We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
If you discover a security vulnerability within QBox, please report it by emailing the maintainers directly rather than opening a public issue.
Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (optional)
What to expect:
- Acknowledgment of your report within 48 hours
- Regular updates on the progress of addressing the vulnerability
- Credit in the release notes (unless you prefer to remain anonymous)
QBox uses several internal mechanisms that have security implications:
QBox inspects and modifies Python stack frames to replace references after observation. This is an intentional feature but means:
- Code running in the same process can observe values through QBox
- Frame locals are modified through implementation-specific mechanisms
QBox runs a daemon thread with an asyncio event loop. This thread:
- Executes all coroutines submitted to QBox
- Runs until interpreter shutdown
- Has access to any values passed to coroutines
The optional `enable_qbox_isinstance()` feature patches `builtins.isinstance`.
This global modification affects all code in the process.
- Don't wrap sensitive coroutines (e.g., cryptographic operations) in QBox if you're concerned about value inspection
- Use `cancel_on_delete=True` (default) to ensure coroutines are cancelled when QBoxes are garbage collected
- Be cautious with `enable_qbox_isinstance()` in library code - prefer ABC registration with `mimic_type` instead
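Added illustration (not QBox's own code) of the two mechanisms contrasted above, using only the standard library: a process-wide `builtins.isinstance` replacement that every module observes, versus ABC virtual-subclass registration that only affects checks against the registered ABC, plus a check a library can run to detect that a global patch is active. `Wrapper`, `IntLike` and the helper names are hypothetical.

```python
import abc
import builtins
import contextlib

# Captured at import time, before any feature gets a chance to patch it.
_ORIGINAL_ISINSTANCE = builtins.isinstance


def isinstance_is_patched():
    """True if something in this process has replaced builtins.isinstance.
    Library code can run this to learn whether a global patch is active."""
    return builtins.isinstance is not _ORIGINAL_ISINSTANCE


class Wrapper:
    """Hypothetical proxy around a value; stands in for a QBox-like object."""

    def __init__(self, value):
        self.value = value


@contextlib.contextmanager
def global_isinstance_patch(wrapper_cls):
    """Global approach: replace builtins.isinstance so a wrapper reports the
    type of the value it wraps. Every module in the process sees this while
    it is active, which is the process-wide side effect described above."""
    original = builtins.isinstance

    def patched(obj, classinfo):
        if original(obj, wrapper_cls):
            return original(obj.value, classinfo)
        return original(obj, classinfo)

    builtins.isinstance = patched
    try:
        yield
    finally:
        builtins.isinstance = original


class IntLike(abc.ABC):
    """Abstract marker type callers can check against instead of int."""


def register_as(wrapper_cls, abstract_cls):
    """Scoped alternative: ABC virtual-subclass registration. Only checks
    against abstract_cls are affected; builtins.isinstance is untouched."""
    abstract_cls.register(wrapper_cls)
    return abstract_cls


def sees_as_int(obj):
    """Unrelated library code doing an ordinary isinstance check."""
    return isinstance(obj, int)
```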