From 4a6e6a7a21caeb57f0d965271da9e8e19dd9fc24 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Thu, 10 Aug 2023 11:06:16 +0200 Subject: [PATCH] Add a note about Mock classes not considered for security issues --- contributing/code/security.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index b8e7bea3f6a..7c57e8929e6 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -21,6 +21,10 @@ email for confirmation): production (including the web profiler or anything enabled when ``APP_DEBUG`` is set to ``true`` or ``APP_ENV`` set to anything but ``prod``); +* Any security issues found in classes provided to help fo testing that should + never be used in production (like for instance mock classes that contain + ``Mock`` in their name); + * Any fix that can be classified as **security hardening** like route enumeration, login throttling bypasses, denial of service attacks, timing attacks, or lack of ``SensitiveParameter`` attributes.
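Review bot: the added bullet in the hunk has a typo, "classes provided to help fo testing" should read "classes provided to help for testing"; "like for instance mock classes" is also redundant and reads better as "such as mock classes". Since the exclusion is keyed on the class name containing ``Mock``, it may be worth adding that the deciding criterion is that the class is intended for testing only and must never be used in production, so that a test helper without ``Mock`` in its name is still covered and readers do not treat the name pattern as the definition.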