Security updates are provided for the latest major version. We recommend always using the latest stable release.
| Version | Supported | Status |
|---|---|---|
| 2.3.x | ✅ Yes | Current (SSRF protected) |
| 2.2.x | Critical fixes only | |
| 2.1.x | ❌ No | Upgrade required |
| < 2.0.0 | ❌ No | Deprecated |
Please do not report security vulnerabilities via public GitHub issues.
Email: datacenter111@gmail.com
Include:
- Clear description of the vulnerability
- Steps to reproduce (code snippets, POC)
- Potential impact assessment
- Your preferred disclosure timeline
What to expect:
- Acknowledgment: Within 48 hours
- Investigation: Security assessment (1-5 days)
- Fix Development: Priority patch release
- Disclosure: Security advisory after fix is deployed
We credit security researchers unless they prefer anonymity.
All HTTP workers (HttpRequestWorker, HttpDownloadWorker, HttpUploadWorker, HttpSyncWorker) include comprehensive SSRF protection:
Blocked Targets:
- Localhost: localhost, 127.0.0.1, ::1, 0.0.0.0
- Private IPv4: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Link-Local: 169.254.0.0/16 (includes AWS metadata 169.254.169.254)
- Private IPv6: fc00::/7 (ULA), fe80::/10 (link-local), fd00:ec2::254
- Local Domains: *.localhost, *.local
- Invalid Schemes: Only http:// and https:// allowed
Implementation:
```kotlin
// All HTTP workers validate URLs before making requests
if (!SecurityValidator.validateURL(url)) {
    return WorkerResult.Failure("Invalid or unsafe URL")
}
```
Test Coverage: 50+ test cases verify SSRF protection
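The following Kotlin/JVM guard is an added example, not the library's `SecurityValidator` (whose source is not on this page); it implements the blocked-target list above so the rules can be seen as code. `SsrfGuard`, `validateUrl` and the injectable `resolve` parameter are assumed names, and `fakeDns` is a constructed lookup table so the demo runs without network access. It goes one step beyond the list by also checking the addresses a hostname resolves to, since a public-looking name can point into private space.

```kotlin
import java.net.Inet4Address
import java.net.Inet6Address
import java.net.InetAddress
import java.net.URI

// Added example: a standalone SSRF guard covering the blocked-target list above.
// SsrfGuard is an assumed name, not the library's SecurityValidator.
object SsrfGuard {
    private val allowedSchemes = setOf("http", "https")
    private val blockedHostNames = setOf("localhost", "0.0.0.0")
    private val blockedSuffixes = listOf(".localhost", ".local")

    // Returns true only if the URL is safe to fetch. `resolve` is injectable so the
    // hostname -> address step can be replaced in tests; the default does real DNS.
    fun validateUrl(
        raw: String,
        resolve: (String) -> List<InetAddress> = { InetAddress.getAllByName(it).toList() },
    ): Boolean {
        val uri = runCatching { URI(raw) }.getOrNull() ?: return false
        val scheme = uri.scheme?.lowercase() ?: return false
        if (scheme !in allowedSchemes) return false
        // URI.host keeps the brackets around IPv6 literals; strip them before matching.
        val host = uri.host?.lowercase()?.removeSurrounding("[", "]") ?: return false
        if (host in blockedHostNames || blockedSuffixes.any { host.endsWith(it) }) return false

        val addresses = if (isIpLiteral(host)) {
            // Literal address: getByName parses it without a DNS lookup.
            runCatching { listOf(InetAddress.getByName(host)) }.getOrNull().orEmpty()
        } else {
            // Hostname: resolve and check every address it maps to; fail closed on errors.
            runCatching { resolve(host) }.getOrNull().orEmpty()
        }
        return addresses.isNotEmpty() && addresses.none { isBlockedAddress(it) }
    }

    private fun isIpLiteral(host: String): Boolean =
        host.contains(':') || host.matches(Regex("""\d{1,3}(\.\d{1,3}){3}"""))

    fun isBlockedAddress(addr: InetAddress): Boolean {
        // Java's own predicates cover 127/8, ::1, 0.0.0.0, ::, 169.254/16 and fe80::/10;
        // the explicit ranges below make the list from the document visible.
        if (addr.isLoopbackAddress || addr.isAnyLocalAddress ||
            addr.isLinkLocalAddress || addr.isSiteLocalAddress) return true
        val b = addr.address.map { it.toInt() and 0xff }
        return when (addr) {
            is Inet4Address ->
                b[0] == 10 ||                              // 10.0.0.0/8
                (b[0] == 172 && b[1] in 16..31) ||         // 172.16.0.0/12
                (b[0] == 192 && b[1] == 168) ||            // 192.168.0.0/16
                (b[0] == 169 && b[1] == 254)               // 169.254.0.0/16 (cloud metadata)
            is Inet6Address ->
                (b[0] and 0xfe) == 0xfc ||                 // fc00::/7 ULA, includes fd00:ec2::254
                (b[0] == 0xfe && (b[1] and 0xc0) == 0x80)  // fe80::/10 link-local
            else -> true                                   // unknown address family: reject
        }
    }
}

fun main() {
    // Constructed lookup table standing in for DNS so the example runs offline.
    val fakeDns = mapOf(
        "api.example.com" to listOf("203.0.113.10"),      // public (TEST-NET-3) address
        "intranet.example.com" to listOf("10.20.30.40"),  // public name, private address
    )
    val offlineResolver: (String) -> List<InetAddress> =
        { host -> fakeDns[host].orEmpty().map { InetAddress.getByName(it) } }

    val samples = listOf(
        "https://api.example.com/v1/items",
        "https://intranet.example.com/",
        "http://169.254.169.254/",
        "http://[::1]:8080/",
        "http://user@127.0.0.1/",
        "ftp://api.example.com/",
        "http://service.local/",
        "http://[fd00:ec2::254]/",
    )
    for (url in samples) println("${SsrfGuard.validateUrl(url, offlineResolver)}  $url")
}
```

Resolving and checking the hostname closes the gap where a harmless-looking name maps into a private range, but the check is only as good as the address the client actually connects to: a second lookup at connect time can return a different answer, so a production client should connect to the validated address (or validate inside the resolver the HTTP client uses) rather than re-resolving independently.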
File Upload Protection:
- Maximum file size: 100MB
- Clear error messages on oversized files
- Prevents OOM crashes
Request/Response Limits:
- Request body: 10MB maximum
- Response body: 50MB maximum
- Configurable via `SecurityValidator` constants
HTTP Client Management:
- Automatic cleanup in finally blocks
- Prevents resource leaks
- Proper connection pooling
Sensitive Data Logging:
```kotlin
// Query parameters automatically redacted
SecurityValidator.sanitizedURL("https://api.com?key=secret")
// Returns: "https://api.com?[REDACTED]"

// String truncation for logs
SecurityValidator.truncateForLogging(longString, maxLength = 200)
```
File Path Validation:
```kotlin
// Prevents path traversal attacks
SecurityValidator.validateFilePath("/safe/path") // ✅ true
SecurityValidator.validateFilePath("../etc/passwd") // ❌ false
```
DO:
```kotlin
// Let the library validate URLs
scheduler.enqueue(
    id = "api-call",
    trigger = TaskTrigger.OneTime(),
    workerClassName = "HttpRequestWorker",
    inputJson = """{"url":"https://api.example.com"}"""
)
```
DON'T:
```kotlin
// Don't construct URLs from untrusted user input without validation
val userProvidedUrl = getUserInput() // ⚠️ DANGEROUS
```
RECOMMENDATION:
- Whitelist allowed domains
- Validate user input separately
- Use parameterized URLs instead of string concatenation
DO:
```kotlin
// Validate file paths
val sanitizedPath = userPath.replace("..", "")
if (SecurityValidator.validateFilePath(sanitizedPath)) {
    // Proceed with file operation
}
```
DON'T:
```kotlin
// Don't use user input directly in file paths
val file = File(userProvidedPath) // ⚠️ Path traversal risk
```
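As an added example (not the library's `validateFilePath`, and not code from the project), the check below is what a file worker should apply on top of any string cleanup: resolve the untrusted name against a fixed base directory, normalize, and require the result to stay inside that directory. Stripping `..` from the string is not what makes this safe; the containment check on the normalized path is. `resolveWithin` and the `/srv/app/uploads` base directory are assumptions.

```kotlin
import java.nio.file.Path
import java.nio.file.Paths

// Added example: containment check for a user-supplied file name under a fixed base
// directory. resolveWithin is an assumed name, not the library's validateFilePath.
fun resolveWithin(baseDir: Path, untrustedName: String): Path? {
    // Empty names and embedded NUL bytes are never valid file names.
    if (untrustedName.isBlank() || untrustedName.contains('\u0000')) return null
    val base = baseDir.toAbsolutePath().normalize()
    // resolve() returns the argument unchanged when it is absolute, so an absolute
    // input lands outside base and fails the startsWith check below. normalize()
    // folds "." and ".." segments so traversal is judged on the final path.
    val candidate = base.resolve(untrustedName).normalize()
    return if (candidate != base && candidate.startsWith(base)) candidate else null
}

fun main() {
    val uploads = Paths.get("/srv/app/uploads")   // constructed base directory
    val inputs = listOf(
        "report.pdf",          // plain name: accepted
        "2026/report.pdf",     // sub-directory inside the base: accepted
        "./report.pdf",        // "." is folded away: accepted
        "../etc/passwd",       // escapes the base: rejected
        "/etc/passwd",         // absolute path: rejected
        "",                    // empty: rejected
    )
    for (name in inputs) {
        println("input=\"$name\" -> ${resolveWithin(uploads, name) ?: "REJECTED"}")
    }
}
```

`normalize()` is purely lexical, so if the base directory may contain symlinks, open the file and compare `toRealPath()` of the opened path against the real path of the base as a second check; the lexical test alone cannot see a link that points outside.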
DO:
```kotlin
// Use encrypted storage for sensitive data
val encryptedData = encrypt(sensitiveInfo)
scheduler.enqueue(
    workerClassName = "SecureUploadWorker",
    inputJson = """{"data":"$encryptedData"}"""
)
```
DON'T:
```kotlin
// Don't pass sensitive data in logs or inputJson without encryption
Logger.d("Password: $password") // ⚠️ NEVER DO THIS
```
DO:
```kotlin
// Prefer HTTPS over HTTP
url = "https://secure-api.com" // ✅ Encrypted

// Implement certificate pinning for critical APIs
// (requires custom HTTP client configuration)
```
DON'T:
```kotlin
// Don't use HTTP for sensitive operations
url = "http://api.com/login" // ⚠️ Unencrypted
```
DO:
```bash
# Regularly audit dependencies
./gradlew dependencyCheckAnalyze
```
```kotlin
// Keep KMP WorkManager updated (build.gradle.kts)
implementation("dev.brewkits:kmpworkmanager:2.3.2") // ✅ Latest
```
DON'T:
```kotlin
// Don't use outdated versions with known vulnerabilities
implementation("dev.brewkits:kmpworkmanager:1.0.0") // ⚠️ Vulnerable
```
Vulnerability:
```kotlin
// User provides URL
val url = request.getParameter("url")
// Direct usage without validation
httpClient.get(url) // ⚠️ SSRF vulnerable
```
Fix:
```kotlin
// Validate before use
if (SecurityValidator.validateURL(url)) {
    httpClient.get(url)
} else {
    throw SecurityException("Invalid URL")
}
```
Vulnerability:
```kotlin
// User provides filename
val filename = request.getParameter("file")
// Direct file access
File("/uploads/$filename").readText() // ⚠️ Can access ../../../etc/passwd
```
Fix:
```kotlin
// Validate and sanitize
val safeName = filename.replace(Regex("[^a-zA-Z0-9._-]"), "")
if (SecurityValidator.validateFilePath(safeName)) {
    File("/uploads/$safeName").readText()
}
```
Vulnerability:
```kotlin
// Logging sensitive data
Logger.i("User password: $password") // ⚠️ Leaked in logs
```
Fix:
```kotlin
// Never log sensitive data
Logger.i("User authenticated successfully") // ✅ Safe
```
Vulnerability:
```kotlin
// Deserializing untrusted data
val obj = Json.decodeFromString<Task>(untrustedInput) // ⚠️ Risk
```
Fix:
```kotlin
import kotlinx.serialization.SerializationException
import kotlinx.serialization.decodeFromString
import kotlinx.serialization.json.Json

// Validate schema and use safe deserialization
val json = Json { ignoreUnknownKeys = true }
try {
    val obj = json.decodeFromString<Task>(input)
    // Validate object state
    require(obj.isValid()) { "Invalid task" }
} catch (e: SerializationException) {
    // Malformed JSON or a schema violation: reject the input
} catch (e: IllegalArgumentException) {
    // require() failed: the decoded Task is not in a valid state
}
```
```xml
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Certificate pinning for critical APIs -->
        <pin-set>
            <pin digest="SHA-256">base64encodedpublickey==</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```
```xml
<!-- AndroidManifest.xml -->
<application
    android:networkSecurityConfig="@xml/network_security_config">
</application>
```
```xml
<!-- Info.plist -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSRequiresCertificateTransparency</key>
            <true/>
        </dict>
    </dict>
</dict>
```
Before deploying to production:
- All HTTP URLs validated with `SecurityValidator.validateURL()`
- File paths validated with `SecurityValidator.validateFilePath()`
- No sensitive data in logs or error messages
- User input properly sanitized
- HTTPS used for all external APIs
- Network Security Config (Android) configured
- App Transport Security (iOS) enabled
- Minimum TLS version 1.2+ enforced
- Certificate pinning for critical endpoints (optional)
- All dependencies up to date
- Security audit completed (`dependencyCheckAnalyze`)
- No known vulnerabilities in dependency tree
- SSRF protection tests passing
- Path traversal tests passing
- Error handling tests passing
- Security edge cases covered
- Security best practices documented for team
- Incident response plan in place
- Security contacts updated
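The checklist items on HTTPS, TLS 1.2+ and certificate pinning, together with the earlier note that pinning "requires custom HTTP client configuration" and the query-string redaction shown under Sensitive Data Logging, can be seen together in one client setup. The block below is an added example assuming OkHttp 4.x on the JVM or Android; it is not the library's own HTTP client configuration, which this page does not show. `buildHardenedClient`, `redactQuery` and `PLACEHOLDER_PIN` are assumed names, and the pin value is an obvious placeholder that must be replaced with the real SPKI hash of the target API.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.HttpUrl
import okhttp3.HttpUrl.Companion.toHttpUrl
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.TlsVersion
import java.util.concurrent.TimeUnit

// Added example: HTTPS-only client with TLS 1.2+ and certificate pinning, plus
// query-string redaction in request logs. Assumes OkHttp 4.x; not the library's code.

// PLACEHOLDER: replace with the real "sha256/<base64 SPKI hash>" of the API's
// certificate chain, and keep a backup pin so the next certificate rotation does
// not lock the app out.
const val PLACEHOLDER_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

// Redacts the query string so keys and tokens never reach the logs; same idea as
// the library's sanitizedURL shown above.
fun redactQuery(url: HttpUrl): String {
    val bare = url.newBuilder().query(null).build().toString()
    return if (url.query == null) bare else "$bare?[REDACTED]"
}

// Logs only method and redacted URL; never headers or bodies.
val logInterceptor = Interceptor { chain ->
    val request = chain.request()
    println("${request.method} ${redactQuery(request.url)}")
    chain.proceed(request)
}

fun buildHardenedClient(host: String, pins: List<String>): OkHttpClient {
    // MODERN_TLS already excludes TLS 1.0/1.1; listing the versions makes the floor explicit.
    val tls12Plus = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
        .build()
    val pinner = CertificatePinner.Builder()
        .apply { pins.forEach { add(host, it) } }
        .build()
    return OkHttpClient.Builder()
        // No ConnectionSpec.CLEARTEXT in the list, so plain http:// requests are refused.
        .connectionSpecs(listOf(tls12Plus))
        .certificatePinner(pinner)
        .callTimeout(30, TimeUnit.SECONDS)
        .addInterceptor(logInterceptor)
        .build()
}

fun main() {
    val client = buildHardenedClient("api.example.com", listOf(PLACEHOLDER_PIN))
    println("pinned hosts configured: ${client.certificatePinner.pins.size}")
    // Constructed URL with a secret-looking query parameter, to show the redaction.
    println(redactQuery("https://api.example.com/v1/items?key=secret".toHttpUrl()))
}
```

On Android the Network Security Config shown earlier already enforces cleartext blocking and pins at the platform level; the client-side pinner is the equivalent for a custom OkHttp client and for JVM targets, and the two should carry the same pin set so a rotation is handled in one place.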
Date: February 2026
Auditor: Internal Security Review
Findings:
| Category | Rating | Notes |
|---|---|---|
| SSRF Protection | ✅ PASS | Comprehensive validation implemented |
| Resource Limits | ✅ PASS | File size limits enforced (100MB) |
| Input Validation | ✅ PASS | Path traversal prevented |
| Data Encryption | Responsibility of host application | |
| Dependency Security | ✅ PASS | All dependencies up to date |
| Error Handling | ✅ PASS | No sensitive data leaked in errors |
Overall Rating: 9/10 - Production Ready
Recommendations:
- ✅ Implemented: SSRF protection
- ✅ Implemented: Resource limits
- ✅ Implemented: Comprehensive tests
- 🔄 Ongoing: Regular dependency audits
- OWASP Top 10
- OWASP Mobile Security
- Android Security Best Practices
- iOS Security Guide
- Kotlin Security
- ✅ Added comprehensive SSRF protection
- ✅ Added 50+ security tests
- ✅ Added file size limits (100MB)
- ✅ Added URL validation documentation
- Added initial security validation
- See CHANGELOG.md for full history
Last Updated: February 16, 2026
Version: 2.3.2
Maintainer: Nguyễn Tuấn Việt (datacenter111@gmail.com)