We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of SolidCableMongoidAdapter seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not discuss the vulnerability in public forums, social media, or mailing lists until it has been addressed
Email: Send details to sscotto@gmail.com
Subject line: [SECURITY] SolidCableMongoidAdapter: Brief Description
Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if available)
- Your contact information for follow-up
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity within 5 business days
- Updates: We will keep you informed of our progress toward a fix
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
- Disclosure: Once a fix is available, we will:
  - Release a patched version
  - Publish a security advisory on GitHub
  - Notify users through appropriate channels
Target time to a patched release, by severity:
- Critical vulnerabilities: Patch within 7 days
- High severity: Patch within 30 days
- Medium/Low severity: Patch in the next regular release
When using SolidCableMongoidAdapter in production:
- Use Replica Sets: Always configure MongoDB as a replica set with authentication enabled
- Network Security:
  - Use TLS/SSL for MongoDB connections
  - Restrict MongoDB network access using firewalls
  - Use VPC/private networks in cloud environments
- Authentication: Enable MongoDB authentication with strong passwords
- Authorization: Use role-based access control (RBAC)
- Audit Logging: Enable MongoDB audit logs for compliance
```yaml
# config/cable.yml
production:
  adapter: solid_mongoid
  # Use environment variables for sensitive configuration
  # Never commit credentials to version control
```

```yaml
# config/mongoid.yml
production:
  clients:
    default:
      # Use ENV variables, never hardcode credentials
      uri: <%= ENV['MONGODB_URI'] %>
      options:
        # Enable TLS/SSL
        ssl: true
        ssl_verify: true
        ssl_cert: <%= ENV['MONGODB_CERT_PATH'] %>
        ssl_key: <%= ENV['MONGODB_KEY_PATH'] %>
        ssl_ca_cert: <%= ENV['MONGODB_CA_CERT_PATH'] %>
```

- Input Validation: Always validate and sanitize channel names and message payloads
- Authorization: Implement proper authorization checks in your Action Cable channels
- Rate Limiting: Implement rate limiting for WebSocket connections
- Monitoring: Monitor for unusual patterns in message volume or subscription activity
- Message Expiration: Configure appropriate TTL values to avoid data retention issues
- Sensitive Data: Avoid broadcasting sensitive information; encrypt if necessary
- Collection Access: Restrict access to the Action Cable messages collection
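The three channel-level controls above (validate the requested stream name, authorize it, rate-limit subscription attempts) can be applied in one place before a name ever reaches `stream_from`. The guard below is an added example written for this page; it is not part of SolidCableMongoidAdapter or Action Cable. The stream-name pattern, the limits, the `MEMBERSHIPS` table and the `RoomChannel` wiring in the comment are assumptions for the example; the guard itself is plain Ruby so it runs without Rails.

```ruby
# Added example (not part of SolidCableMongoidAdapter): a plain-Ruby guard that
# applies input validation, authorization and rate limiting to an Action Cable
# subscription request before the stream name is handed to stream_from.
class SubscriptionGuard
  # Stream names this app is willing to open: a short alphanumeric prefix and a
  # numeric room id (an assumption for the example). Anything else, including
  # empty names, "$"-prefixed operator strings, control characters and oversized
  # input, is rejected before it reaches the adapter or the database.
  STREAM_PATTERN = /\A[a-z][a-z0-9_]{0,30}:[0-9]{1,18}\z/

  # Maximum subscription attempts per identifier inside the window (assumed limits).
  RATE_LIMIT  = 10
  RATE_WINDOW = 60 # seconds

  Result = Struct.new(:ok, :reason, :stream)

  # authorizer: callable (user_id, stream) -> true/false, e.g. a room membership check.
  # clock: callable returning a Float time, injected so the limiter is testable.
  def initialize(authorizer:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @authorizer = authorizer
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = [] } # user_id => [timestamps]
  end

  # Returns a Result; a channel calls `reject` when ok is false and
  # `stream_from result.stream` when it is true.
  def check(user_id:, requested_stream:)
    return Result.new(false, :rate_limited, nil) if rate_limited?(user_id)

    stream = normalize(requested_stream)
    return Result.new(false, :invalid_stream, nil) unless stream
    return Result.new(false, :unauthorized, nil) unless @authorizer.call(user_id, stream)

    Result.new(true, nil, stream)
  end

  private

  # Accept only String input of bounded length that matches the allowlist pattern.
  def normalize(value)
    return nil unless value.is_a?(String)
    return nil if value.bytesize > 64
    value = value.strip
    STREAM_PATTERN.match?(value) ? value : nil
  end

  # Sliding-window counter: every attempt (accepted or rejected) counts, so a
  # client cannot enumerate room ids for free.
  def rate_limited?(user_id)
    now = @clock.call
    window = @attempts[user_id]
    window.reject! { |t| t < now - RATE_WINDOW }
    window << now
    window.size > RATE_LIMIT
  end
end

# How a channel would use it (Rails wiring shown as a comment, since the guard
# itself does not depend on Action Cable; `current_user` is assumed to be set
# via identified_by in ApplicationCable::Connection):
#
#   class RoomChannel < ApplicationCable::Channel
#     def subscribed
#       result = GUARD.check(user_id: current_user.id, requested_stream: params[:room])
#       result.ok ? stream_from(result.stream) : reject
#     end
#   end

# Constructed demo data: user 1 is a member of room 42 only.
MEMBERSHIPS = { 1 => ["chat:42"] }.freeze

def demo_guard(clock: nil)
  authorizer = ->(user_id, stream) { MEMBERSHIPS.fetch(user_id, []).include?(stream) }
  return SubscriptionGuard.new(authorizer: authorizer, clock: clock) if clock
  SubscriptionGuard.new(authorizer: authorizer)
end

if __FILE__ == $PROGRAM_NAME
  guard = demo_guard
  p guard.check(user_id: 1, requested_stream: "chat:42")       # ok
  p guard.check(user_id: 1, requested_stream: "chat:43")       # unauthorized
  p guard.check(user_id: 1, requested_stream: "chat:{$gt:0}")  # invalid_stream
end
```

Rate limiting is evaluated before validation and authorization so that rejected attempts still consume budget; the injected clock is what makes the window testable without sleeping.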
```yaml
# config/cable.yml
production:
  adapter: solid_mongoid
  collection_name: "action_cable_messages"
  expiration: 300 # 5 minutes - adjust based on your needs
  require_replica_set: true # Enforce replica set requirement
```

```yaml
# config/mongoid.yml
production:
  clients:
    default:
      uri: <%= ENV['MONGODB_URI'] %>
      options:
        max_pool_size: 50
        min_pool_size: 5
        ssl: true
        ssl_verify: true
        auth_source: admin
        replica_set: rs0
        read:
          mode: :primary_preferred
        write:
          w: 1
```

Messages are persisted in MongoDB with TTL-based expiration. Ensure your `expiration` setting aligns with your data retention policies and compliance requirements. Note that `w: 1` acknowledges a write as soon as the primary has accepted it, so a broadcast acknowledged under `w: 1` can still be lost if the primary fails before replicating it; use `w: majority` if a lost broadcast matters more than the added write latency.
Change stream resume tokens are held in memory only and are discarded on process restart. This is by design: a restarted process starts from a clean state rather than resuming from a stored token, which prevents replay of earlier events.
The MongoDB user must have the privilege actions Change Streams require:
- `find` on the messages collection
- `changeStream` on the database
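Granting `readWrite` (or more) is the usual shortcut and gives the adapter's user update, remove and drop rights it never needs. The script below is an added example, not part of SolidCableMongoidAdapter: it audits a `usersInfo` document (as returned with `showPrivileges: true`) against the least-privilege set and emits the `createRole` command that grants exactly that set. The database name, the role name and the three sample user documents are constructed for the example; `insert` is included on the assumption that broadcasts are written to the messages collection, which the adapter's persistence of messages implies but the privilege list above does not state.

```ruby
# Added example (not part of SolidCableMongoidAdapter): least-privilege audit of
# the MongoDB user the adapter connects as. Input shape follows
#   db.runCommand({ usersInfo: "cable_app", showPrivileges: true })
# but every document below is constructed, not captured from a deployment.
require "json"
require "set"

DB   = "app"                     # assumed database name
COLL = "action_cable_messages"   # collection_name from config/cable.yml

# Least-privilege action set: find + insert on the collection, changeStream on the db.
# (insert is an assumption: broadcasts have to be written somewhere.)
REQUIRED_ACTIONS = %w[find insert changeStream].freeze

# Built-in roles that grant far more than this set; readWrite is listed because
# it adds update/remove/dropCollection, none of which the adapter needs.
OVERBROAD_ROLES = %w[root dbOwner dbAdmin readWrite readWriteAnyDatabase
                     userAdmin userAdminAnyDatabase clusterAdmin].freeze

# True if a privilege resource applies to db.coll. MongoDB uses "" as a wildcard.
def covers?(resource, db, coll)
  return true if resource["anyResource"]
  return false if resource["cluster"]
  (resource["db"] == db || resource["db"] == "") &&
    (resource["collection"] == coll || resource["collection"] == "")
end

def describe(resource)
  return "any resource" if resource["anyResource"]
  return "cluster" if resource["cluster"]
  name = ->(v) { v.to_s.empty? ? "*" : v }
  "#{name.call(resource['db'])}.#{name.call(resource['collection'])}"
end

# Returns what is missing for the adapter to work and what is granted beyond its needs.
def audit_cable_user(user_doc, db: DB, coll: COLL)
  privileges = user_doc.fetch("inheritedPrivileges", [])
  granted = privileges.select { |p| covers?(p["resource"], db, coll) }
                      .flat_map { |p| p["actions"] }.to_set

  # anyAction implies everything, so nothing is "missing" (but it is flagged below).
  missing = granted.include?("anyAction") ? [] : REQUIRED_ACTIONS.reject { |a| granted.include?(a) }

  overbroad = user_doc.fetch("roles", [])
                      .select { |r| OVERBROAD_ROLES.include?(r["role"]) }
                      .map { |r| "role #{r['role']}@#{r['db']}" }
  privileges.each do |p|
    res = p["resource"]
    wildcard = res["anyResource"] || res["cluster"] || res["db"] == ""
    p["actions"].each do |a|
      overbroad << "#{a} on #{describe(res)}" if wildcard || !REQUIRED_ACTIONS.include?(a)
    end
  end

  { missing: missing, overbroad: overbroad }
end

# createRole command granting exactly REQUIRED_ACTIONS; feed it to db.runCommand in mongosh.
def least_privilege_role(db: DB, coll: COLL, name: "cable_adapter")
  {
    "createRole" => name,
    "privileges" => [
      { "resource" => { "db" => db, "collection" => coll }, "actions" => %w[find insert] },
      { "resource" => { "db" => db, "collection" => "" },   "actions" => %w[changeStream] }
    ],
    "roles" => []
  }
end

# Constructed sample documents.
TIGHT_USER = {
  "user" => "cable_app", "db" => "admin",
  "roles" => [{ "role" => "cable_adapter", "db" => "app" }],
  "inheritedPrivileges" => least_privilege_role["privileges"]
}.freeze

WIDE_USER = {
  "user" => "cable_app", "db" => "admin",
  "roles" => [{ "role" => "readWrite", "db" => "app" }],
  "inheritedPrivileges" => [
    { "resource" => { "db" => "app", "collection" => "" },
      "actions" => %w[find insert update remove changeStream dropCollection createIndex] }
  ]
}.freeze

READ_ONLY_USER = {
  "user" => "cable_app", "db" => "admin",
  "roles" => [{ "role" => "read", "db" => "app" }],
  "inheritedPrivileges" => [
    { "resource" => { "db" => "app", "collection" => "" }, "actions" => %w[find listCollections] }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(least_privilege_role)
  [TIGHT_USER, WIDE_USER, READ_ONLY_USER].each { |u| p audit_cable_user(u) }
end
```

A database-level `changeStream` grant (`collection: ""`) is accepted as covering the collection because that is the scope the adapter documentation names; a db-wide wildcard (`db: ""`) or `anyResource` is reported as over-broad regardless of action.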
When Change Streams are unavailable (for example against a standalone `mongod`), the adapter falls back to polling. Polling is less efficient and should not be used in production. Always deploy against a replica set, and set `require_replica_set: true` in `config/cable.yml` so that the requirement is enforced rather than left to the fallback.
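The deployment recommendations and the replica-set requirement above are all expressed in two YAML files, which makes them easy to check automatically before a deploy. The script below is an added example written for this page, not part of SolidCableMongoidAdapter: it audits a `mongoid.yml` and a `cable.yml` for hardcoded credentials, TLS disabled or verification turned off, no replica set, unacknowledged writes, a missing `require_replica_set`, and a missing or invalid `expiration`. The file contents are constructed (a weak pair and a hardened pair); ERB tags are replaced with a placeholder rather than evaluated, so the check never needs the real environment.

```ruby
# Added example (not part of SolidCableMongoidAdapter): a CI / boot-time audit of
# config/mongoid.yml and config/cable.yml against the hardening advice on this page.
require "yaml"

# Replace <%= ... %> with a marker so the file parses without evaluating ERB or
# needing the real environment variables.
def strip_erb(template)
  template.gsub(/<%.*?%>/m, "__ERB__")
end

def audit_mongoid_yml(template, env: "production")
  findings = []
  # Credentials typed into the file are a finding; ERB placeholders are not.
  if template.match?(%r{mongodb(\+srv)?://[^\s<]+:[^\s<]+@})
    findings << "mongoid.yml: credentials hardcoded in uri"
  end
  config = YAML.safe_load(strip_erb(template), permitted_classes: [Symbol]) || {}
  client = config.dig(env, "clients", "default") || {}
  opts   = client["options"] || {}
  uri    = client["uri"].to_s

  findings << "mongoid.yml: TLS not enabled (options.ssl / tls)" unless opts["ssl"] == true || opts["tls"] == true
  # The driver verifies certificates by default, so only an explicit opt-out is flagged.
  findings << "mongoid.yml: certificate verification disabled" if opts["ssl_verify"] == false || opts["tls_insecure"] == true
  findings << "mongoid.yml: no replica set configured" unless opts["replica_set"] || uri.include?("replicaSet=")
  findings << "mongoid.yml: unacknowledged writes (write.w = 0)" if opts.dig("write", "w") == 0
  findings
end

def audit_cable_yml(template, env: "production")
  findings = []
  cable = (YAML.safe_load(strip_erb(template)) || {}).fetch(env, {})
  findings << "cable.yml: adapter is not solid_mongoid" unless cable["adapter"] == "solid_mongoid"
  findings << "cable.yml: require_replica_set is not true (polling fallback allowed)" unless cable["require_replica_set"] == true
  exp = cable["expiration"]
  findings << "cable.yml: expiration missing or not a positive integer" unless exp.is_a?(Integer) && exp.positive?
  findings
end

# Combined check; an empty array means the pair passes.
def audit_config(mongoid_yml, cable_yml)
  audit_mongoid_yml(mongoid_yml) + audit_cable_yml(cable_yml)
end

# Constructed sample files. The weak pair shows the mistakes the audit catches.
WEAK_MONGOID_YML = <<~YAML
  production:
    clients:
      default:
        uri: mongodb://cable:hunter2@db.internal:27017/app
        options:
          ssl: false
          write:
            w: 0
YAML

WEAK_CABLE_YML = <<~YAML
  production:
    adapter: solid_mongoid
    collection_name: "action_cable_messages"
YAML

HARDENED_MONGOID_YML = <<~YAML
  production:
    clients:
      default:
        uri: <%= ENV['MONGODB_URI'] %>
        options:
          ssl: true
          ssl_verify: true
          ssl_ca_cert: <%= ENV['MONGODB_CA_CERT_PATH'] %>
          auth_source: admin
          replica_set: rs0
          write:
            w: 1
YAML

HARDENED_CABLE_YML = <<~YAML
  production:
    adapter: solid_mongoid
    collection_name: "action_cable_messages"
    expiration: 300
    require_replica_set: true
YAML

if __FILE__ == $PROGRAM_NAME
  puts "weak:", audit_config(WEAK_MONGOID_YML, WEAK_CABLE_YML)
  puts "hardened:", audit_config(HARDENED_MONGOID_YML, HARDENED_CABLE_YML).inspect
end
```

Wire `audit_config` into CI with the real files (`File.read("config/mongoid.yml")`) and fail the build on a non-empty result; because ERB is never evaluated, the check is safe to run on any branch without secrets.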
- 2025-02: Initial security review completed
- No known vulnerabilities at this time
If you have questions about security that are not sensitive in nature, please open a public GitHub issue with the `security` label.
For sensitive security concerns, always use the private reporting method described above.