Critical: Versions prior to 2.17.230 expose passwords in process listings. Upgrade immediately.

Please DO NOT file public GitHub issues for security vulnerabilities.

Report security vulnerabilities privately via:

1. GitHub Security Advisories (preferred)

   • Go to: https://github.com/vrognas/positron-svn/security/advisories
   • Click "Report a vulnerability"
   • Provide detailed information

2. Email

   • Send to: [repository maintainer email]
   • Subject: "SECURITY: [brief description]"
   • Include: version, steps to reproduce, impact assessment

• Initial response: Within 48 hours
• Impact assessment: Within 7 days
• Fix timeline: Based on severity
  • Critical: 1-3 days
  • High: 7-14 days
  • Medium: 30 days
  • Low: Next release cycle

• Extension version (Help → About in VS Code)
• SVN version (svn --version)
• Operating system and version
• Steps to reproduce the vulnerability
• Potential impact (who is affected, what data is at risk)
• Any suggested fixes (optional)

v2.17.230+ implements multiple layers of credential security:

• Credentials written to ~/.subversion/auth/ (mode 600)
• Never passed via command-line arguments
• Not visible in process listings (ps, top, etc.)
• Automatically managed by SVN

• All error messages sanitized before logging
• Removes: passwords, tokens, file paths, URLs, IP addresses
• Configurable debug mode for troubleshooting

• Passwords stored in OS keychain (encrypted)
  • macOS: Keychain Access
  • Windows: Credential Manager
  • Linux: Secret Service (gnome-keyring, KWallet)
• Never stored in plaintext in extension settings

• Visible confirmation of auth method in use
• Examples:
  • [auth: SSH key] - Most secure (svn+ssh://)
  • [auth: password via credential cache] - Secure
  • [auth: none - public repository] - No auth needed

• Risk: Local file system access
• Mitigation: File permissions restrict to user only
• Residual risk: LOW - requires local shell access
• CVSS 3.1: 3.2 (Low)

• Extension relies on system SVN client
• Vulnerabilities in SVN client affect extension
• Mitigation: Keep SVN updated (svn --version)

• Extension cannot prevent:
  • Weak repository passwords
  • Compromised SVN server
  • Man-in-the-middle attacks on HTTP URLs
• Mitigation: Use HTTPS or svn+ssh:// URLs

• Setting svn.debug.disableSanitization: true exposes credentials in logs
• Mitigation:
  • Prominent warning shown
  • One-click disable option
  • Never enable in production

Priority order (most secure first):

1. SSH Key Authentication ⭐ BEST

   Repository URL: svn+ssh://[email protected]/repo
   Setup: ssh-keygen, ssh-copy-id
   Security: Public key cryptography, no password transmission
   

2. HTTPS with Credential Cache ⭐ RECOMMENDED

   Repository URL: https://svn.example.com/repo
   Setup: Extension prompts for password, saves to cache
   Security: Encrypted transmission, cached credentials (mode 600)
   

3. HTTP (Local Networks Only)

   Repository URL: http://svn.local/repo
   Security: Unencrypted - only for trusted local networks
   

Recommended settings in .vscode/settings.json:

{
  // NEVER enable debug sanitization in production
  "svn.debug.disableSanitization": false,

  // Reduce attack surface
  "svn.sourceControl.countUnversioned": false,
  "svn.detectExternals": false,

  // Security-conscious defaults
  "svn.commit.checkEmptyMessage": true
}

For GitHub Actions, GitLab CI, etc.:

# ❌ NEVER do this:
- run: svn checkout https://svn.example.com/repo --username user --password ${{ secrets.SVN_PASSWORD }}

# ✅ Use SSH keys instead:
- name: Setup SSH key
  run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.SVN_SSH_KEY }}" > ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa
- run: svn checkout svn+ssh://svn.example.com/repo

1. Use SSH keys for all repositories

   ssh-keygen -t ed25519 -C "[email protected]"
   ssh-copy-id [email protected]

2. Enable automatic updates

   • Extension auto-updates via VS Code marketplace
   • Update SVN client regularly: brew upgrade subversion (macOS) or package manager

3. Protect credential cache

   # Verify permissions
   ls -la ~/.subversion/auth/svn.simple/
   # Should show: -rw------- (600)

4. Use multi-factor authentication

   • Enable MFA on your SVN server if supported
   • Use time-based passwords (TOTP) where available

SECURITY:

• FIXED: Password exposure in process list (CVSS 7.5 → 3.2)
  • Credentials no longer passed via --password command-line flag
  • Implemented SVN native credential cache
  • Credentials written to ~/.subversion/auth/ with mode 600

ADDED:

• Error sanitization system
  • Automatic redaction of passwords, tokens, paths, URLs
  • Debug mode with prominent security warnings
• Authentication method indicators
  • [auth: SSH key] - SSH key authentication
  • [auth: password via credential cache] - Cached password
  • [auth: none - public repository] - No authentication
• SecretStorage integration
  • OS keychain support (Keychain/Credential Manager/Secret Service)
  • Encrypted password storage

IMPROVED:

• Enhanced auth error messages with troubleshooting guidance
• Debug mode warnings prevent accidental credential exposure

VULNERABILITY:

• Passwords visible in process listings
• Credentials exposed in:
  • ps aux output (Linux/macOS)
  • Task Manager (Windows)
  • Container logs (Docker, Kubernetes)
  • CI/CD build logs
  • System audit logs

Impact: Any user on system could read passwords during 2-30 second window

Mitigation: Upgrade to v2.17.230 or later immediately

• Discovered: 2025-11-18
• Fixed in: v2.17.230
• Severity: HIGH (CVSS 7.5)
• Description: Passwords passed via --password flag visible in process list
• Affected versions: All versions < 2.17.230
• Mitigation: Upgrade to v2.17.230+

• SVN Security Best Practices
• OWASP Credential Management
• VS Code Security Guidelines

• Debug Authentication Guide - Troubleshooting auth issues
• LESSONS_LEARNED.md - Architecture security insights
• ARCHITECTURE_ANALYSIS.md - Security design decisions

• GDPR: Extension does not collect or transmit user data
• CCPA: No personal data shared with third parties
• SOC 2: Credentials stored in OS-provided secure storage only

All authentication operations logged (credentials redacted):

[repo]$ svn update --username alice [auth: password via credential cache]

Logs never contain:

• Actual passwords or tokens
• Full file system paths
• Repository URLs with embedded credentials

Extension security validated via:

1. Unit tests: 45+ test cases for credential handling
2. Integration tests: Process list verification
3. Manual security audit: Credential exposure testing
4. Static analysis: ESLint security rules
5. Dependency scanning: npm audit (0 production vulnerabilities)

For security-related questions (non-vulnerabilities):

• GitHub Discussions: https://github.com/vrognas/positron-svn/discussions
• Email: [repository maintainer email]

For security vulnerabilities:

• Use GitHub Security Advisories ONLY (see "Reporting a Vulnerability" above)

Last updated: 2025-11-20 Security version: 2.17.230