
doc: add Node.js Threat Model #45223

Merged
merged 1 commit into from
Nov 21, 2022

Conversation

RafaelGSS
Copy link
Member

Reference: nodejs/security-wg#799
Following up: nodejs/nodejs.org#4896

This is another Security WG initiative. We've been actively working on that and finally, we have something to share.

This document was created aiming to provide context on what will/will not be considered a vulnerability in Node.js, targeting Security Researchers, as well as serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

cc: @nodejs/security @nodejs/security-wg @nodejs/tsc

Co-authored-by: Michael Dawson midawson@redhat.com
Co-authored-by: Facundo Tuesca facundo.tuesca@trailofbits.com
Co-authored-by: Ulises Gascon UlisesGascon@users.noreply.github.com
Co-authored-by: Thomas Gentilhomme gentilhomme.thomas@gmail.com

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Oct 28, 2022
performance.

If Node.js loads configuration files or runs code by default (without a
specific request from the user), and this is not documented, it is considered a
RafaelGSS (Member Author)


We're assessing if that's a blocker for this PR or it can land without a documentation update for now.

mhdawson (Member)


My current take is that we are documenting/agreeing on what we should do with vulnerability reports. As soon as we agree I'm thinking we should take reports. I don't think we load all that many files, and if we don't have them documented and people want to help identify them for us, that's not necessarily bad.

@mhdawson mhdawson added the tsc-agenda Issues and PRs to discuss during the meetings of the TSC. label Oct 31, 2022
@mhdawson
Member

Putting on TSC agenda for awareness.


@mcollina mcollina left a comment


Can you please list some good examples of vulnerabilities?

@mhdawson
Member

mhdawson commented Nov 3, 2022

@RafaelGSS sorry I meant to add the examples as a set of suggested changes but ended up pushing directly.

@mhdawson
Member

mhdawson commented Nov 3, 2022

@mcollina added examples as requested.

Co-authored-by: Michael Dawson <midawson@redhat.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: Ulises Gascon <UlisesGascon@users.noreply.github.com>
Co-authored-by: Thomas Gentilhomme <gentilhomme.thomas@gmail.com>
@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 21, 2022
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Nov 21, 2022
@nodejs-github-bot nodejs-github-bot merged commit 487fa8a into nodejs:main Nov 21, 2022
@nodejs-github-bot
Collaborator

Landed in 487fa8a

tniessen added a commit to tniessen/node that referenced this pull request Nov 21, 2022
nodejs-github-bot pushed a commit that referenced this pull request Nov 21, 2022
Refs: #45223
PR-URL: #45558
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
ruyadorno pushed a commit that referenced this pull request Nov 21, 2022
Co-authored-by: Michael Dawson <midawson@redhat.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: Ulises Gascon <UlisesGascon@users.noreply.github.com>
Co-authored-by: Thomas Gentilhomme <gentilhomme.thomas@gmail.com>
PR-URL: #45223
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
ruyadorno pushed a commit that referenced this pull request Nov 21, 2022
marco-ippolito pushed a commit to marco-ippolito/node that referenced this pull request Nov 23, 2022
marco-ippolito pushed a commit to marco-ippolito/node that referenced this pull request Nov 23, 2022
@ruyadorno ruyadorno mentioned this pull request Nov 24, 2022
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
danielleadams pushed a commit that referenced this pull request Dec 30, 2022
danielleadams pushed a commit that referenced this pull request Jan 3, 2023
danielleadams pushed a commit that referenced this pull request Jan 3, 2023
danielleadams pushed a commit that referenced this pull request Jan 4, 2023
danielleadams pushed a commit that referenced this pull request Jan 4, 2023
danielleadams pushed a commit that referenced this pull request Jan 5, 2023
danielleadams pushed a commit that referenced this pull request Jan 5, 2023
Labels
doc Issues and PRs related to the documentations.