Skip to content

Commit

Permalink
Update SECURITY.md
Browse files Browse the repository at this point in the history
  • Loading branch information
Trott authored and RafaelGSS committed Nov 9, 2022
1 parent 6b4b830 commit 5ba7ef6
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -93,9 +93,9 @@ Vulnerabilities related to this case may be fixed by a documentation update.
2. The operating system that Node.js is running under and its configuration,
along with anything under control of the operating system.
3. The code it is asked to run including JavaScript and native code, even if
said code is dynamically loaded, e.g. all dependencies installed from the npm registry.
The code run inherits all the privileges of
the execution user.
said code is dynamically loaded, e.g. all dependencies installed from the
npm registry.
The code run inherits all the privileges of the execution user.
4. Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations.
5. Any connection used for inspector (debugger protocol) regardless of being
Expand Down Expand Up @@ -125,20 +125,20 @@ the community they pose.
in certficates used to connect to an https endpoint. If certificates can be
crafted which result in incorrect validation by the Node.js APIs that is
considered a vulnerability.

#### Inconsistent Interpretation of HTTP Requests (CWE-444)

* Node.js provides APIs to accept http connections. Those APIs parse the
headers received for a connection and pass them on to the application.
Bugs in parsing those headers which can result in request smuggling are
considered vulnerabilities.

#### Missing Cryptographic Step (CWE-325)

* Node.js provides APIs to encrypt data. Bugs that would allow an attacker
to get the orginal data without requiring the encryption key are
considered vulnerabilities.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is not documented
Expand All @@ -163,7 +163,7 @@ the community they pose.
* Node.js trusts the file system in the environment accessible to it.
Therefore, it is not a vulnerability if it accesses/loads files from any path
that is accessible to it.

#### External Control of System or Configuration Setting (CWE-15)

* If Node.js automatically loads a configuration file which is documented
Expand Down

0 comments on commit 5ba7ef6

Please sign in to comment.