-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: add Node.js Threat Model #45223
Conversation
performance. | ||
|
||
If Node.js loads configuration files or runs code by default (without a | ||
specific request from the user), and this is not documented, it is considered a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're assessing if that's a blocker for this PR or it can land without a documentation update for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My current take is that we are documenting/agreeing on what we should do with vulnerabilty reports. As soon as we agree I'm thinking we should take reports, I don't think we load all that many files and if we don't have them documented and people want to help identify them for us, that's not necessarily bad.
fc174c7
to
11b5dfb
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
11b5dfb
to
2626cbd
Compare
Putting on TSC agenda for awareness. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please list some good examples of vulnerabilities?
@RafaelGSS sorry I meant to add the examples as a set of suggested changes but ended up pushing directly. |
@mcollina added examples as requested. |
5ba7ef6
to
0216617
Compare
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]>
2da87c8
to
8e7ea63
Compare
Landed in 487fa8a |
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: nodejs#45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: nodejs#45223 PR-URL: nodejs#45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Co-authored-by: Michael Dawson <[email protected]> Co-authored-by: Facundo Tuesca <[email protected]> Co-authored-by: Ulises Gascon <[email protected]> Co-authored-by: Thomas Gentilhomme <[email protected]> PR-URL: #45223 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Refs: #45223 PR-URL: #45558 Reviewed-By: Harshitha K P <[email protected]> Reviewed-By: Darshan Sen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Reference: nodejs/security-wg#799
Following up: nodejs/nodejs.org#4896
This is another Security WG initiative. We've been actively working on that and finally, we have something to share.
This document was created aiming to provide context on what will/will not be considered a vulnerability in Node.js, targeting Security Researchers, as well as serve as a guide for application security operations in support of development teams building on top of the Node.js platform.
cc: @nodejs/security @nodejs/security-wg @nodejs/tsc
Co-authored-by: Michael Dawson [email protected]
Co-authored-by: Facundo Tuesca [email protected]
Co-authored-by: Ulises Gascon [email protected]
Co-authored-by: Thomas Gentilhomme [email protected]