
Security: RikaiDev/inboxd


SECURITY.md

Security Guidelines for inboxd

This document outlines the security measures and best practices implemented in the inboxd project.

πŸ›‘οΈ 2025 JavaScript Security Standards

Following 2025 industry recommendations, inboxd enforces the following security tooling and standards:

Security Tools Implemented

  • ESLint Security Plugins: eslint-plugin-security, eslint-plugin-no-unsanitized
  • npm audit: Built-in Node.js dependency vulnerability scanning
  • Snyk: Advanced security scanning with actionable insights
  • CycloneDX + OWASP Dep-Scan: SBOM generation and comprehensive dependency analysis
  • Custom Security Scripts: Automated security validation

Security Commands

# ESLint security rules (maximum quality - no false positives)
npm run lint:check

# Dependency vulnerability audit
npm run security:audit

# Snyk security scan
npm run security:snyk

# CycloneDX SBOM + OWASP Dep-Scan
npm run security:depscan

# Comprehensive security suite
npm run security:comprehensive

# All security checks combined
npm run security:full

πŸ” Security Overview

inboxd implements multiple layers of security to protect user data and ensure safe operation:

1. User Authorization System

  • Explicit consent: Users must explicitly grant permission for AI to access LINE chat messages
  • Persistent authorization: Authorization state is securely stored and can be revoked at any time
  • No automatic access: The application never starts LINE or accesses user data on its own

2. Data Encryption

  • AES-256 encryption: All sensitive message content is encrypted with AES-256-CBC
  • Local key storage: Encryption keys are stored locally on the user's device
  • Secure key permissions: Key files are created with restrictive permissions (mode 600, owner read/write only)
  • Transparent encryption: Encryption and decryption happen without any user interaction

3. Code Security

  • ESLint security rules: Automated checks for common security vulnerabilities
  • Dependency auditing: Regular scans for vulnerable npm packages
  • Input sanitization: Protection against XSS and injection attacks
  • Secure coding practices: Following OWASP guidelines

πŸ› οΈ Security Tools

Available Commands

# Run ESLint security rules
npm run lint:check

# Check for dependency vulnerabilities
npm run security:audit

# Run Snyk security scan (requires SNYK_TOKEN)
npm run security:snyk

# Run all security checks
npm run security:check

# Run comprehensive security suite
npm run security:comprehensive

Security Tools Used

  1. ESLint Security Plugins
     • eslint-plugin-security: Detects common security vulnerabilities
     • eslint-plugin-no-unsanitized: Prevents XSS through unsanitized input
  2. npm audit: Checks for known security vulnerabilities in dependencies
  3. Snyk: Advanced security scanning for open-source dependencies and code
  4. Custom Security Script: Comprehensive security validation including:
     • Code vulnerability scanning
     • Encryption key security validation
     • Authorization state checks

πŸ” Security Checks

Automated Checks

The following security checks are performed automatically:

ESLint Security Rules

  • Buffer security issues
  • Child process usage
  • Eval usage detection
  • Object injection prevention
  • Timing attack prevention
  • Unsafe regex detection
  • XSS prevention

Dependency Security

  • Vulnerable package detection
  • Outdated dependency warnings
  • License compliance checks

Custom Security Validations

  • Encryption key file permissions
  • Authorization state integrity
  • Common security vulnerability patterns

Manual Security Reviews

Developers should manually review:

  1. Database queries: Ensure no SQL injection vulnerabilities
  2. File operations: Validate file paths and permissions
  3. IPC communication: Verify secure inter-process communication
  4. External API calls: Ensure safe handling of external services
  5. Error handling: Prevent information leakage through error messages

📋 Security Checklist for Developers

Before Committing Code

  • Run npm run security:comprehensive
  • Fix all security warnings
  • Review code for potential security issues
  • Ensure encryption is used for sensitive data

When Adding Dependencies

  • Run npm audit after adding new packages
  • Check package licenses for compatibility
  • Review package security history
  • Consider using Snyk for additional vulnerability checks

When Handling Sensitive Data

  • Always encrypt sensitive data before storage
  • Use secure random generation for keys/tokens
  • Implement proper access controls
  • Log security events appropriately

🚨 Security Incident Response

If a security vulnerability is discovered:

  1. Immediate Response
     • Stop deployment of vulnerable code
     • Notify security team
     • Assess impact and risk
  2. Investigation
     • Determine root cause
     • Identify affected systems/data
     • Document findings
  3. Remediation
     • Develop and test fix
     • Deploy security patches
     • Update security documentation
  4. Prevention
     • Improve security checks
     • Update development guidelines
     • Conduct security training

🔒 Privacy Protection

Data Handling Principles

  • Data minimization: Only collect necessary data
  • Purpose limitation: Data used only for stated purposes
  • Storage limitation: Data retained only as long as needed
  • Integrity and confidentiality: Data protected against unauthorized access

User Data Rights

  • Access: Users can view their data
  • Rectification: Users can correct their data
  • Erasure: Users can delete their data
  • Portability: Users can export their data
  • Restriction: Users can limit data processing

📞 Contact

For security-related questions or concerns:

📚 Additional Resources

There aren’t any published security advisories