Versions currently receiving security fixes:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
If you discover a security vulnerability in Fluvie, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly at the address listed in the package's `pubspec.yaml`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

What to expect after reporting:
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline depends on severity
Security issues we care about (in scope):
- Code execution vulnerabilities
- Path traversal in file operations
- Injection vulnerabilities in FFmpeg commands (for example, a user-supplied path or filename that FFmpeg could parse as an option or as filter-graph syntax)
- Memory safety issues
- Dependency vulnerabilities

Out of scope:
- FFmpeg's own security issues (report these to the FFmpeg project)
- Denial of service through large files (expected behavior: rendering cost grows with input size)
- Issues requiring physical device access
Fluvie constructs FFmpeg commands internally, and user-provided paths and filenames become arguments of those commands. The library:
- Does not shell-escape user input. FFmpeg is launched directly via `Process.start` with an argument list, so no shell is involved and shell metacharacters in paths are not interpreted. This does not protect against values that FFmpeg itself parses specially, such as a filename beginning with `-`, which FFmpeg reads as an option; callers must reject such input
- Validates file paths where possible
- Uses temporary directories for intermediate files
Fluvie reads and writes files during rendering:
- Input: Images, videos, audio files
- Output: Rendered video files
- Temporary: Frame data during encoding

Ensure your application validates user-provided file paths before passing them to Fluvie: canonicalize them (resolving `..` and symlinks), confirm they stay under a directory your application controls, and reject filenames that FFmpeg could misinterpret.
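As an added example (not Fluvie's own code), the following shows the validation the previous sentence asks for, together with the argument-list point from the FFmpeg section above. It assumes a POSIX file system, that all user-supplied media lives under one directory the application controls, and a hypothetical extension allowlist; `validateMediaPath`, `buildFfmpegArgs` and `UnsafePathException` are names chosen for this example, not Fluvie APIs, and the sample files it creates are constructed in a temporary directory.

```dart
// Added example, not part of Fluvie: validate user-supplied media paths
// before handing them to a library that builds FFmpeg command lines.
import 'dart:io';

/// Thrown when a user-supplied path fails validation.
class UnsafePathException implements Exception {
  final String reason;
  UnsafePathException(this.reason);
  @override
  String toString() => 'UnsafePathException: $reason';
}

/// Extensions this hypothetical application accepts as inputs (assumption).
const Set<String> allowedExtensions = {
  '.png', '.jpg', '.jpeg', '.mp4', '.mov', '.wav', '.mp3',
};

/// Basename characters that cannot be confused with FFmpeg filter-graph
/// syntax (':', ',', ';', '[', ']', '=', quotes and backslash are all
/// meaningful to FFmpeg's filter parser).
final RegExp safeBasename = RegExp(r'^[A-Za-z0-9._-]+$');

/// realpath() equivalent: expands '.', '..' and symlinks; the entity must exist.
String _canonical(FileSystemEntity entity) {
  try {
    return entity.resolveSymbolicLinksSync();
  } on FileSystemException catch (e) {
    throw UnsafePathException('cannot resolve ${entity.path}: ${e.message}');
  }
}

/// Returns the canonical absolute path of an existing file under [root],
/// or throws [UnsafePathException]. Only the returned value should ever be
/// passed on to a rendering library.
String validateMediaPath(String userPath, Directory root) {
  if (userPath.isEmpty || userPath.contains('\u0000')) {
    throw UnsafePathException('empty path or embedded NUL');
  }
  final sep = Platform.pathSeparator;
  // Relative input is resolved against the media root, never the process
  // working directory. Absolute input is resolved as-is and then subjected
  // to the same containment check, so it cannot bypass the root.
  final joined =
      userPath.startsWith(sep) ? userPath : '${root.path}$sep$userPath';
  final resolved = _canonical(File(joined));
  final rootResolved = _canonical(root);

  // Path traversal: the canonical file path must stay under the canonical root.
  if (!resolved.startsWith('$rootResolved$sep')) {
    throw UnsafePathException('escapes media root: $resolved');
  }

  final basename = resolved.substring(resolved.lastIndexOf(sep) + 1);
  if (!safeBasename.hasMatch(basename)) {
    throw UnsafePathException('filename contains FFmpeg-special characters');
  }
  final dot = basename.lastIndexOf('.');
  final ext = dot < 0 ? '' : basename.substring(dot).toLowerCase();
  if (!allowedExtensions.contains(ext)) {
    throw UnsafePathException('extension not allowed: "$ext"');
  }
  return resolved;
}

/// Illustrative argv for ffmpeg. Each element reaches the process as one
/// argument (Process.start does not invoke a shell), so shell metacharacters
/// in a path are never interpreted, and because validated paths are absolute
/// they always start with '/' and can never be read as an ffmpeg option.
List<String> buildFfmpegArgs(String input, String output) =>
    ['-nostdin', '-y', '-i', input, '-c:v', 'libx264', output];

void main() {
  // Constructed sample: a throwaway media root holding two real files.
  final root = Directory.systemTemp.createTempSync('media_example_');
  final sep = Platform.pathSeparator;
  File('${root.path}${sep}clip.mp4').writeAsBytesSync([0]);
  File('${root.path}${sep}clip;x.mp4').writeAsBytesSync([0]);

  for (final candidate in [
    'clip.mp4', // accepted: canonical path under the root
    '../../etc/passwd', // traversal; resolves outside the root, rejected
    '/etc/passwd', // absolute path outside the root, rejected
    'clip.mp4;rm -rf /', // no such file, rejected before any ffmpeg call
    'clip;x.mp4', // exists, but ';' is filter-graph syntax, rejected
  ]) {
    try {
      final safe = validateMediaPath(candidate, root);
      print('OK       $candidate -> ${buildFfmpegArgs(safe, 'out.mp4')}');
    } on UnsafePathException catch (e) {
      print('REJECTED $candidate ($e)');
    }
  }
  root.deleteSync(recursive: true);
}
```

The containment check is done on the resolved path, not on the string the user typed, so `..` segments and symlinks that point outside the root are caught the same way. The basename allowlist is deliberately conservative; relax it only for characters you have confirmed the library never embeds in a filter-graph string.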
On web, FFmpeg runs in a sandboxed WebAssembly environment with limited file system access through a virtual file system.