Security Specifications

This directory contains security requirements and guidelines for Beancount implementations.

Overview

Plain text accounting tools process user-controlled input files. While ledger files are typically local and trusted, implementations MUST handle malformed or malicious input gracefully to prevent:

  • Denial of Service (resource exhaustion through oversized, deeply nested, or pathological input)
  • Information disclosure (path traversal through include directives)
  • Code execution (plugins running without sandboxing)

Threat Model

See threat-model.md for the complete threat analysis.

Trust Boundaries

┌─────────────────────────────────────────────────────────┐
│                    User Environment                      │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐ │
│  │ Ledger File │    │  Includes   │    │  Plugins    │ │
│  │  (trusted)  │───▶│ (semi-trust)│───▶│ (untrusted) │ │
│  └─────────────┘    └─────────────┘    └─────────────┘ │
│         │                  │                  │         │
│         ▼                  ▼                  ▼         │
│  ┌─────────────────────────────────────────────────┐   │
│  │              Beancount Implementation            │   │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────────────┐  │   │
│  │  │ Parser  │  │ Loader  │  │ Plugin Runtime  │  │   │
│  │  └─────────┘  └─────────┘  └─────────────────┘  │   │
│  └─────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

Security Topics

Input Handling

| Topic          | Description                        | Spec   |
|----------------|------------------------------------|--------|
| Input Limits   | Size, line length, file count      | MUST   |
| Memory Limits  | Memory usage bounds                | SHOULD |
| Nesting Limits | Recursion depth limits             | MUST   |

Parsing

| Topic          | Description                            | Spec |
|----------------|----------------------------------------|------|
| ReDoS          | Regular expression denial of service   | MUST |
| Stack Overflow | Parser stack exhaustion                | MUST |

File Includes

| Topic          | Description                  | Spec   |
|----------------|------------------------------|--------|
| Path Traversal | Directory escape prevention  | MUST   |
| Cycles         | Include cycle detection      | MUST   |
| Symlinks       | Symbolic link handling       | SHOULD |

Plugins

| Topic        | Description                    | Spec   |
|--------------|--------------------------------|--------|
| Sandboxing   | Plugin isolation requirements  | SHOULD |
| Capabilities | Plugin permission model        | SHOULD |

Conformance Levels

Implementations MUST document their security posture:

| Level    | Requirements                                    |
|----------|-------------------------------------------------|
| Basic    | Input limits, path traversal protection         |
| Standard | Basic + ReDoS protection, cycle detection       |
| Hardened | Standard + plugin sandboxing, memory limits     |

Reporting Vulnerabilities

See SECURITY.md in the repository root.