doc: add Node.js Threat Model #45223

RafaelGSS · 2022-10-28T13:48:00Z

Reference: nodejs/security-wg#799
Following up: nodejs/nodejs.org#4896

This is another Security WG initiative. We've been actively working on that and finally, we have something to share.

This document was created aiming to provide context on what will/will not be considered a vulnerability in Node.js, targeting Security Researchers, as well as serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

cc: @nodejs/security @nodejs/security-wg @nodejs/tsc

Co-authored-by: Michael Dawson midawson@redhat.com
Co-authored-by: Facundo Tuesca facundo.tuesca@trailofbits.com
Co-authored-by: Ulises Gascon UlisesGascon@users.noreply.github.com
Co-authored-by: Thomas Gentilhomme gentilhomme.thomas@gmail.com

RafaelGSS · 2022-10-28T13:51:07Z

SECURITY.md

+performance.
+
+If Node.js loads configuration files or runs code by default (without a
+specific request from the user), and this is not documented, it is considered a


We're assessing if that's a blocker for this PR or it can land without a documentation update for now.

My current take is that we are documenting/agreeing on what we should do with vulnerabilty reports. As soon as we agree I'm thinking we should take reports, I don't think we load all that many files and if we don't have them documented and people want to help identify them for us, that's not necessarily bad.

SECURITY.md

mhdawson · 2022-10-31T18:34:20Z

Putting on TSC agenda for awareness.

mcollina

Can you please list some good examples of vulnerabilities?

SECURITY.md

mhdawson · 2022-11-03T20:48:47Z

@RafaelGSS sorry I meant to add the examples as a set of suggested changes but ended up pushing directly.

mhdawson · 2022-11-03T20:49:32Z

@mcollina added examples as requested.

SECURITY.md

Co-authored-by: Michael Dawson <midawson@redhat.com> Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> Co-authored-by: Ulises Gascon <UlisesGascon@users.noreply.github.com> Co-authored-by: Thomas Gentilhomme <gentilhomme.thomas@gmail.com>

nodejs-github-bot · 2022-11-21T11:13:50Z

Landed in 487fa8a

Refs: nodejs#45223

Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <harshitha014@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>

Co-authored-by: Michael Dawson <midawson@redhat.com> Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> Co-authored-by: Ulises Gascon <UlisesGascon@users.noreply.github.com> Co-authored-by: Thomas Gentilhomme <gentilhomme.thomas@gmail.com> PR-URL: #45223 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>

Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <harshitha014@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>

Co-authored-by: Michael Dawson <midawson@redhat.com> Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> Co-authored-by: Ulises Gascon <UlisesGascon@users.noreply.github.com> Co-authored-by: Thomas Gentilhomme <gentilhomme.thomas@gmail.com> PR-URL: nodejs#45223 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>

Refs: nodejs#45223 PR-URL: nodejs#45558 Reviewed-By: Harshitha K P <harshitha014@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>