Security: AndreaBonn/cli-image-paste

SECURITY.md

Language: English | Italiano

See also: README (EN) · README (IT)

Security Policy

Supported Versions

Version    Supported
latest     yes

Only the latest release is supported; security fixes are not backported to older releases.

Reporting a Vulnerability

If you discover a security vulnerability in cli-image-paste, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please send an email to the maintainer with:

  1. A description of the vulnerability
  2. Steps to reproduce the issue
  3. The potential impact
  4. Any suggested fix (optional)

You can expect an initial response within 72 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

Security Considerations

This tool interacts with several system-level components. Users should be aware of the following:

Clipboard Access

  • The tool reads image data from the X11 clipboard using xclip
  • Clipboard contents are written to a temporary file under /tmp. /tmp is shared with every other local user, so the file permissions described under Temporary File Handling are what keep the image private
  • Temporary files are deleted automatically once they are older than 7 days; until then a pasted image that contained sensitive material remains on disk

Keystroke Simulation

  • xdotool types the generated file path into the terminal window that was active when the tool was invoked
  • Window focus is recorded before the clipboard is read and restored before typing, so the path goes to that terminal rather than to whatever window happens to be in front at the moment of typing
  • Only the generated file path is typed; no other keystrokes are simulated

Temporary File Handling

  • Files are created with mktemp, which creates the file atomically (O_CREAT|O_EXCL), so a name that a local attacker pre-created or symlinked cannot be opened by mistake between the name check and the write
  • File permissions are set to 600 (owner read/write only)
  • The random 6-character suffix chosen by mktemp makes the filename unpredictable, so another local user cannot guess it in advance
  • Format: /tmp/paste_image_YYYYMMDD_HHMMSS_RANDOM.EXT, where RANDOM is the 6-character mktemp suffix and EXT is the image type
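
The Clipboard Access and Temporary File Handling points above, as an added example that is not the project's own paste-image script: the file is created with mktemp under umask 077 (so it is 0600 from the moment it exists), filled from the X11 clipboard with xclip, and the 7-day sweep removes only this user's paste_image files. It assumes GNU coreutils (mktemp --suffix, find -delete, stat -c) and xclip on PATH; PASTE_TMP_DIR and the --run flag are conveniences for this example, not options of the real tool.

```shell
#!/usr/bin/env bash
# Added example, not the project's paste-image script: atomic 0600 temp file
# with the documented name format, clipboard read via xclip, 7-day purge.
# Assumes GNU coreutils (mktemp --suffix, find -delete, stat -c) and xclip.
set -eu

TMP_DIR="${PASTE_TMP_DIR:-/tmp}"   # PASTE_TMP_DIR is an assumed override for testing

# Create $TMP_DIR/paste_image_YYYYMMDD_HHMMSS_XXXXXX.EXT. mktemp opens the file
# with O_CREAT|O_EXCL, so a pre-planted file or symlink at that name makes the
# call fail instead of being followed; umask 077 makes the file 0600 from birth,
# with no window in which other users of /tmp could read it.
make_paste_tmpfile() {
    local ext="$1"
    case "$ext" in
        png|jpg|gif|bmp|webp) ;;
        *) echo "refusing unexpected extension: $ext" >&2; return 1 ;;
    esac
    local stamp
    stamp="$(date +%Y%m%d_%H%M%S)"
    ( umask 077; mktemp --suffix=".$ext" "$TMP_DIR/paste_image_${stamp}_XXXXXX" )
}

# Map the image target the clipboard offers to an extension; fail if none.
clipboard_image_ext() {
    local targets
    targets="$(xclip -selection clipboard -t TARGETS -o 2>/dev/null || true)"
    case "$targets" in
        *image/png*)  echo png ;;
        *image/jpeg*) echo jpg ;;
        *image/gif*)  echo gif ;;
        *) echo "clipboard holds no image" >&2; return 1 ;;
    esac
}

# Write the clipboard image into a fresh temp file and print its path
# (the path is the only thing the tool ever types into the terminal).
save_clipboard_image() {
    local ext mime file
    ext="$(clipboard_image_ext)"
    case "$ext" in jpg) mime=image/jpeg ;; *) mime="image/$ext" ;; esac
    file="$(make_paste_tmpfile "$ext")"
    xclip -selection clipboard -t "$mime" -o >"$file"
    echo "$file"
}

# Remove this user's paste_image files older than 7 days. -user limits the
# sweep to files we own on a shared /tmp; -maxdepth 1 and -type f keep find
# from descending into, or following, anything another user planted there.
purge_old_tmpfiles() {
    find "$TMP_DIR" -maxdepth 1 -type f -user "$(id -un)" \
         -name 'paste_image_*_??????.*' -mtime +7 -delete
}

# Octal mode of a file, used to check the 0600 guarantee.
file_mode() { stat -c %a "$1"; }

if [ "${1:-}" = "--run" ]; then
    purge_old_tmpfiles
    save_clipboard_image
fi
```

The extension whitelist in make_paste_tmpfile matters because the extension ends up both in a shell command line and in the path that xdotool types: restricting it to known image types keeps an unexpected clipboard target from injecting characters into either.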

Installation

  • The installer may request sudo to install system dependencies via your package manager
  • The main script is installed to ~/.local/bin/ (user space, no root required)
  • GNOME keyboard shortcuts are configured via gsettings (user space)

Logging

  • Logs are stored in ~/.local/state/paste-image/ with user-only permissions
  • Log entries contain the generated file path and a timestamp; clipboard content is never logged
  • Log rotation is enforced to prevent unbounded growth: once the log exceeds 500 lines, only the last 250 are kept
  • Writes are serialised with flock, so concurrent invocations (for example a shortcut pressed twice) cannot interleave lines or corrupt the log
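
The logging behaviour above, as an added example that is not the project's own code: one function appends a timestamped path to the log and rotates it, with both steps under an exclusive flock so two racing invocations cannot interleave or double-rotate, and with newlines stripped from the message so a crafted file name cannot forge extra log lines. It assumes util-linux flock and GNU coreutils; PASTE_LOG_DIR and --demo are conveniences for this example, not options of the real tool.

```shell
#!/usr/bin/env bash
# Added example, not the project's paste-image script: append-only log holding
# only a timestamp and a file path, flock-serialised, rotated 500 -> 250 lines.
# Assumes util-linux flock and GNU coreutils (mktemp, stat -c).
set -eu

LOG_DIR="${PASTE_LOG_DIR:-$HOME/.local/state/paste-image}"   # assumed override
LOG_FILE="$LOG_DIR/paste_image.log"
LOG_MAX=500    # rotate once the log has more lines than this
LOG_KEEP=250   # lines retained after rotation

# Append one line. The append and the rotation both run under an exclusive
# lock on a lock file beside the log, so two invocations racing each other
# cannot interleave a line or both rotate at once. Newlines in the message are
# flattened so a crafted file name cannot forge additional log entries.
log_event() {
    local msg
    msg="$(printf '%s' "$1" | tr '\n' ' ')"
    ( umask 077; mkdir -p "$LOG_DIR" )
    (
        exec 9>>"$LOG_FILE.lock"
        flock -w 5 9 || { echo "log lock timeout" >&2; exit 1; }
        ( umask 077; printf '%s %s\n' "$(date +%Y-%m-%dT%H:%M:%S%z)" "$msg" >>"$LOG_FILE" )
        rotate_log_locked
    )
}

# Caller must hold the lock. Writes the newest LOG_KEEP lines to a 0600 temp
# file in the same directory and renames it over the log; the rename is atomic,
# so a reader running cat on the log never sees a half-written file.
rotate_log_locked() {
    [ -f "$LOG_FILE" ] || return 0
    local lines tmp
    lines=$(( $(wc -l <"$LOG_FILE") ))
    [ "$lines" -gt "$LOG_MAX" ] || return 0
    tmp="$(umask 077; mktemp "$LOG_DIR/.rotate.XXXXXX")"
    tail -n "$LOG_KEEP" "$LOG_FILE" >"$tmp"
    mv -f "$tmp" "$LOG_FILE"
}

# Current line count of the log (0 if it does not exist yet).
log_line_count() {
    if [ -f "$LOG_FILE" ]; then echo $(( $(wc -l <"$LOG_FILE") )); else echo 0; fi
}

if [ "${1:-}" = "--demo" ]; then
    log_event "saved /tmp/paste_image_example.png"
    echo "log has $(log_line_count) line(s)"
fi
```

Locking a separate lock file rather than the log itself is deliberate: rotation replaces the log's inode, and a writer that had locked the old inode would otherwise keep writing into the unlinked file.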

Best Practices for Users

  • Review the script before installation: cat install.sh and cat paste-image
  • Keep your system dependencies updated
  • Use a dedicated clipboard manager if you handle sensitive data frequently
  • The tool only operates under X11 — Wayland is not supported
  • Temporary files are automatically cleaned after 7 days
  • Check logs periodically: cat ~/.local/state/paste-image/paste_image.log
  • Run the test suite to verify integrity: bash tests/run_tests.sh