Skip to content

Commit

Permalink
doc: add check for security reverts
Browse files Browse the repository at this point in the history
- Add step to check that any PRs with breaking changes
  have command line options to revert
- Add info on how to easily add command line option
  to revert a breaking change related to a CVE

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#51376
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
  • Loading branch information
mhdawson authored and marco-ippolito committed Jan 10, 2024
1 parent 0cd43ea commit ea10bee
Showing 1 changed file with 50 additions and 0 deletions.
50 changes: 50 additions & 0 deletions doc/contributing/security-release-process.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js

* [ ] Check that all vulnerabilities are ready for release integration:
* PRs against all affected release lines or cherry-pick clean
* PRs with breaking changes have a
[--security-revert](#Adding-a-security-revert-option) option if possible.
* Approved
* (optional) Approved by the reporter
* Build and send the binary to the reporter according to its architecture
Expand Down Expand Up @@ -223,6 +225,54 @@ out a better way, forward the email you receive to
[Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
If necessary add the next rotation of the steward rotation.

## Adding a security revert option

Breaking changes are allowed in existing LTS lines in order to fix
important security vulnerabilities. When breaking changes are made
it is important to provide a command line option that restores
the original behaviour.

The existing Node.js codebase supports the command line
option `--security-revert` and has the boilerplate to make additions
for a specific CVE easy.

To add an option to revert for a CVE, for example `CVE-2024-1234`
simply add this line to
[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h)

```c
XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve")
```
This will allow an easy check of whether a reversion has been
requested or not.
In JavaScript code you can check:
```js
if (process.REVERT_CVE_2024_1234);
```

In C/C++ code you can check:

```c
IsReverted(SECURITY_REVERT_CVE_2024_1234)
```
From the command line a user can request the revert by using
the `--security-revert` option as follows:
```console
node --security-revert=CVE-2024-1234
```

If there are multiple security reverts then multiple instances
of --security-revert can be used. For example:

```console
node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX
```

## When things go wrong

### Incomplete fixes
Expand Down

0 comments on commit ea10bee

Please sign in to comment.