Security

Overview

docxio enforces security at multiple layers: Rust compiler guarantees, input validation, output sanitization, and CI auditing.

No unsafe code

unsafe_code = "deny" is enforced across all workspace crates. The Rust compiler rejects any unsafe blocks at compile time.

Input validation

Document trees are validated before processing:

Limit	Value	Purpose
Max sections	1,000	Prevent excessive memory allocation
Max blocks	100,000	Bound processing time
Max nesting depth	64	Prevent stack overflow
Max JSON size	50 MB	Limit WASM memory usage

Attribute values (colors, sizes, dimensions, spacing, borders) are validated and clamped to OOXML spec-compliant ranges by the docxio-ooxml::sanitize module.

XML escaping

All user-provided text is escaped via quick-xml before embedding in OOXML. docxio never uses string concatenation to build XML -- all XML is produced through the quick-xml Writer API.

ZIP safety

When processing template .docx files:

Compressed input size limit: 20 MB
Total uncompressed size limit: 200 MB
Path traversal validation: ZIP entry paths are checked for .. and absolute path attacks
Entry count limits: Prevents zip bomb attacks

OOXML sanitization

The sanitize module in docxio-ooxml validates and clamps:

Colors: Must be valid 6-character hex or named colors
Font sizes: Clamped to valid half-point ranges
Dimensions: Twip and EMU values bounded to prevent overflow
Spacing: Before/after/line values clamped to spec limits
Border values: Style, size, and color validated

Dependency auditing

CI runs on every push:

cargo audit -- checks for known vulnerabilities in Rust dependencies
cargo deny check -- enforces license compliance and blocks banned crates
GitHub Actions pinned to commit SHAs to prevent supply chain attacks

Overflow protection

overflow-checks = true is enabled in release builds. Arithmetic overflow panics instead of wrapping silently.

Known limitations

PDF export is not yet functional and should not be used in production
Template patching with structured slots performs lightweight XML serialization outside the WASM boundary. For maximum safety, prefer the full WASM render path
The WASM boundary serializes the full document tree as JSON. Extremely large documents (>50 MB JSON) may cause memory issues in the WASM runtime

Reporting vulnerabilities

If you discover a security vulnerability, please report it responsibly. Do not open a public issue. Instead, email the maintainers directly or use GitHub's private vulnerability reporting feature.

Overview​

No unsafe code​

Input validation​

XML escaping​

ZIP safety​

OOXML sanitization​

Dependency auditing​

Overflow protection​

Known limitations​

Reporting vulnerabilities​