This document describes security considerations for PTA Standards and how to report security issues.
Security considerations for PTA Standards include:
- Specification Security - Security implications of specified behaviors
- Reference Implementation - Build tools and test harness
- Documentation - Preventing misleading security guidance
Implementations should be aware of the following parsing risks:
| Risk | Description | Mitigation |
|---|---|---|
| DoS via complex input | Deeply nested structures, long lines | Impose limits |
| Path traversal | include directives with ../ | Validate paths |
| Unicode issues | Homoglyph attacks, RTL override | Normalize input |
| Memory exhaustion | Very large files | Stream processing |
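As an added example (not code from the PTA Standards project), the following Python function shows one way to apply the "Normalize input" mitigation to account names: it rejects invisible and bidirectional control characters such as the RTL override U+202E, NFC-normalises the name so that composed and decomposed forms compare equal, and refuses names that mix scripts, which is the usual shape of a homoglyph attack. The function name, the script buckets and the sample names are assumptions.

```python
import unicodedata

# Added example: account-name normalisation for a PTA parser. Not the PTA
# Standards reference code; function names and rules are assumptions.

# Scripts we distinguish when looking for homoglyph mixing (assumption: the
# Unicode character name prefix is a good enough script bucket for this check).
KNOWN_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def script_of(ch):
    """Return the coarse script of a letter, or None for digits, punctuation, etc."""
    name = unicodedata.name(ch, "")
    for script in KNOWN_SCRIPTS:
        if name.startswith(script + " "):
            return script
    return None


def check_account(name):
    """Validate and normalise an account name.

    Returns (True, normalised_name) or (False, reason). Three checks:
    1. reject control and format characters (categories Cc/Cf); this covers
       the RTL override U+202E, zero-width joiners and other invisible code points;
    2. NFC-normalise so that 'e' + U+0301 and U+00E9 compare equal;
    3. reject names that mix scripts, since Latin 'a' and Cyrillic U+0430 look
       identical in most fonts but name different accounts.
    """
    for ch in name:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            return False, f"invisible or control character U+{ord(ch):04X}"
    normalised = unicodedata.normalize("NFC", name)
    scripts = {s for s in map(script_of, normalised) if s is not None}
    if len(scripts) > 1:
        return False, "mixed scripts: " + ", ".join(sorted(scripts))
    return True, normalised


if __name__ == "__main__":
    # Constructed sample inputs: plain, decomposed accent, Cyrillic homoglyph, RTL override
    for sample in ["Assets:Cash", "Assets:Cafe\u0301", "Assets:C\u0430sh", "Assets:Cash\u202e"]:
        print(repr(sample), check_account(sample))
```

Rejecting rather than silently stripping the offending characters is deliberate: an account name that needed a bidi override or a second script to look right is more likely an attack than a typo, and a loud failure is easier to audit than a quietly altered name.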
Risks in handling the financial data itself:
| Risk | Description | Mitigation |
|---|---|---|
| Sensitive data exposure | Account numbers, balances | Encryption at rest |
| Injection attacks | Metadata in external systems | Sanitize output |
| Information leakage | Error messages reveal paths | Generic errors |
The include directive poses risks:
```
; Potentially dangerous
include "/etc/passwd"          ; Absolute paths outside project
include "../../../secret.bean" ; Path traversal
include "https://evil.com/x"   ; Remote includes (if supported)
```
Recommendations for implementations:
- Restrict includes to project directory
- Disallow absolute paths by default
- Require explicit opt-in for remote includes
- Validate paths before opening
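The four recommendations above, as an added Python example that is not the PTA Standards reference implementation: `resolve_include` refuses remote URLs unless the caller opts in, refuses absolute paths, and canonicalises relative targets before checking that they stay inside the project directory, so neither `../` sequences nor a symlink can escape it. The function and error names, the `allow_remote` flag and the throwaway project layout built by `demo` (including its symlink) are assumptions.

```python
import os
import tempfile
from urllib.parse import urlparse

# Added example, not the PTA Standards reference implementation. The function
# name, the IncludeError type and the allow_remote flag are assumptions.

REMOTE_SCHEMES = {"http", "https", "ftp"}


class IncludeError(ValueError):
    """Raised when an include target is refused."""


def resolve_include(target, including_file, project_root, allow_remote=False):
    """Return the path an include directive is allowed to open.

    Rules, in order:
    - remote URLs are refused unless the caller opted in (allow_remote);
    - absolute paths are refused outright;
    - relative targets are resolved against the including file's directory,
      canonicalised (symlinks and '..' collapsed) and must stay inside
      project_root, which acts as an allowlist of one directory.
    """
    scheme = urlparse(target).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        if not allow_remote:
            raise IncludeError(f"remote includes are disabled: {target}")
        return target
    if os.path.isabs(target):
        raise IncludeError(f"absolute include path refused: {target}")
    root = os.path.realpath(project_root)
    base = os.path.dirname(os.path.realpath(including_file))
    candidate = os.path.realpath(os.path.join(base, target))
    # Compare canonical paths, not raw strings, so "../" and symlinks cannot escape.
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeError(f"include escapes project directory: {target}")
    return candidate


def classify(target, including_file, project_root, allow_remote=False):
    """Wrapper returning ('ok', path) or ('refused', message) instead of raising."""
    try:
        return "ok", resolve_include(target, including_file, project_root, allow_remote)
    except IncludeError as exc:
        return "refused", str(exc)


def demo():
    """Build a throwaway project directory containing a symlink that points
    outside it, then return the decision for each include target. The layout
    and targets are constructed; no ledger file is actually read."""
    tmp = tempfile.mkdtemp()
    project = os.path.join(tmp, "books")
    os.makedirs(os.path.join(project, "accounts"))
    outside = os.path.join(tmp, "outside")
    os.makedirs(outside)
    os.symlink(outside, os.path.join(project, "link"))  # symlink escaping the project
    main = os.path.join(project, "main.bean")
    cases = {
        "sibling": "accounts/2024.bean",       # legitimate include next to main.bean
        "traversal": "../../../secret.bean",   # path traversal
        "absolute": "/etc/passwd",             # absolute path outside project
        "remote": "https://example.org/x",     # remote include, not opted in
        "symlink": "link/secret.bean",         # traversal via a symlink
    }
    return {label: classify(t, main, project)[0] for label, t in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the remote and absolute tests run before any filesystem access, and the containment test uses `os.path.realpath` on both sides so that a project root reached through a symlink compares equal to itself.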
If you find a security issue in the specification itself:
- Do NOT open a public issue
- Open a GitHub Security Advisory (private)
- Include:
  - Description of the issue
  - Potential impact
  - Suggested fix (if any)
Security issues in specific implementations should be reported to those projects directly. This specification project is not responsible for implementation security.
Security issues in our build tools and test harness:
- Open a GitHub Security Advisory
- Or contact maintainers directly
Expected response timeline:
| Stage | Timeline |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 1 week |
| Fix development | 2-4 weeks |
| Disclosure | After fix, or 90 days |
We follow coordinated disclosure:
- Reporter notifies us privately
- We assess and develop fix
- We coordinate disclosure timing with reporter
- Public disclosure after fix is available
Credit is given to reporters unless they prefer anonymity.
Security-related specification changes are:
- Marked clearly in changelog
- Announced via security mailing list
- Given expedited review when needed
We recommend implementations:
- Limit maximum file size
- Limit maximum line length
- Limit include depth
- Limit directive count
- Timeout on parsing
- Canonicalize paths
- Check for traversal attempts
- Restrict to allowed directories
- Use allowlists over denylists
- Avoid exposing full file paths
- Sanitize user input in errors
- Log security events
- Fail securely
- Keep dependencies updated
- Audit dependency trees
- Use lockfiles
- Monitor for CVEs
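The input-limit items in the list above (file size, line length, include depth, directive count, parse timeout), as an added Python example that is not the PTA Standards reference parser: a streaming line reader that tracks bytes consumed, line length, nested include depth (which also stops a file that includes itself), directive count and a wall-clock deadline, and aborts with `LimitExceeded` as soon as any bound is crossed. The `Limits` defaults, the `files` mapping standing in for the filesystem and the sample ledger text are constructed assumptions.

```python
import io
import time

# Added example, not the PTA Standards reference parser. The Limits defaults,
# the error type and the in-memory "files" mapping are assumptions.


class LimitExceeded(Exception):
    """Raised as soon as any resource bound is crossed."""


class Limits:
    def __init__(self, max_bytes=1_000_000, max_line_len=4096,
                 max_include_depth=8, max_directives=100_000, timeout_s=5.0):
        self.max_bytes = max_bytes              # total bytes across all included files
        self.max_line_len = max_line_len        # longest line accepted
        self.max_include_depth = max_include_depth
        self.max_directives = max_directives
        self.timeout_s = timeout_s              # wall-clock budget for the whole parse


def _parse(name, files, limits, depth, state):
    if depth > limits.max_include_depth:
        raise LimitExceeded(f"include depth {depth} exceeds {limits.max_include_depth} at {name}")
    if name not in files:
        raise ValueError(f"unknown include target {name}")
    # Read line by line (StringIO stands in for an open file handle) so the
    # whole file never has to be held in memory; limits are checked as we go.
    for raw in io.StringIO(files[name]):
        if time.monotonic() > state["deadline"]:
            raise LimitExceeded("parse timeout")
        state["bytes"] += len(raw.encode("utf-8"))
        if state["bytes"] > limits.max_bytes:
            raise LimitExceeded(f"total input exceeds {limits.max_bytes} bytes")
        line = raw.rstrip("\n")
        if len(line) > limits.max_line_len:
            raise LimitExceeded(f"line longer than {limits.max_line_len} in {name}")
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        if line[0].isspace():
            continue  # indented continuation (a posting), not a new directive
        state["directives"] += 1
        if state["directives"] > limits.max_directives:
            raise LimitExceeded(f"more than {limits.max_directives} directives")
        if line.startswith("include "):
            target = line[len("include "):].strip().strip('"')
            _parse(target, files, limits, depth + 1, state)


def parse_ledger(root, files, limits=None):
    """Parse root and everything it includes; return the totals consumed."""
    limits = limits or Limits()
    state = {"bytes": 0, "directives": 0,
             "deadline": time.monotonic() + limits.timeout_s}
    _parse(root, files, limits, 0, state)
    return {"bytes": state["bytes"], "directives": state["directives"]}


def check(root, files, limits=None):
    """Return ('ok', totals) or ('limit', reason) instead of raising."""
    try:
        return "ok", parse_ledger(root, files, limits)
    except LimitExceeded as exc:
        return "limit", str(exc)


# Constructed sample ledger files (in-memory stand-in for the filesystem).
SAMPLE = {
    "main.bean": ('2024-01-01 open Assets:Cash\n'
                  'include "accounts.bean"\n'
                  '2024-01-02 * "Coffee"\n'
                  '  Expenses:Food  3.50 USD\n'
                  '  Assets:Cash\n'),
    "accounts.bean": "2024-01-01 open Expenses:Food\n",
    "loop.bean": 'include "loop.bean"\n',        # includes itself forever
    "wide.bean": "; " + "x" * 5000 + "\n",       # one line past max_line_len
}

if __name__ == "__main__":
    print(check("main.bean", SAMPLE))
    print(check("loop.bean", SAMPLE))
    print(check("wide.bean", SAMPLE))
    print(check("main.bean", SAMPLE, Limits(max_directives=2)))
```

The byte and directive counters live in one `state` shared across the include tree, so a set of many small files cannot add up to more than a single file would be allowed to; the deadline is likewise global rather than per file.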
| Section | Security Relevance |
|---|---|
| include directive | Path traversal, remote includes |
| plugin directive | Code execution |
| Metadata fields | Injection if exported |
| Account names | Unicode normalization |
| Decimal handling | Precision attacks |
Threats in scope:
- Malicious input files
- Malicious include targets
- Resource exhaustion
- Information disclosure
Threats out of scope:
- Compromised development environment
- Physical access attacks
- Social engineering
- Network attacks (unless remote includes)
| Date | Change |
|---|---|
| 2024-XX-XX | Initial security policy |