inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-04-27 19:16:44 +00:00
Code

fix list format (#9376)

Browse Source
This commit is contained in:
Matthias Mair 2025-03-25 10:07:42 +01:00 committed by GitHub
parent b397affa57
commit 5d4b587bf7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
docs/docs/concepts/threat_model.md
View File

@ -5,19 +5,21 @@ Deploying InvenTree to production requires to knowledge of the security assumpti
1. The InvenTree server is only available to trusted networks and there are detection mechanisms in place to detect unauthorised access.
1. When exposing to the internet, it is recommended to use a WAF and ensure only trusted IP ranges are allowed to access the server
2. It is recommended to enforce usage of strong traffic encryption along the network path
3. Authentication attempts are rate limited by InvenTree but should be monitored with appropriate monitoring and alerting solutions to detect long-running brute force attacks
1. When exposing to the internet, it is recommended to use a WAF and ensure only trusted IP ranges are allowed to access the server
2. It is recommended to enforce usage of strong traffic encryption along the network path
3. Authentication attempts are rate limited by InvenTree but should be monitored with appropriate monitoring and alerting solutions to detect long-running brute force attacks
2. All users are trusted - therefore user uploaded files can be assumed to be safe. There are basic checks in place to ensure that the files are not using common attack vectors but those are not exhaustive.
3. Superuser permissions are only given to trusted users and not used for daily operations. A superuser account can manipulate or extract all files on the server that the InvenTree server process have access to.
4. All templates and plugins are trusted.
1. It is recommended to only use plugins and templates from trusted sources.
2. It is recommended to review the code of the plugins and templates before using them.
3. Templates and plugins can access all files that the server and worker processes have access to
4. Plugins can access the inventree database and all data in the database
5. Plugins can access all environment variables that are accessible to the server and worker processes
1. It is recommended to only use plugins and templates from trusted sources.
2. It is recommended to review the code of the plugins and templates before using them.
3. Templates and plugins can access all files that the server and worker processes have access to
4. Plugins can access the inventree database and all data in the database
5. Plugins can access all environment variables that are accessible to the server and worker processes
## Possible attack vectors

1
docs/docs/security.md
View File

@ -1,5 +1,6 @@
There a 2 different documents regarding security:
- [Project Security](project/security.md) addresses security measures taken by the InvenTree project around the code base and the project itself
- [Threat Model](concepts/threat_model.md) describes the assumptions made regarding running an instance of InvenTree