We actively support the following versions of Zenoo RPC with security updates:
| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ✅ |
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Zenoo RPC, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
Security Contact: justin.le.1105@gmail.com
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: The potential impact and severity
- Reproduction: Step-by-step instructions to reproduce the issue
- Environment: Version of Zenoo RPC, Python version, OS, etc.
- Proof of Concept: If applicable, include a minimal proof of concept
- Suggested Fix: If you have ideas for how to fix the issue
Example report (illustrative only):

```text
Subject: [SECURITY] Domain filter injection in query builder

Description:
The query builder inserts untrusted user input into Odoo domain filters
without validating it. Odoo compiles domains to parameterized SQL, so this
is not raw SQL injection, but a caller can add or alter domain clauses
(field, operator or value) and read records outside the intended scope.

Impact:
An attacker could read or enumerate records they are not authorized to
see, or craft filters that are expensive for the Odoo database to evaluate.

Reproduction:
1. Build a query whose filter value comes from user-controlled input
2. Supply input that changes the field or operator of the clause
3. Execute the query and observe records outside the intended scope

Environment:
- Zenoo RPC version: 1.2.0
- Python version: 3.11.0
- Odoo version: 16.0
- OS: Ubuntu 22.04

Proof of Concept:
[Include minimal code example]

Suggested Fix:
Build domains as structured (field, operator, value) tuples, take field
names and operators from an allowlist, and type-check values.
```
We aim to respond to security reports according to the following timeline:
- Initial Response: Within 24 hours
- Confirmation: Within 72 hours
- Fix Development: Within 2 weeks for critical issues
- Release: As soon as possible after fix is ready
- Public Disclosure: 90 days after fix is released
When using Zenoo RPC in production, please follow these security best practices:
- Use strong, unique passwords for Odoo accounts
- Implement proper access controls and user permissions
- Regularly rotate API credentials
- Use environment variables for sensitive configuration
```python
# ✅ Good: Use environment variables (inside an async function)
import os

from zenoo_rpc import ZenooClient  # import path assumed from the package name zenoo-rpc

client = ZenooClient(
    host=os.environ["ODOO_HOST"],  # KeyError if unset: fail fast rather than connect to None
    port=int(os.environ.get("ODOO_PORT", "8069")),
)
await client.login(
    database=os.environ["ODOO_DATABASE"],
    username=os.environ["ODOO_USERNAME"],
    password=os.environ["ODOO_PASSWORD"],
)

# ❌ Bad: Hardcoded credentials
client = ZenooClient("production-server.com")
await client.login("production_db", "admin", "password123")
```

- Always use HTTPS in production
- Validate SSL certificates
- Use proper firewall rules
- Consider VPN for database access
```python
from zenoo_rpc import ZenooClient  # import path assumed from the package name zenoo-rpc

# ✅ Good: Secure HTTPS connection
client = ZenooClient(
    "https://odoo.company.com",
    port=443,
    verify_ssl=True,  # reject untrusted or mismatched certificates
)

# ❌ Bad: Insecure HTTP or disabled SSL verification
client = ZenooClient(
    "http://odoo.company.com",  # HTTP instead of HTTPS: credentials and data cross the wire in clear text
    verify_ssl=False,  # Disabled SSL verification: any on-path attacker can impersonate the server
)
```

- Validate all user inputs
- Build domain filters as structured (field, operator, value) tuples; never let untrusted input choose the field name or operator, and never assemble a domain from strings
- Sanitize data before processing
- Implement rate limiting
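The bullets above describe validating input before it reaches Odoo. The following is an added example, not Zenoo RPC's own code: a domain builder for `res.partner` searches in which the field and operator of every clause come from an allowlist and only the value comes from the request, beside the unsafe pattern it replaces. `ALLOWED_FILTERS`, `MAX_VALUE_LEN` and the `search_partners` helper are assumptions for the example; `client.search(model, domain)` is the call shape the page itself uses.

```python
"""Safe Odoo domain construction from untrusted request parameters.

Added example, not Zenoo RPC's own code. The builder needs no network; only
search_partners() at the bottom touches a client.
"""

# Allowlist constructed for this example: which res.partner fields a caller may
# filter on, the operator used for each, and the value type expected.
ALLOWED_FILTERS = {
    "name": ("ilike", str),
    "email": ("ilike", str),
    "is_company": ("=", bool),
    "country_id": ("=", int),
}
MAX_VALUE_LEN = 100  # assumed upper bound for free-text filter values


class InvalidFilter(ValueError):
    """Raised when a request tries to filter outside the allowlist."""


def _escape_like(value):
    # Odoo wraps an ilike value in %...% but passes the value through, so a
    # user-supplied '%' or '_' would act as a wildcard (PostgreSQL default
    # escape character is backslash).
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_partner_domain(params):
    """Return e.g. [('name', 'ilike', 'acme'), ('is_company', '=', True), ('active', '=', True)].

    Every clause is a (field, operator, value) tuple whose field and operator are
    fixed by ALLOWED_FILTERS, so the caller cannot add clauses, switch the
    operator, or filter on fields the endpoint never meant to expose.
    """
    if not isinstance(params, dict):
        raise InvalidFilter("filters must be a mapping")
    domain = []
    for field, value in params.items():
        if field not in ALLOWED_FILTERS:
            raise InvalidFilter(f"filtering on {field!r} is not allowed")
        operator, expected_type = ALLOWED_FILTERS[field]
        # bool is a subclass of int, so reject True/False for integer fields explicitly
        if not isinstance(value, expected_type) or (expected_type is int and isinstance(value, bool)):
            raise InvalidFilter(f"{field!r} expects {expected_type.__name__}")
        if isinstance(value, str):
            value = value.strip()
            if not value or len(value) > MAX_VALUE_LEN:
                raise InvalidFilter(f"{field!r} must be 1..{MAX_VALUE_LEN} characters")
            if operator == "ilike":
                value = _escape_like(value)
        domain.append((field, operator, value))
    # Always restrict to active records so archived data cannot be reached
    domain.append(("active", "=", True))
    return domain


def build_partner_domain_unsafe(filters):
    """❌ Trusts the request for field and operator.

    A caller can send {'field': 'active', 'op': 'in', 'value': [True, False]} to
    reach archived records, or pick any field and operator they like.
    """
    return [(f["field"], f["op"], f["value"]) for f in filters]


async def search_partners(client, params):
    """Run the validated domain through the client (call shape as used on this page)."""
    return await client.search("res.partner", build_partner_domain(params))
```

`build_partner_domain` raises `InvalidFilter` rather than silently dropping bad keys, so the API layer can return a 400 and log the attempt; the unsafe variant is shown only to make the contrast concrete.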
```python
# ✅ Good: Input validation
import re

# Simple syntactic e-mail check; the original snippet called is_valid_email() without defining it
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_email(value):
    return isinstance(value, str) and bool(_EMAIL_RE.match(value))


def validate_partner_data(data):
    if not isinstance(data, dict):
        raise ValueError("Partner data must be a mapping")
    if not isinstance(data.get("name"), str) or not data["name"].strip():
        raise ValueError("Name must be a non-empty string")
    if len(data["name"]) > 100:
        raise ValueError("Name too long")
    if "email" in data and not is_valid_email(data["email"]):
        raise ValueError("Invalid email format")
    return data


await client.create("res.partner", validate_partner_data(user_input))

# ❌ Bad: No validation
await client.create("res.partner", user_input)  # Direct user input
```

- Don't expose sensitive information in error messages
- Log security events appropriately
- Implement proper exception handling
```python
# ✅ Good: Safe error handling
import logging

from zenoo_rpc.exceptions import AuthenticationError  # import path assumed

logger = logging.getLogger(__name__)

try:
    result = await client.search("res.partner", domain)
except AuthenticationError:
    logger.warning("Authentication failed for user %s", username)  # username: the login that was attempted
    raise ValueError("Invalid credentials") from None  # Generic message, original exception not chained
except Exception:
    logger.exception("Unexpected error during partner search")  # Full details go to the log only
    raise ValueError("Operation failed") from None  # Don't expose details to the caller

# ❌ Bad: Exposing sensitive information
try:
    result = await client.search("res.partner", domain)
except Exception as e:
    raise e  # Exposes internal details (hostnames, database names, stack frames) to the caller
```

- Keep dependencies up to date
- Regularly audit for vulnerabilities
- Use dependency scanning tools
- Pin dependency versions
```shell
# Check installed packages for known vulnerabilities
# (pip-audit is a separate tool, not a pip subcommand)
pip install pip-audit
pip-audit

# Audit the pinned requirements file before deploying it
pip-audit -r requirements.txt

# Update to the latest release
pip install --upgrade zenoo-rpc
```

```text
# requirements.txt with pinned versions
zenoo-rpc==1.2.0
httpx==0.24.1
pydantic==2.0.0
```

Pinning gives reproducible installs, but it also freezes a version after a vulnerability is published against it; re-run the audit and bump the pins on a schedule rather than only when something breaks.

Zenoo RPC includes several built-in security features:
- HTTPS/TLS support with certificate validation
- Connection timeout and retry mechanisms
- Secure session management
- Pydantic model validation
- Type checking and sanitization
- Domain filter validation
- Custom exception hierarchy
- Secure error messages
- Comprehensive logging
- Built-in rate limiting capabilities
- Configurable thresholds
- Circuit breaker patterns
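The best-practice list above says to implement rate limiting, and the feature list mentions built-in rate limiting and circuit breakers without documenting an API for them. The following is an added example, not Zenoo RPC's own implementation: a caller-side token bucket and circuit breaker wrapped around an arbitrary RPC call, with an injectable clock so the failure modes (bucket empty, circuit open, half-open trial) can be exercised offline. `FakeClock`, the thresholds and `guarded_call` are assumptions for the example.

```python
"""Client-side rate limit and circuit breaker for RPC calls.

Added example, not Zenoo RPC's built-in limiter. Pass your own clock to test
deterministically; the default is time.monotonic.
"""
import time


class RateLimitExceeded(Exception):
    """The caller is sending faster than the configured rate."""


class CircuitOpen(Exception):
    """Too many recent failures; the call was not attempted."""


class FakeClock:
    """Deterministic clock for tests (assumed helper, not part of any library)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenBucket:
    """Allow `capacity` bursts, refilled at `rate` tokens per second."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.clock = clock
        self.tokens = self.capacity
        self.last = clock()

    def try_acquire(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class CircuitBreaker:
    """Open after `failure_threshold` consecutive failures; after `reset_timeout`
    seconds allow one trial call (half-open) and close again on success."""

    def __init__(self, failure_threshold, reset_timeout, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = float(reset_timeout)
        self.clock = clock
        self.failures = 0
        self.opened_at = None

    @property
    def is_open(self):
        return self.opened_at is not None and self.clock() - self.opened_at < self.reset_timeout

    def call(self, fn, *args, **kwargs):
        if self.is_open:
            raise CircuitOpen("upstream marked unhealthy; retry later")
        # Closed, or half-open after the timeout: attempt the call
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = self.clock()  # (re)open, restarting the cooldown
            raise
        self.failures = 0
        self.opened_at = None
        return result


def guarded_call(bucket, breaker, fn, *args, **kwargs):
    """Rate-limit first so a flood of calls never reaches the breaker or the server."""
    if not bucket.try_acquire():
        raise RateLimitExceeded("slow down")
    return breaker.call(fn, *args, **kwargs)
```

The breaker counts only exceptions raised by the wrapped call, so wrap the RPC call itself (for example a function that does `client.search(...)`) rather than code that already swallows errors; otherwise the circuit never opens.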
When we receive a security report, we follow this process:
- Acknowledge the report within 24 hours
- Investigate and confirm the vulnerability
- Develop a fix in a private repository
- Test the fix thoroughly
- Release a security update
- Notify users about the update
- Publish details after users have had time to update
Security updates are released as patch versions (e.g., 1.2.1) and include:
- Fix for the vulnerability
- Updated dependencies if needed
- Security advisory with details
- Migration guide if breaking changes are required
We recognize security researchers who responsibly disclose vulnerabilities:
No vulnerabilities have been reported yet.
For security-related questions or concerns:
- Security Email: justin.le.1105@gmail.com
- General Issues: GitHub Issues
- Documentation: Security Guide
Note: This security policy is subject to change. Please check back regularly for updates.