Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in MyGarage, please report it privately to help us fix it before public disclosure.

Preferred Method: Use GitHub Security Advisories

• Go to the Security tab of this repository
• Click "Report a vulnerability"
• Fill out the advisory form with details

Alternative Method: Create a Private Issue

• Open a GitHub Issue
• Mark it as security-related
• Provide detailed information about the vulnerability

To help us understand and fix the issue quickly, please include:

• Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
• Affected component (e.g., backend API, frontend, Docker image)
• Affected version(s) (e.g., v2.14.0, all versions, Docker latest tag)
• Steps to reproduce - Detailed instructions to trigger the vulnerability
• Potential impact - What could an attacker do with this vulnerability?
• Suggested fix (if you have one) - We appreciate any guidance!
• Your contact information - So we can follow up with questions

• Acknowledgment: We'll acknowledge receipt within 48 hours
• Initial assessment: We'll provide an initial assessment within 5 business days
• Fix timeline: Critical issues will be patched within 7 days, high-priority within 14 days
• Disclosure: We'll coordinate with you on responsible disclosure timing
• Credit: We'll publicly credit you in the security advisory (unless you prefer anonymity)

We actively support the following versions with security updates:

Docker Tags:

• latest - Always points to the most recent stable release with security patches
• v2.x.x - Specific version tags (e.g., v2.14.0)
• main - Development branch, not recommended for production

When deploying MyGarage, follow these security recommendations:

• Never use auth_mode=none in production - This disables all authentication!
• Use auth_mode=local with strong passwords, or auth_mode=oidc with a trusted SSO provider
• If you must use none mode (e.g., behind a trusted reverse proxy with authentication), set MYGARAGE_ALLOW_AUTH_NONE=true to acknowledge the risk

• Run behind a reverse proxy (Traefik, Nginx, Caddy) with HTTPS
• Configure proper CORS origins via MYGARAGE_CORS_ORIGINS environment variable
• Limit network access to trusted networks (use Docker networks, firewall rules)
• Enable JWT cookie secure flag in production (auto-enabled when debug=false)

• Use strong, unique passwords for PostgreSQL (if using external database)
• Restrict database network access to MyGarage container only
• Enable PostgreSQL SSL/TLS connections for remote databases
• Regularly backup your database and test restore procedures

• Run the official ghcr.io/homelabforge/mygarage Docker image
• Keep the image updated - check for security patches regularly
• MyGarage runs as non-root user (UID 1000) by default
• Review and restrict volume mounts to necessary directories only

• Never commit .env files to version control
• Use Docker secrets or environment variable injection for sensitive values
• Rotate JWT secrets periodically (requires user re-authentication)
• Review .env.example for security-sensitive configuration options

• Upload size limits are enforced (10MB photos, 25MB documents by default)
• Only allowed file extensions are accepted (configured in config.py)
• Store uploaded files outside the web root (handled automatically)
• Consider scanning uploads with antivirus tools if accepting files from untrusted users

• Subscribe to GitHub releases for security announcements
• Monitor application logs for suspicious activity
• Enable health checks in your container orchestration
• Test updates in a staging environment before production deployment

MyGarage includes the following built-in security features:

• Authentication: Local JWT or OIDC/SSO integration
• Password Hashing: Argon2id with high memory cost (100MB, time cost 3, parallelism 4)
• Session Management: HttpOnly JWT cookies with SameSite protection
• Rate Limiting:
  • Auth endpoints: 5 requests/minute (brute-force protection)
  • Upload endpoints: 20 requests/minute
  • Export endpoints: 5 requests/minute (resource protection)
  • General API: 200 requests/minute
• Input Validation: Pydantic models with strict validation
• SQL Injection Prevention: SQLAlchemy ORM with parameterized queries
• CORS Protection: Configurable allowed origins
• Content Security: File extension and MIME type validation

MyGarage defaults to auth_mode=none for easy initial setup. This mode:

• Disables all authentication - Anyone who can access the URL can access all data
• Displays prominent security warnings in logs
• Is blocked in production unless MYGARAGE_ALLOW_AUTH_NONE=true is set
• Should NEVER be used when exposed to the public internet

Recommended for:

• Local development and testing
• Single-user deployments behind a firewall
• Behind a reverse proxy with external authentication (e.g., Authelia, oauth2-proxy)

Switch to local or oidc mode before exposing to untrusted networks.

