Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: use <ul> instead of <ol> in SECURITY.md #56346

Merged
merged 1 commit into from
Dec 25, 2024
Merged

doc: use <ul> instead of <ol> in SECURITY.md #56346

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 34 additions & 34 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.

**Node.js does NOT trust**:

1. Data received from the remote end of inbound network connections
that are accepted through the use of Node.js APIs and
which is transformed/validated by Node.js before being passed
to the application. This includes:
* HTTP APIs (all flavors) server APIs.
2. The data received from the remote end of outbound network connections
that are created through the use of Node.js APIs and
which is transformed/validated by Node.js before being passed
to the application EXCEPT with respect to payload length. Node.js trusts
that applications make connections/requests which will avoid payload
sizes that will result in a Denial of Service.
* HTTP APIs (all flavors) client APIs.
* DNS APIs.
3. Consumers of data protected through the use of Node.js APIs (for example,
people who have access to data encrypted through the Node.js crypto APIs).
4. The file content or other I/O that is opened for reading or writing by the
use of Node.js APIs (ex: stdin, stdout, stderr).
* Data received from the remote end of inbound network connections
that are accepted through the use of Node.js APIs and
which is transformed/validated by Node.js before being passed
to the application. This includes:
* HTTP APIs (all flavors) server APIs.
* The data received from the remote end of outbound network connections
that are created through the use of Node.js APIs and
which is transformed/validated by Node.js before being passed
to the application EXCEPT with respect to payload length. Node.js trusts
that applications make connections/requests which will avoid payload
sizes that will result in a Denial of Service.
* HTTP APIs (all flavors) client APIs.
* DNS APIs.
* Consumers of data protected through the use of Node.js APIs (for example,
people who have access to data encrypted through the Node.js crypto APIs).
* The file content or other I/O that is opened for reading or writing by the
use of Node.js APIs (ex: stdin, stdout, stderr).

In other words, if the data passing through Node.js to/from the application
can trigger actions other than those documented for the APIs, there is likely
Expand All @@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.

**Node.js trusts everything else**. Examples include:

1. The developers and infrastructure that runs it.
2. The operating system that Node.js is running under and its configuration,
along with anything under control of the operating system.
3. The code it is asked to run, including JavaScript, WASM and native code, even
if said code is dynamically loaded, e.g., all dependencies installed from the
npm registry.
The code run inherits all the privileges of the execution user.
4. Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations,
e.g. the input to `JSON.parse()`.
5. Any connection used for inspector (debugger protocol) regardless of being
opened by command line options or Node.js APIs, and regardless of the remote
end being on the local machine or remote.
6. The file system when requiring a module.
See <https://nodejs.org/api/modules.html#all-together>.
7. The `node:wasi` module does not currently provide the comprehensive file
system security properties provided by some WASI runtimes.
* The developers and infrastructure that runs it.
* The operating system that Node.js is running under and its configuration,
along with anything under control of the operating system.
* The code it is asked to run, including JavaScript, WASM and native code, even
if said code is dynamically loaded, e.g., all dependencies installed from the
npm registry.
The code run inherits all the privileges of the execution user.
* Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations,
e.g. the input to `JSON.parse()`.
* Any connection used for inspector (debugger protocol) regardless of being
opened by command line options or Node.js APIs, and regardless of the remote
end being on the local machine or remote.
* The file system when requiring a module.
See <https://nodejs.org/api/modules.html#all-together>.
* The `node:wasi` module does not currently provide the comprehensive file
system security properties provided by some WASI runtimes.

Any unexpected behavior from the data manipulation from Node.js Internal
functions may be considered a vulnerability if they are exploitable via
Expand Down
Loading