Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: add check for security reverts #51376

Closed
wants to merge 3 commits into from
Closed

doc: add check for security reverts #51376

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d1c2716
doc: add check for security reverts
mhdawson Jan 4, 2024
0ac0754
Update doc/contributing/security-release-process.md
mhdawson Jan 5, 2024
6d54240
address comments
mhdawson Jan 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions doc/contributing/security-release-process.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js

* [ ] Check that all vulnerabilities are ready for release integration:
* PRs against all affected release lines or cherry-pick clean
* PRs with breaking changes have a
[--security-revert](#Adding-a-security-revert-option) option if possible.
* Approved
* (optional) Approved by the reporter
* Build and send the binary to the reporter according to its architecture
Expand Down Expand Up @@ -223,6 +225,54 @@ out a better way, forward the email you receive to
[Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
If necessary add the next rotation of the steward rotation.

## Adding a security revert option

Breaking changes are allowed in existing LTS lines in order to fix
important security vulnerabilities. When breaking changes are made
it is important to provide a command line option that restores
the original behaviour.

The existing Node.js codebase supports the command line
option `--security-revert` and has the boilerplate to make additions
for a specific CVE easy.

To add an option to revert for a CVE, for example `CVE-2024-1234`
simply add this line to
[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h)

```c
XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve")
```
This will allow an easy check of whether a reversion has been
requested or not.
In JavaScript code you can check:
```js
if (process.REVERT_CVE_2024_1234);
```

In C/C++ code you can check:

```c
IsReverted(SECURITY_REVERT_CVE_2024_1234)
```
From the command line a user can request the revert by using
the `--security-revert` option as follows:
```console
node --security-revert=CVE-2024-1234
```

If there are multiple security reverts then multiple instances
of --security-revert can be used. For example:

```console
node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX
```

## When things go wrong

### Incomplete fixes
Expand Down