/*
 * Webpack chunk 39 of a Docusaurus-style docs build (see the "@site/" source
 * path in the metadata below). It pushes two modules onto window.webpackJsonp:
 * module 105 is the MDX runtime (component context provider plus a
 * createElement wrapper) and module 96 is the rendered "Security" docs page for
 * oauth2-proxy 6.1.x (versioned_docs/version-6.1.x/community/security.md), whose
 * private-disclosure policy is baked in as string literals.
 * Generated, minified output: the editUrl in the metadata points at the markdown
 * source, which is where the policy text should be changed.
 */
(window.webpackJsonp=window.webpackJsonp||[]).push([[39],{105:function(e,t,n){"use strict";n.d(t,"a",(function(){return d})),n.d(t,"b",(function(){return m}));var r=n(0),i=n.n(r);/* o: defineProperty helper. Sets e[t]=n and returns e; when t is already present on e (own or inherited, via "in") it goes through Object.defineProperty with an enumerable/configurable/writable descriptor, otherwise it is a plain assignment. */function o(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}/* a: ownKeys helper. Own string keys of e plus its own symbol keys; when t is truthy only enumerable symbols are kept. */function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var r=Object.getOwnPropertySymbols(e);t&&(r=r.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,r)}return n}/* s: objectSpread helper. Copies the own enumerable properties of every further argument onto e (null/undefined sources are treated as {}), using o() for odd argument positions and defineProperties with the source descriptors otherwise; returns e. */function s(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){o(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}/* c: objectWithoutProperties helper. Shallow copy of e without the keys listed in t (own string keys first, then own enumerable symbol keys); returns {} for a null/undefined e. */function c(e,t){if(null==e)return{};var n,r,i=function(e,t){if(null==e)return{};var n,r,i={},o=Object.keys(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||(i[n]=e[n]);return i}(e,t);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);for(r=0;r<o.length;r++)n=o[r],t.indexOf(n)>=0||Object.prototype.propertyIsEnumerable.call(e,n)&&(i[n]=e[n])}return i}/* u: MDX component context (module 0 is presumably React, given createContext/useContext/forwardRef/createElement/Fragment). l(e) merges e over the current context value, e being either a function of the parent value or an object spread on top of it; d (exported as "a") is the provider component. p is the default component map (inlineCode renders as a code element, wrapper as a Fragment). b is the forwardRef element that picks the component to render as d["parentName.mdxType"], then d[mdxType], then p[mdxType], then originalType. */var u=i.a.createContext({}),l=function(e){var t=i.a.useContext(u),n=t;return e&&(n="function"==typeof e?e(t):s(s({},t),e)),n},d=function(e){var t=l(e.components);return i.a.createElement(u.Provider,{value:t},e.children)},p={inlineCode:"code",wrapper:function(e){var t=e.children;return i.a.createElement(i.a.Fragment,{},t)}},b=i.a.forwardRef((function(e,t){var n=e.components,r=e.mdxType,o=e.originalType,a=e.parentName,u=c(e,["components","mdxType","originalType","parentName"]),d=l(n),b=r,m=d["".concat(a,".").concat(b)]||d[b]||p[b]||o;return n?i.a.createElement(m,s(s({ref:t},u),{},{components:n})):i.a.createElement(m,s({ref:t},u))}));/* m (exported as "b"): createElement wrapper used by the page module. When e is a string tag or the props carry mdxType, it swaps in the b element above and passes a copy of the props with originalType/mdxType set; otherwise it forwards the call unchanged. The bare hasOwnProperty below is the global object's inherited Object.prototype.hasOwnProperty, not a local. */function m(e,t){var n=arguments,r=t&&t.mdxType;if("string"==typeof e||r){var o=n.length,a=new Array(o);a[0]=b;var 
s={};for(var c in t)hasOwnProperty.call(t,c)&&(s[c]=t[c]);s.originalType=e,s.mdxType="string"==typeof e?e:r,a[1]=s;for(var u=2;u<o;u++)a[u]=n[u];return i.a.createElement.apply(null,a)}return i.a.createElement.apply(null,n)}b.displayName="MDXCreateElement"},/* Module 96: the rendered docs page. Exports frontMatter (a), metadata (s: page metadata such as source path, permalink, editUrl and the previous-page link), rightToc (c: the section outline) and default (l: the page component). r.a from module 2 appears to be used like Object.assign for merging props, i.a from module 6 like the props-omit helper c above, and o is module 105. */96:function(e,t,n){"use strict";n.r(t),n.d(t,"frontMatter",(function(){return a})),n.d(t,"metadata",(function(){return s})),n.d(t,"rightToc",(function(){return c})),n.d(t,"default",(function(){return l}));var r=n(2),i=n(6),o=(n(0),n(105)),a={id:"security",title:"Security"},s={unversionedId:"community/security",id:"version-6.1.x/community/security",isDocsHomePage:!1,title:"Security",description:"OAuth2 Proxy is a community