.0

We recommend running the latest 2.1.x release. Older supported lines receive critical fixes only when backporting is practical.

Reporting a Vulnerability

If you believe you have found a security vulnerability in QAST, please report it responsibly.

Preferred: GitHub Private Vulnerability Reporting

Alternative: Open a GitHub issue with the Security label and avoid posting exploit details publicly until a fix is available.

Please include:

  • A clear description of the issue and its potential impact
  • Steps to reproduce, or a minimal proof of concept
  • Affected version(s)
  • Any suggested mitigation or fix, if you have one

What to expect

Stage Timeline
Initial acknowledgement Within 3 business days
Triage and severity assessment Within 7 business days
Fix or mitigation plan Depends on severity; critical issues are prioritized
Coordinated disclosure After a patched release is available

We may ask follow-up questions during investigation. If the report is declined (for example, it is out of scope or not reproducible), we will explain why.

Please do not open public issues with full exploit details before a fix is released.

Scope

Reports are in scope when they demonstrate a security impact in QAST itself, such as:

  • Parser bypass that allows disallowed fields or operators despite validation
  • Denial of service through unbounded resource use in the library's parsing or validation path
  • Injection or unsafe output when using built-in adapters with validated input
  • Memory or CPU exhaustion within documented complexity limits

The following are generally out of scope:

  • Vulnerabilities in downstream ORMs, databases, or application frameworks
  • Misconfiguration by consumers (for example, omitting allowedFields or validate: true in production)
  • Issues that require an attacker to control server-side code or deployment configuration outside QAST

Security Model

QAST is designed to be safe by default, but correct integration is required:

  • allowedFields and allowedOperators — restrict which fields and operators can appear in a query
  • fieldConstraints — validate value types, ranges, enums, and patterns per field
  • validate: "true" (default) — enforce whitelists and complexity limits during parsing
  • Complexity limitsmaxDepth, maxNodes, maxQueryLength, maxArrayLength, maxStringLength
  • Field sanitizationsanitizeFieldName() helps prevent unsafe field names from reaching ORM layers

Example (recommended for production APIs):

const ast = parseQuery(rawFilter, {
  allowedFields: ['age', 'name', 'active'],
  allowedOperators: ['eq', 'ne', 'gt', 'lt', 'gte', 'lte', 'in'],
  fieldConstraints: {
    age: { type: 'number', min: 0, max: 130 },
    active: { type: 'boolean' },
  },
  maxDepth: 5,
  maxNodes: 50,
  maxQueryLength: 2048,
  validate: true,
});

Security advisories for QAST are published via GitHub Security Advisories and noted in CHANGELOG.md.

Dependencies

QAST has zero runtime dependencies. Dev dependencies are used only for development and CI. Security updates to dev tooling are handled through Dependabot and routine maintenance releases.

There aren't any published security advisories