# Security Policy

## Security Measures

GetMD implements comprehensive security measures following WordPress best practices and OWASP guidelines.

### Export Download Security

The export download functionality (`AdminPage::handle_export_download()`) implements **4 layers of security**:

#### 1. Nonce Verification (CSRF Protection)
- **Location**: `admin/AdminPage.php:289-296`
- **Method**: `wp_verify_nonce()` with action `'summix_export_download_' . $export_id`
- **Purpose**: Prevents Cross-Site Request Forgery (CSRF) attacks
- **Implementation**: Nonces are generated in `RestAPI::get_download_url()` and verified before any sensitive operations
- **Failure Response**: HTTP 403 Forbidden

```php
if ( ! wp_verify_nonce( $nonce, 'summix_export_download_' . $export_id ) ) {
    wp_die( 'Security check failed.', 'Download Failed', [ 'response' => 403 ] );
}
```

#### 2. Capability Check (Authorization)
- **Location**: `admin/AdminPage.php:302-310`
- **Method**: `current_user_can( 'export' )`
- **Purpose**: Ensures only users with export permissions can access downloads
- **WordPress Capability**: `'export'` (available to Administrators and Editors by default)
- **Failure Response**: HTTP 403 Forbidden

```php
if ( ! current_user_can( 'export' ) ) {
    wp_die( 'You do not have permission to download exports.', 'Permission Denied', [ 'response' => 403 ] );
}
```

#### 3. Ownership Verification
- **Location**: `admin/AdminPage.php:335-343`
- **Method**: User ID comparison + admin override
- **Purpose**: Prevents users from accessing exports created by others
- **Admin Override**: Users with `'manage_options'` capability can access any export
- **Failure Response**: HTTP 403 Forbidden

```php
if ( get_current_user_id() !== (int) $export->user_id && ! current_user_can( 'manage_options' ) ) {
    wp_die( 'You do not have permission to download this export.', 'Permission Denied', [ 'response' => 403 ] );
}
```

#### 4. Path Traversal Prevention
- **Location**: `admin/AdminPage.php:359-374`
- **Method**: `realpath()` + `wp_normalize_path()` + basedir validation
- **Purpose**: Prevents path traversal attacks (e.g., `../../etc/passwd`)
- **Validation**: Ensures file path is within WordPress uploads directory
- **Failure Response**: HTTP 403 Forbidden

```php
$uploads  = wp_upload_dir();
$basedir  = wp_normalize_path( $uploads['basedir'] );
$realpath = wp_normalize_path( realpath( $file_path ) );

if ( strpos( $realpath, trailingslashit( $basedir ) ) !== 0 ) {
    wp_die( 'Invalid file path.', 'Download Failed', [ 'response' => 403 ] );
}
```

### Input Sanitization

All user inputs are sanitized before use:

- **Export ID**: `absint()` - Ensures positive integer
- **Nonce**: `sanitize_text_field()` + `wp_unslash()` - Removes slashes and sanitizes
- **Filename**: `sanitize_file_name()` - Prevents header injection and malicious filenames

### REST API Security

All REST API endpoints implement permission callbacks:

- **Permission Check**: `check_export_permission()` method
- **Required Capability**: `'export'`
- **Authentication**: WordPress REST API authentication (nonces, cookies, application passwords)

### Database Security

All database queries use prepared statements:

```php
$wpdb->prepare( "SELECT * FROM $table_name WHERE id = %d", $export_id )
```

This prevents SQL injection attacks.

### Output Escaping

All dynamic output is escaped using appropriate WordPress functions:

- `esc_html()` - For HTML content
- `esc_attr()` - For HTML attributes
- `esc_url()` - For URLs
- `wp_kses_post()` - For post content with allowed HTML

## Security Testing

### Automated Testing
- PHPUnit tests verify security functionality
- Integration tests cover authorization and validation
- CI/CD pipeline runs security checks on all commits

### Manual Testing
Recommended security tests:

1. **CSRF Test**: Attempt download without valid nonce
2. **Authorization Test**: Attempt download as user without export capability
3. **Ownership Test**: Attempt to download another user's export
4. **Path Traversal Test**: Attempt to access files outside uploads directory
5. **SQL Injection Test**: Test database queries with malicious input

## Reporting a Vulnerability

If you discover a security vulnerability, please email:

**security@summix.io**

Please include:

1. Description of the vulnerability
2. Steps to reproduce
3. Potential impact
4. Suggested fix (if available)

We will respond within 48 hours and provide updates on the fix timeline.

## Security Changelog

### Version 0.1.3 (2025-11-12)
- Enhanced security documentation with inline comments
- Added this SECURITY.md file for transparency

### Version 0.1.2 (2025-10-28)
- Initial WordPress.org submission
- All security measures already implemented

### Version 0.1.0 (2025-10-26)
- Initial implementation with comprehensive security:
  - Nonce verification for download handler
  - Capability checks
  - Ownership verification
  - Path traversal prevention
  - Input sanitization
  - Output escaping

## Compliance

This plugin follows:

- [WordPress Security Best Practices](https://developer.wordpress.org/plugins/security/)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [WordPress Plugin Handbook - Security](https://developer.wordpress.org/plugins/security/)
- [WordPress Coding Standards](https://developer.wordpress.org/coding-standards/)

## Security Audit History

| Date | Version | Auditor | Findings | Status |
|------|---------|---------|----------|--------|
| 2025-10-26 | 0.1.0 | CodeRabbit | Critical: Path validation needed | ✅ Fixed |
| 2025-10-26 | 0.1.0 | CodeRabbit | Sanitization improvements | ✅ Fixed |
| 2025-11-12 | 0.1.3 | WordPress.org | Documentation clarity | ✅ Enhanced |

## Credits

Security implementation by the Summix.io team, following WordPress and industry best practices.