| Version | Supported |
|---|---|
| 1.x.x | ✅ Actively supported |
| < 1.0.0 | ❌ End of life |
If you discover a security vulnerability in BioBots Tool, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities
- Email online.saurav@gmail.com with:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)
- You'll receive an acknowledgment within 48 hours
- A fix will be developed and released as soon as possible
- Arithmetic operator whitelist: The
ValidArithmeticHashSet only acceptsgreater,lesser, andequal— all other values are rejected with a 400 Bad Request - Numeric parameter validation:
double.TryParse()validates all numeric inputs before processing; non-numeric values return 400 Bad Request - Metric name validation: Only metrics registered in
MetricRegistryare queryable; unknown metric names return 400 Bad Request with a list of valid options
GlobalExceptionFiltercatches all unhandled exceptions and returns generic, safe error messages to clients- Internal exception details (stack traces, file paths, class names) are logged server-side via
System.Diagnostics.Tracebut never exposed in API responses - Exception type mapping:
FileNotFoundException→ 404,ArgumentException→ 400, all others → 500
- Read-only data access: The application only reads from
bioprint-data.json— no write operations, no database, no SQL injection risk - Streaming deserialization: JSON is parsed via
JsonTextReaderstream, avoiding full-file string allocation (limits memory exhaustion vectors) - Null-record filtering: Records with missing nested objects are skipped during loading, preventing
NullReferenceExceptioncascades
- Thread-safe cache: Double-checked locking pattern with volatile field prevents race conditions during cache rebuilds
- File-path configuration: The
DataFilePathsetting is read fromWeb.config<appSettings>at startup — not from user input
- All docs site pages use
escapeHtml()to sanitize data values before rendering them in the DOM - Data is loaded from a static JSON file — no user-supplied content is rendered without escaping
- The bioprint-data.json contains anonymized experimental data only
- No authentication tokens, API keys, or personal information in client-side code
- No cookies or local storage used for sensitive data
- Branch protection on
master— PRs require review - CodeQL analysis runs on every push and PR (JavaScript + C# scanning)
- Dependabot monitors NuGet, npm, GitHub Actions, and Docker dependencies for known vulnerabilities
- Docker container runs as non-root user with health checks
| Threat | Mitigation | Status |
|---|---|---|
| Malformed API input | Whitelist validation for operators, TryParse for numbers, MetricRegistry for metrics | ✅ Mitigated |
| Stack trace leakage | GlobalExceptionFilter returns generic messages, logs details server-side | ✅ Mitigated |
| XSS in docs site | escapeHtml() on all user-facing data rendering | ✅ Mitigated |
| Dependency vulnerabilities | Dependabot + CodeQL automated scanning | ✅ Monitored |
| Memory exhaustion | Streaming JSON deserialization, bounded dataset | ✅ Mitigated |
| Race conditions | Double-checked locking with volatile cache field | ✅ Mitigated |
| Path traversal | DataFilePath from config only, not user input | ✅ Mitigated |
Security-relevant dependencies are monitored via Dependabot:
Microsoft.AspNet.WebApi5.2.3Newtonsoft.Json13.0.3jest^30.2.0 (dev only)jest-environment-jsdom^30.2.0 (dev only)
- CSV formula injection prevention — cell values prefixed with
=,+,-,@are sanitized on export (CWE-1236) - Prototype pollution guard — object merging utilities reject
__proto__,constructor, andprototypekeys - URL safety validation — external URLs are validated against
javascript:anddata:scheme injection - Content Security Policy — docs site pages set restrictive CSP meta tags to block inline script injection