We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability in lib3mf_rust, please report it responsibly:
- Do NOT open a public issue for security vulnerabilities
- Instead, use one of these secure methods:
  - GitHub Security Advisory: Use the Security Advisory feature
  - Email: Contact the maintainers directly at the email address listed in the repository
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (optional)
- Your contact information for follow-up questions
- Initial Response: We aim to acknowledge receipt within 48 hours
- Status Updates: We will provide updates on the investigation within 7 days
- Fix Timeline: Critical vulnerabilities will be addressed as soon as possible, typically within 30 days
- We request that you do not publicly disclose the vulnerability until we have had a chance to address it
- Once a fix is released, we will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
- We will credit you in the CHANGELOG and release notes
This library is designed with security in mind:
- No unsafe code: The entire codebase uses `#![forbid(unsafe_code)]`
- Memory safety: All memory management handled by Rust's ownership system
- Type safety: Leverages Rust's type system for correctness
- Input validation: All XML and ZIP data is validated
- Untrusted Input: 3MF files should always be treated as untrusted input
- XML Injection: The parser validates XML structure and rejects malformed data
- ZIP Bombs: Large compressed files are handled, but extremely large files may consume significant memory
- Resource Exhaustion: Very large models may consume substantial memory and CPU
- Test Keys Only: The library includes test decryption keys from the 3MF Consortium test suite
- Production Use: For production applications, use external cryptographic libraries with your own keys
- Never Use Test Keys: The embedded test keys are for conformance testing only and must not be used in production
Known Advisory: RUSTSEC-2023-0071 (RSA timing sidechannel)
- Status: No stable fix available (only RC versions)
- Severity: Medium (5.9 CVSS)
- Impact: Potential key recovery through timing sidechannels in RSA operations
- Mitigation: The RSA dependency is only used for test-only decryption with test keys from the 3MF Consortium test suite. Production applications should implement their own secure decryption using external cryptographic libraries and never use the embedded test keys.
- Tracking: We are monitoring the `rsa` crate for stable releases that address this issue.
When using lib3mf_rust in your application:
- Validate Input: Always validate 3MF files from untrusted sources
- Resource Limits: Consider imposing limits on file size and complexity
- Sandboxing: Consider running 3MF parsing in a sandboxed environment for untrusted files
- Error Handling: Always handle parsing errors gracefully
- Update Regularly: Keep the library updated to receive security fixes
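One way to apply the resource-limit advice to the ZIP container before a file reaches the parser, as an added example that is not lib3mf_rust code: it sums the uncompressed sizes declared in the central directory and refuses archives over a budget. The names `Limits`, `Reject`, `check_archive` and `sample` and the limit values are assumptions; declared sizes can be forged, so the bytes actually decompressed still need their own cap.

```rust
// Added example, not lib3mf_rust code: size budget read from a 3MF package's
// ZIP central directory. Type names and limits here are assumptions.
#[derive(Debug, PartialEq)]
pub enum Reject { NotZip, Malformed, Zip64, TooManyEntries, TooLarge }
pub struct Limits { pub max_entries: usize, pub max_total: u64 }

fn le(b: &[u8], at: usize, n: usize) -> Result<u64, Reject> {
    let s = b.get(at..at + n).ok_or(Reject::Malformed)?;
    Ok(s.iter().rev().fold(0, |v, &x| (v << 8) | x as u64))
}

/// Sum of declared uncompressed sizes, or the reason the archive is refused.
pub fn check_archive(buf: &[u8], lim: &Limits) -> Result<u64, Reject> {
    if buf.len() < 22 { return Err(Reject::NotZip); }
    // Locate the end-of-central-directory record by scanning backwards.
    let eocd = (0..=buf.len() - 22).rev()
        .find(|&i| buf[i..].starts_with(b"PK\x05\x06")).ok_or(Reject::NotZip)?;
    let count = le(buf, eocd + 10, 2)? as usize;
    let mut pos = le(buf, eocd + 16, 4)? as usize;
    // Sentinel values mean ZIP64; refuse rather than trust a second size field.
    if count == 0xFFFF || pos == 0xFFFF_FFFF { return Err(Reject::Zip64); }
    if count > lim.max_entries { return Err(Reject::TooManyEntries); }
    let mut total = 0u64;
    for _ in 0..count {
        if le(buf, pos, 4)? != 0x0201_4B50 { return Err(Reject::Malformed); }
        let size = le(buf, pos + 24, 4)?;
        if size == 0xFFFF_FFFF { return Err(Reject::Zip64); }
        total += size;
        if total > lim.max_total { return Err(Reject::TooLarge); }
        // Skip the 46-byte fixed header plus name, extra field and comment.
        pos += 46 + (le(buf, pos + 28, 2)? + le(buf, pos + 30, 2)? + le(buf, pos + 32, 2)?) as usize;
    }
    Ok(total)
}

/// Constructed sample input: central directory and EOCD only, no file data.
pub fn sample(entries: &[(&str, u32)]) -> Vec<u8> {
    let mut z: Vec<u8> = Vec::new();
    for (name, size) in entries {
        let mut h = [0u8; 46];
        h[..4].copy_from_slice(b"PK\x01\x02");
        h[24..28].copy_from_slice(&size.to_le_bytes());
        h[28..30].copy_from_slice(&(name.len() as u16).to_le_bytes());
        z.extend(h.iter().chain(name.as_bytes()));
    }
    let mut e = [0u8; 22];
    e[..4].copy_from_slice(b"PK\x05\x06");
    for o in [8, 10] { e[o..o + 2].copy_from_slice(&(entries.len() as u16).to_le_bytes()); }
    e[12..16].copy_from_slice(&(z.len() as u32).to_le_bytes());
    [z, e.to_vec()].concat()
}
```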
The library performs comprehensive validation:
- XML structure validation
- Numeric range checking (triangle indices, vertex references)
- Resource ID validation and circular reference detection
- Color format validation
- UUID format validation
- File path validation within ZIP containers
We maintain vigilant dependency management:
- Regular dependency updates
- Security advisory monitoring
- Minimal dependency footprint
- Well-maintained, trusted dependencies only
We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Contributors who report valid security issues will be acknowledged in our release notes (unless they prefer anonymity).