Commit 783afae

feat(security): Implement comprehensive file upload security measures - Add FileSecurityValidator, file type restrictions, size limits, path traversal prevention, enhanced logging and security documentation (#1753)
1 parent 76d4f42 commit 783afae

4 files changed

+837
-69
lines changed

packages/plugin-0g/readme.md

+156-1
@@ -124,4 +124,159 @@ Contributions are welcome! Please see our contributing guidelines for more detai
124124

125125
## License
126126

127-
[License information needed]
127+
[License information needed]
128+
129+
# plugin-0g Security Guide
130+
131+
## Overview
132+
The `plugin-0g` package implements secure file upload functionality with comprehensive security measures to protect against unauthorized access, malicious file uploads, and potential security vulnerabilities.
133+
134+
## Security Features
135+
136+
### 1. File Type Validation
137+
- Restricts uploads to allowed file types only
138+
- Default allowed types: `.pdf`, `.png`, `.jpg`, `.jpeg`, `.doc`, `.docx`
139+
- Configurable via `ZEROG_ALLOWED_EXTENSIONS` environment variable
140+
- Early validation before file processing
141+
- Prevents upload of sensitive files (e.g., `.env`, `.ssh`)
142+
143+
### 2. Size Restrictions
144+
- Default maximum file size: 10MB
145+
- Configurable via `ZEROG_MAX_FILE_SIZE` environment variable
146+
- Prevents DoS attacks through large file uploads
147+
- Validates file size before upload processing
148+
149+
### 3. Path Security
150+
- Prevents directory traversal attacks
151+
- Restricts uploads to designated directory
152+
- Sanitizes file paths
153+
- Configurable upload directory via `ZEROG_UPLOAD_DIR`
154+
- Special handling for test environments
155+
156+
### 4. Error Handling
157+
- Detailed error messages for troubleshooting
158+
- Structured logging with context
159+
- Security event monitoring
160+
- Upload metrics tracking
161+
- Cleanup operation monitoring
162+
163+
## Configuration
164+
165+
### Environment Variables
166+
```env
167+
# Required Settings
168+
ZEROG_MAX_FILE_SIZE=10485760 # Maximum file size in bytes (default: 10MB)
169+
ZEROG_ALLOWED_EXTENSIONS=".pdf,.png,.jpg,.jpeg,.doc,.docx" # Allowed file types
170+
ZEROG_UPLOAD_DIR="/path/to/uploads" # Secure upload directory
171+
ZEROG_ENABLE_VIRUS_SCAN=false # Enable virus scanning (future feature)
172+
173+
# Optional Settings
174+
ZEROG_CLEANUP_INTERVAL=3600 # Cleanup interval in seconds
175+
```
176+
177+
### Security Best Practices
178+
1. **File Types**
179+
- Only allow necessary file types
180+
- Regularly review allowed extensions
181+
- Consider business requirements
182+
183+
2. **Upload Directory**
184+
- Use absolute paths
185+
- Ensure proper permissions
186+
- Regular cleanup of old files
187+
- Monitor disk usage
188+
189+
3. **Error Handling**
190+
- Monitor security events
191+
- Review logs regularly
192+
- Set up alerts for suspicious activity
193+
194+
4. **Configuration**
195+
- Use environment variables
196+
- Never hardcode sensitive values
197+
- Regular security audits
198+
199+
## Error Messages
200+
201+
### File Type Validation
202+
```typescript
203+
{
204+
error: "File type validation failed",
205+
details: {
206+
error: "File type not allowed. Allowed types: .pdf, .png, .jpg, .jpeg, .doc, .docx",
207+
filePath: "/path/to/file"
208+
}
209+
}
210+
```
211+
212+
### Size Validation
213+
```typescript
214+
{
215+
error: "File size validation failed",
216+
details: {
217+
error: "File size exceeds limit of 10485760 bytes",
218+
filePath: "/path/to/file"
219+
}
220+
}
221+
```
222+
223+
### Path Validation
224+
```typescript
225+
{
226+
error: "File path validation failed",
227+
details: {
228+
error: "Invalid file path: Directory traversal detected",
229+
filePath: "/path/to/file"
230+
}
231+
}
232+
```
233+
234+
## Monitoring
235+
236+
### Security Events
237+
```typescript
238+
{
239+
timestamp: number;
240+
event: string;
241+
severity: 'low' | 'medium' | 'high';
242+
details: {
243+
error?: string;
244+
filePath?: string;
245+
// Additional context
246+
}
247+
}
248+
```
249+
250+
### Upload Metrics
251+
```typescript
252+
{
253+
filePath: string;
254+
size: number;
255+
duration: number;
256+
success: boolean;
257+
error?: string;
258+
}
259+
```
260+
261+
## Testing
262+
Run the test suite:
263+
```bash
264+
pnpm test
265+
```
266+
267+
The test suite includes:
268+
- File type validation
269+
- Size limit enforcement
270+
- Path traversal prevention
271+
- Error handling scenarios
272+
- Blockchain upload errors
273+
- Edge cases
274+
275+
## Contributing
276+
1. Follow security best practices
277+
2. Add tests for new features
278+
3. Update documentation
279+
4. Run full test suite before submitting PR
280+
281+
## Security Reporting
282+
Report security vulnerabilities to security@elizaos.com
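
Review bot: In the Environment Variables block (new lines 166-175), all four variables sit under `# Required Settings`, including `ZEROG_ENABLE_VIRUS_SCAN=false # Enable virus scanning (future feature)`, while the Security Features section gives defaults for the size limit (10MB) and the allowed extensions, so a reader cannot tell whether leaving them unset fails startup or falls back to the defaults. Suggest listing only the truly mandatory variables as required, moving the not-yet-implemented virus-scan flag out of that group, and stating what happens when `ZEROG_UPLOAD_DIR` is unset. Two further gaps in the same guide: `- Special handling for test environments` under Path Security does not say what is relaxed or how a test environment is detected, which matters because it is an exception to the traversal check; and the error examples all carry `filePath`, so the guide should say whether these objects are returned to the caller or only written to the log.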