When MYGARAGE_DEBUG=true:

• Detailed error messages are returned to clients (may leak internal paths)
• Stack traces are included in error responses
• More verbose logging (may include sensitive information)
• JWT cookie secure flag is disabled (allows HTTP in development)

Never enable debug mode in production.

MyGarage relies on the following external services:

• NHTSA vPIC API (vpic.nhtsa.dot.gov) - VIN decoding, publicly accessible
• Python/Node.js packages - See requirements.txt and package.json

We regularly monitor dependencies for known vulnerabilities using:

• Dependabot alerts (GitHub)
• pip-audit for Python packages
• npm audit for Node.js packages

MyGarage v2.14.1 underwent comprehensive security analysis using GitHub CodeQL. All CRITICAL, HIGH, and MEDIUM severity findings have been remediated.

• Total Alerts Analyzed: 272
• Security Fixes: 122 (2 CRITICAL, 119 HIGH, 1 MEDIUM)
• Code Quality Fixes: 101 (NOTE level - unused imports, unused variables, etc.)
• False Positives: 23 (6 SSRF + 16 stack trace + 1 secret storage) + 6 code quality = 29 total
• Deferred: 47 (Cyclic imports - architectural refactoring needed)
• Resolution Rate: 89% (223 fixes + 29 false positives + 47 deferred = 272 alerts accounted for)

• Location: backend/app/services/oidc.py:100
• Fix: Created comprehensive URL validation utility (backend/app/utils/url_validation.py)
• Protection:
  • Blocks private IP ranges (RFC 1918, RFC 4193)
  • Blocks loopback and link-local addresses
  • Blocks AWS metadata endpoint (169.254.169.254)
  • DNS rebinding protection
  • Domain allowlisting support
• Commit: Phase 1 - SSRF vulnerabilities

• Location: backend/app/services/nhtsa.py:48
• Fix: Validated API base URL with domain whitelist (*.nhtsa.dot.gov)
• Protection: HTTPS-only, blocks private IPs, validates recalls API
• Commit: Phase 1 - SSRF vulnerabilities

• Scope: 44 Python files, 200+ instances
• Vulnerability: F-string logging allows newline injection for log forgery
• Fix: Converted to parameterized logging (logger.info("msg %s", var))
• Tool: Automated with fix_log_injection.py script
• Files: routes/, services/, utils/, migrations/, core
• Commit: Phase 4 - Log injection vulnerabilities

• Location: backend/app/services/oidc.py:104,108,111,308
• Fix: Created mask_secret() function
• Protection: Shows only first/last 4 chars (oidc_****...****_abcd)
• Commit: Phase 2 - Secret exposure issues

• Location: backend/app/routes/photos.py:250,259
• Fix: Added validate_path_within_base() defense-in-depth
• Protection: Validates resolved path is within PHOTO_DIR
• Commit: Phase 3 - Path injection

• Location: frontend/public/sw.js:147
• Fix: Added strict same-origin validation
• Protection: Rejects messages from unauthorized origins
• Commit: Phase 5 - postMessage origin check

• Analysis: CodeQL cannot detect validation due to static analysis limitations
• Locations: backend/app/services/oidc.py (4 instances), backend/app/services/nhtsa.py (2 instances)
• Protection: All URLs validated by validate_oidc_url() or validate_nhtsa_url() before use
• Implementation: backend/app/utils/url_validation.py
  • Comprehensive SSRF protection (blocks private IPs, localhost, link-local, DNS rebinding)
  • Domain whitelisting for NHTSA (*.nhtsa.dot.gov)
  • HTTPS enforcement for NHTSA
• Why CodeQL Flags: CodeQL's data-flow analysis traces URLs from user input to HTTP requests but cannot semantically verify validation effectiveness
• Note: CodeQL Python does not support inline suppression comments (GitHub Issue #11427)
• Action: Manually dismiss alerts via GitHub UI with justification
• Reference: /srv/raid0/docker/documents/history/mygarage/2025-12-04-codeql-suppression-limitation.md

