We release security updates for the following versions:

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in tmpltool, please report it by emailing the maintainers. You can find the contact information in the repository.

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Suggested fix (if you have one)
• Your contact information for follow-up

• Initial Response: We aim to respond to security reports within 48 hours
• Confirmation: We will confirm the vulnerability within 5 business days
• Fix Timeline: We will work on a fix and aim to release a patch within 14 days for critical vulnerabilities
• Disclosure: We will coordinate with you on the disclosure timeline

When using tmpltool, please follow these security best practices:

⚠️ WARNING: Only use --trust mode with templates you completely trust.

# ✗ DANGEROUS - Don't use --trust with untrusted templates
tmpltool --trust untrusted_template.tmpltool

# ✓ SAFE - Use without --trust for untrusted templates
tmpltool untrusted_template.tmpltool

Why? Trust mode disables security restrictions:

• Can read any file on the system (e.g., /etc/passwd, SSH keys)
• Can access parent directories (../)
• Can read sensitive configuration files

Only use --trust when:

• You wrote the template yourself
• You've reviewed and audited the template
• You trust the template source completely
• You need to access system files intentionally

Avoid processing untrusted templates without review:

# ✗ DANGEROUS - Don't process templates from untrusted sources
curl https://untrusted-site.com/template.tmpltool | tmpltool

# ✓ SAFE - Review templates before using them
curl https://trusted-site.com/template.tmpltool -o template.tmpltool
# Review the template
cat template.tmpltool
# Then use it
tmpltool template.tmpltool

What to check in templates:

• File system access attempts
• Unexpected environment variable usage
• Suspicious patterns or obfuscation

Be careful with sensitive environment variables:

# ✗ DANGEROUS - Don't expose secrets in environment
export DATABASE_PASSWORD="secret123"
tmpltool template.tmpltool  # Template could leak this

# ✓ BETTER - Use secure secret management
# Load secrets only when needed and clear them after use

Best practices:

• Don't put secrets in environment variables if possible
• Use dedicated secret management tools
• Clear sensitive env vars after use
• Review templates for filter_env(pattern="*") which could expose all env vars

Default security (without --trust):

• ✓ Only relative paths allowed
• ✓ No access to parent directories (..)
• ✓ No absolute paths (/etc/passwd)
• ✓ Restricted to current working directory

With --trust mode:

• ⚠️ Full filesystem access
• ⚠️ Can read any file the user can access
• ⚠️ No restrictions

When using Docker:

# ✓ SAFE - Mount only necessary directories
docker run --rm -v $(pwd):/workspace -w /workspace tmpltool template.tmpltool

# ✗ DANGEROUS - Don't mount entire filesystem
docker run --rm -v /:/host tmpltool template.tmpltool

tmpltool uses the Tera template engine. While Tera is designed to be safe, be aware that:

• Templates have access to environment variables via get_env()
• Templates can read files via filesystem functions
• Trust mode disables all security restrictions

Filesystem functions enforce security by default:

• read_file() - Restricted to relative paths
• file_exists() - Restricted to relative paths
• list_dir() - Restricted to relative paths
• glob() - Restricted to current directory

Use --trust only when necessary and with caution.

Functions like filter_env(pattern="*") can expose all environment variables. Review templates carefully to ensure they don't leak sensitive information.

Security updates will be:

1. Developed privately
2. Tested thoroughly
3. Released as patch versions (e.g., 1.2.1)
4. Announced in release notes with [SECURITY] tag
5. Added to this SECURITY.md file

We'd like to thank the following people for responsibly disclosing security issues:

Remember: Security is everyone's responsibility. If you see something, say something!