project.",source:"@site/versioned_docs/version-6.1.x/community/security.md",slug:"/community/security",permalink:"/oauth2-proxy/docs/6.1.x/community/security",editUrl:"https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/versioned_docs/version-6.1.x/community/security.md",version:"6.1.x",sidebar:"version-6.1.x/docs",previous:{title:"Request Signatures",permalink:"/oauth2-proxy/docs/6.1.x/features/request_signatures"}},c=[{value:"Security Disclosures",id:"security-disclosures",children:[{value:"How will we respond to disclosures?",id:"how-will-we-respond-to-disclosures",children:[]}]}],u={rightToc:c};/* Page component. Renders a "note" admonition (community project, responses may be slower than in sponsored projects), the "Security Disclosures" heading with an "important" admonition (report privately, never via public issues or PRs), the list of details a report should contain, and the "How will we respond" section (private GitHub Security Advisories, regular PRs for minor or already-public issues, possible backports). Every visible string here is compiled from security.md; change the policy text there, not in this bundle. */function l(e){var t=e.components,n=Object(i.a)(e,["components"]);return Object(o.b)("wrapper",Object(r.a)({},u,n,{components:t,mdxType:"MDXLayout"}),Object(o.b)("div",{className:"admonition admonition-note alert alert--secondary"},Object(o.b)("div",Object(r.a)({parentName:"div"},{className:"admonition-heading"}),Object(o.b)("h5",{parentName:"div"},Object(o.b)("span",Object(r.a)({parentName:"h5"},{className:"admonition-icon"}),Object(o.b)("svg",Object(r.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(o.b)("path",Object(r.a)({parentName:"svg"},{fillRule:"evenodd",d:"M6.3 5.69a.942.942 0 0 
1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"})))),"note")),Object(o.b)("div",Object(r.a)({parentName:"div"},{className:"admonition-content"}),Object(o.b)("p",{parentName:"div"},"OAuth2 Proxy is a community project.\nMaintainers do not work on this project full time, and as such,\nwhile we endeavour to respond to disclosures as quickly as possible,\nthis may take longer than in projects with corporate sponsorship."))),Object(o.b)("h2",{id:"security-disclosures"},"Security Disclosures"),Object(o.b)("div",{className:"admonition admonition-important alert alert--info"},Object(o.b)("div",Object(r.a)({parentName:"div"},{className:"admonition-heading"}),Object(o.b)("h5",{parentName:"div"},Object(o.b)("span",Object(r.a)({parentName:"h5"},{className:"admonition-icon"}),Object(o.b)("svg",Object(r.a)({parentName:"span"},{xmlns:"http://www.w3.org/2000/svg",width:"14",height:"16",viewBox:"0 0 14 16"}),Object(o.b)("path",Object(r.a)({parentName:"svg"},{fillRule:"evenodd",d:"M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"})))),"important")),Object(o.b)("div",Object(r.a)({parentName:"div"},{className:"admonition-content"}),Object(o.b)("p",{parentName:"div"},"If you believe you have found a vulnerability within OAuth2 Proxy or any of its\ndependencies, please do NOT open an issue or PR on GitHub, please do NOT post any\ndetails publicly."))),Object(o.b)("p",null,"Security disclosures MUST be done in private.\nIf you 
have found an issue that you would like to bring to the attention of the\nmaintenance team for OAuth2 Proxy, please compose an email and send it to the\nlist of maintainers in our ",Object(o.b)("a",Object(r.a)({parentName:"p"},{href:"https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS"}),"MAINTAINERS")," file."),Object(o.b)("p",null,"Please include as much detail as possible.\nIdeally, your disclosure should include:"),Object(o.b)("ul",null,Object(o.b)("li",{parentName:"ul"},"A reproducible case that can be used to demonstrate the exploit"),Object(o.b)("li",{parentName:"ul"},"How you discovered this vulnerability"),Object(o.b)("li",{parentName:"ul"},"A potential fix for the issue (if you have thought of one)"),Object(o.b)("li",{parentName:"ul"},"Versions affected (if not present in master)"),Object(o.b)("li",{parentName:"ul"},"Your GitHub ID")),Object(o.b)("h3",{id:"how-will-we-respond-to-disclosures"},"How will we respond to disclosures?"),Object(o.b)("p",null,"We use ",Object(o.b)("a",Object(r.a)({parentName:"p"},{href:"https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories"}),"GitHub Security Advisories"),"\nto privately discuss fixes for disclosed vulnerabilities.\nIf you include a GitHub ID with your disclosure we will add you as a collaborator\nfor the advisory so that you can join the discussion and validate any fixes\nwe may propose."),Object(o.b)("p",null,"For minor issues and previously disclosed vulnerabilities (typically for\ndependencies), we may use regular PRs for fixes and forego the security advisory."),Object(o.b)("p",null,"Once a fix has been agreed upon, we will merge the fix and create a new release.\nIf we have multiple security issues in flight simultaneously, we may delay\nmerging fixes until all patches are ready.\nWe may also backport the fix to previous releases,\nbut this will be at the discretion of the maintainers."))}l.isMDXComponent=!0}}]); |