• Analysis: Exception handlers only active in production (settings.debug=false)
• Implementation: backend/app/utils/error_handlers.py
  • handle_generic_exception(): Logs full trace, returns sanitized message
  • handle_database_error(): Logs full error, returns generic message
• Security: Stack traces never exposed to clients in production
• Debug Mode: Stack traces shown only in controlled dev environments
• Commit: Phase 5 - Documented as false positive

• Location: backend/app/utils/secret_key.py:43
• Analysis: JWT signing key MUST persist across container restarts
• Mitigation:
  • File permissions: 0o600 (owner-only access)
  • Stored in protected /data volume
  • Standard practice for JWT keys
• Alternative: Would require external key management (e.g., HashiCorp Vault)
• Commit: Phase 2 - Documented as false positive

Code Quality Improvements Completed in v2.14.2:

• ✅ Unused imports (65) - FIXED
• ✅ Unused variables (9) - FIXED
• ✅ Empty except blocks (8) - FIXED (added explanatory comments)
• ✅ Mixed return types (3) - DOCUMENTED as false positive
• ✅ Other code style (4) - FIXED

Remaining Items Deferred to Future Refactoring:

• ⏳ Cyclic imports (47) - Architectural issue, documented for future sprint
  • See: /srv/raid0/docker/documents/history/mygarage/2025-12-04-cyclic-imports-deferred.txt
  • Recommended fixes: TYPE_CHECKING, dependency injection, lazy imports

Progress: 101/148 code quality issues resolved (68%) These do not pose security risks and will be addressed in an architectural refactoring sprint.

New Security Utilities:

• backend/app/utils/url_validation.py: Comprehensive SSRF protection
• backend/app/exceptions.py: Added SSRFProtectionError
• fix_log_injection.py: Automated log injection remediation tool

Updated Security Practices:

• All HTTP requests validated for SSRF
• All logging uses parameterized format (auto-sanitizes)
• All file paths validated for traversal
• All secrets masked in logs
• All postMessage events validate origin

Security test suites created (Phase 6):

• SSRF protection tests: 30+ test cases
• Path validation tests: 15+ test cases
• Log injection tests: 10+ test cases
• Secret masking tests: 5+ test cases
• postMessage origin tests: 5+ test cases

All tests pass with no regressions.

• CodeQL Analysis: Run December 2025
• Remediation Commits: Phases 1-5
• Test Coverage: Phase 6
• Documentation: Phase 7
• Detailed History: /srv/raid0/docker/documents/history/mygarage/security-remediation-2025-12-04.md

Security-related changes are documented in CHANGELOG.md with [SECURITY] tags.

Recent security improvements:

• v2.14.2 (December 2025): Comprehensive CodeQL remediation - Fixed all CRITICAL/HIGH/MEDIUM alerts
  • SSRF protection (2 CRITICAL)
  • Log injection fixes (110+ HIGH)
  • Secret masking (4 HIGH)
  • Path injection (2 HIGH)
  • postMessage origin validation (1 MEDIUM)
• v2.10.0: Added JWT HttpOnly cookies, SameSite protection, secure flag auto-detection
• v2.8.0: Implemented Argon2id password hashing, increased memory cost to 100MB
• v2.6.0: Added rate limiting to authentication endpoints
• v2.4.0: Enhanced CORS configuration, strict MIME type validation

For security-related questions or concerns:

• Security Advisories: Report via GitHub
• General Support: GitHub Issues

For community discussions (non-security topics), use GitHub Discussions.

Thank you for helping keep MyGarage and its users safe!