shellhist-forensic is designed to parse untrusted shell command-history files — including those acquired from compromised or actively hostile systems. Hostile input is the expected case, not an edge case. Robustness against crafted history files, malformed records, and garbled encodings is a core design goal, and we take reports of crashes, hangs, or memory-safety issues seriously.

Security fixes are released against the latest published 0.1.x line.

Do not open a public GitHub issue for a security vulnerability.

Report privately, by either:

• GitHub Security Advisories — open a private advisory on the shellhist-forensic repository, or
• Email — albert@securityronin.com.

Please include:

• the affected version and target triple,
• a minimal reproducing history file or byte buffer (a fuzz corpus entry is ideal),
• the observed behaviour (panic, hang, excessive allocation, mis-parse) and the expected behaviour.

We aim to acknowledge a report within a few business days and to coordinate disclosure once a fix is available.

shellhist-forensic is hardened against adversarial input by construction:

• #![forbid(unsafe_code)] across both crates — no unsafe, no C bindings, no FFI, anywhere.
• No panics on malicious input — parsing is lenient (lossy UTF-8) and bounds-checked; a truncated or garbled file degrades to plain lines rather than crashing. Arithmetic is checked or saturating.
• Bounded reads — line and record scanning is bounded; the reader refuses to spin on a non-terminating record.
• Fail loud where it matters — a genuine error surfaces with context rather than as a silent default or a silently-wrong parse.

Continuous fuzzing with cargo-fuzz backs the hardening above. Five targets cover the parsers that consume attacker-controlled bytes:

Panics found by fuzzing are fixed and pinned as regression tests.

For how to run the targets yourself, see CONTRIBUTING.md.