DO NOT open a public GitHub issue for security vulnerabilities. Instead, please report them responsibly to:
Email: security@rethunk.tech
Response SLA: We aim to respond to security reports within 24 hours.
When reporting a vulnerability, please include:
- Description of the vulnerability
- Affected component(s) and version(s)
- Steps to reproduce (if applicable)
- Potential impact
- Suggested fix (optional)
TraceTrim is an active development project. Security updates are applied to:
| Version | Support Status | Update Cadence |
|---|---|---|
| Latest | Active | Continuous |
Only the latest version receives security updates. Users are encouraged to upgrade to the latest release for security patches.
- Clipboard content validation — All clipboard content validated before processing
- UTF-8 validation prevents binary data corruption
- Size limits (default: 1MB) prevent memory exhaustion
- Content sanitization removes potentially dangerous patterns
- Stack trace patterns — Strictly validated regex patterns
- No dynamic regex construction
- No evaluation of matched content
- Safe frame deduplication logic
- Go language — Memory-safe language with garbage collection
- Bounds checking — Protobuf runtime prevents buffer overflows
- Resource limits — Configurable content size limits
- Proper cleanup — Defer statements ensure resource release
- Cross-platform library — `golang.design/x/clipboard` handles platform differences
- No privileged operations — No root/admin access required
- Clipboard permissions — Only requires standard application permissions
- No network access — Application operates entirely locally
- Safe error reporting — No sensitive data in error messages
- Graceful degradation — Errors don't expose system information
- Content sanitization — Errors don't include clipboard content snippets
- Resource cleanup — Errors trigger proper cleanup/shutdown
- Unit tests — All modules have >80% test coverage
- Integration tests — End-to-end clipboard and parsing tests
- Fuzzing — Input validation tested against malformed clipboard content
- Linting — `go vet` and `golangci-lint` catch common mistakes
- Vulnerability scanning — `govulncheck` checks for known vulnerabilities
None currently known. Reports are welcome via security@rethunk.tech.
TraceTrim dependencies:
- golang.design/x/clipboard — Cross-platform clipboard library
- Standard Go library — Core functionality only
Security checks:
- `go mod verify` — Verify module checksums
- `go mod tidy` — Remove unused dependencies
- `govulncheck ./...` — Scan for known vulnerabilities
- Dependabot — Automated vulnerability alerts (if enabled)
| Vector | Risk | Mitigation |
|---|---|---|
| Memory Exhaustion | High | Content size limits, bounded processing, proper cleanup |
| Pattern Injection | Medium | Strict regex validation, no dynamic compilation |
| Malformed UTF-8 | Medium | UTF-8 validation before processing |
| Rapid Content Changes | Low | Polling-based approach handles gracefully |
| Resource Leaks | Low | Defer statements, error handling |
| Race Conditions | Low | Single-threaded clipboard monitoring |
- Network attacks — No network access; local-only operation
- File system attacks — Config file only; no arbitrary file I/O
- Privilege escalation — Runs with user permissions only; no elevation
- Code injection — No dynamic code execution; regex only
- Clipboard hijacking — Application reads/writes only; no control over other apps
- Key logging — No keystroke monitoring; clipboard-only
- GUI injection — No UI rendering; terminal/pipe only
- Permissions — Grant clipboard access permissions normally for any clipboard app
- Clipboard content — Be aware clipboard content may be temporarily visible
- Script mode — Use `--script-mode` for processing sensitive traces in pipelines
- Keep updated — Upgrade to latest version for security patches
- Regex safety — Patterns are pre-compiled; no dynamic regex from user input
- Size limits — Always enforce configurable size limits on clipboard content
- Error handling — Errors are safe; no content leaked in messages
- Testing — Add tests for new stack trace formats including edge cases
- ✅ Original error messages (unchanged)
- ✅ All unique stack frames (deduplicated only)
- ✅ Indentation and formatting (preserved exactly)
- ✅ Non-stack-trace content (unchanged)
- ✅ File paths and line numbers (unchanged)
- ❌ Consecutive duplicate frames only (same function + file + line)
- ❌ Nothing else; all content is safe
- Stack traces are parsed as plain text
- No code extraction or execution
- No evaluation of content
- No system commands from traces
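The following is an added example, not TraceTrim's own code, showing the two pre-parse checks described above (size cap, then UTF-8 validity) followed by the documented deduplication rule: only a frame that repeats the frame immediately before it (same function, file and line) is dropped, and every other line passes through unchanged. It assumes Go-runtime trace layout (a function line followed by a tab-indented `file:line +0x…` line); `MaxContentSize`, `SampleTrace` and `TrimTrace` are names chosen here, and the sample trace is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

const MaxContentSize = 1 << 20 // documented 1MB default; an assumed constant, not the project's own
// SampleTrace is a constructed Go panic trace in which one recursive frame repeats three times.
const SampleTrace = "panic: boom\n\ngoroutine 1 [running]:\nmain.recurse(0x3)\n\t/app/main.go:12 +0x25\nmain.recurse(0x2)\n\t/app/main.go:12 +0x25\nmain.recurse(0x1)\n\t/app/main.go:12 +0x25\nmain.main()\n\t/app/main.go:20 +0x1d"

// TrimTrace validates raw clipboard bytes (size cap, then UTF-8) and drops only frames that
// repeat the frame directly before them; every non-frame line passes through unchanged.
func TrimTrace(raw []byte) (string, error) {
	if len(raw) > MaxContentSize {
		return "", fmt.Errorf("content is %d bytes, limit is %d", len(raw), MaxContentSize)
	}
	if !utf8.Valid(raw) {
		return "", fmt.Errorf("content is not valid UTF-8")
	}
	lines := strings.Split(string(raw), "\n")
	out, prev := make([]string, 0, len(lines)), ""
	for i := 0; i < len(lines); i++ {
		// A Go frame is an unindented function line followed by a tab-indented location line.
		isFrame := i+1 < len(lines) && lines[i] != "" && !strings.HasPrefix(lines[i], "\t") && strings.HasPrefix(lines[i+1], "\t")
		if !isFrame {
			out = append(out, lines[i])
			prev = "" // any non-frame line ends a run of duplicates
			continue
		}
		fn, loc := lines[i], strings.TrimSpace(lines[i+1])
		if j := strings.Index(fn, "("); j >= 0 { // compare by function name, not call arguments
			fn = fn[:j]
		}
		if j := strings.LastIndex(loc, " +0x"); j >= 0 { // compare by file:line, not pc offset
			loc = loc[:j]
		}
		if key := fn + "\x00" + loc; key != prev {
			out = append(out, lines[i], lines[i+1])
			prev = key
		}
		i++ // the location line was consumed together with its function line
	}
	return strings.Join(out, "\n"), nil
}

func main() {
	fmt.Println(TrimTrace([]byte(SampleTrace)))
}
```

Running it keeps the first `main.recurse` frame and `main.main`, while the error message, blank line and goroutine header survive untouched.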
```yaml
clipboard-polling-interval: 500ms # Reasonable polling rate
clipboard-max-content-size: 1048576 # 1MB limit
parser-min-stack-lines: 2 # Avoid false positives
auto-detect-script-mode: true # Detect non-interactive use
show-timestamp: true # Logging for audit trail
```
- Config file is optional; defaults are safe
- No credentials in config (would be ignored)
- File permissions respected (config readable by user)
- Syntax errors trigger fallback to defaults
In the event of a confirmed security vulnerability:
- Impact assessment (severity, affected versions, scope)
- Fix development (in private branch if critical)
- Testing with regression tests
- Security update release (version bump, changelogs)
- User notification (security advisory if critical)
- Post-incident review (prevent similar issues)
Before using TraceTrim in production:
- Understand clipboard content being processed
- Configure size limits appropriate for environment
- Test with sample stack traces first
- Review logs for any errors or anomalies
- Keep application updated to latest version
- Configure script mode if processing in pipelines
- Security Issues: security@rethunk.tech
- General Support: support@rethunk.tech
- Website: https://rethunk.tech
Last updated: 2026-04-28