SimaticML Decoder is an Alpha-status, single-maintainer project. Only the latest release on PyPI and the main branch are supported:
- Latest release version (see PyPI: https://pypi.org/project/simaticml-decoder/)
mainbranch (pre-release, development)
No long-term support (LTS) branches or backports are provided.
The decoder is designed to safely process untrusted SimaticML exports. Key security commitments:
- Accepts regular UTF-8
.xmlfiles only; rejects direct and discovered symlinks,.s7dcl,.s7res, and other file types. - Rejects symlinks, junctions, reparse points, and mount points during directory discovery:
- Windows: Handle-anchored traversal via native NT handles; child files are opened relative to parent directory handles, never by re-resolving paths.
- POSIX: File descriptor relative operations (
os.supports_dir_fd) andO_NOFOLLOWflags. Platforms without these features reject directory input outright.
Enforced per-document and per-tree to prevent resource exhaustion:
- File size: 10 MiB per file
- Tree cardinality: 10,000 XML files max, 32 directory levels max
- XML structure: 100,000 elements max, 256 nesting levels max, 100 attributes per element max, 1 MiB text per element max
- Networks: 1,000
FlgNetnetworks per document max
Inputs are rejected entirely, never truncated.
Default diagnostics use:
- Stable diagnostic codes (never raw parser output)
- Basenames only (no absolute paths)
- Single-line bounded detail (no control characters)
Folding and emission failures are isolated per file so processing can continue on valid files in the same batch.
Do not open a public GitHub issue for security vulnerabilities.
Report security vulnerabilities privately via GitHub's security advisory form:
https://github.com/Czarnak/simaticml-decoder/security/advisories/new
Provide:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
As a solo-maintained Alpha project, there is no formal SLA. However, the maintainer will:
- Confirm receipt and triage within a reasonable timeframe
- Provide a fix or mitigation plan for confirmed vulnerabilities
- Credit you in the fix commit if desired
For general questions about security, open an issue on GitHub (not a security advisory).