node/doc/contributing/security-model-strategy.md

# Security Model Strategy

A clear security model, with features like permissions and policy enforcement,
is a
[top technical priority](https://github.com/nodejs/node/blob/HEAD/doc/contributing/technical-priorities.md#permissionspoliciessecurity-model)
of Node.js.

## High-level approach

* Document the security model
* Document threat models and current state of the art
* Support experimentation on features like permissions and policies
* Add a security component in Node.js certification covering
  the Node.js security model

### Document the security model

The current security model for Node.js is not yet well documented.
At a high level it is:

* Node.js does not provide a sandbox, both the JavaScript and
  native code which is run is trusted to not be malicious.
* The project works to help code running on top of Node.js to avoid
  making mistakes, but not doing so is not considered a
  vulnerability in Node.js. Just because you can build something
  vulnerable with the APIs does not mean there is a vulnerability
  in Node.js itself.

The project has a goal to better document the security model
and this section will be expanded when that happens.

Once the security model is documented the project will work
to add a security component in Node.js certification covering
the Node.js security model.

### Document threat models and current state of the art

Node.js is used in several different use cases and the
threats may be different in each use case. The project
should document the threat models and use that to
help define the security model in the context of each
of these use cases.

This section will be expanded as the use case/threat
models are defined. The initial list includes:

* Server
* Desktop application
* Cli
* Single executable application
* CI/CD pipeline components

### Support experimentation on features like permissions

The project is not currently planning to provide supported
sandbox functionality, but wants to support experimentation on
related features like permission enforcement.

Features in this category should:

* be opt-in, and additional overhead when not enabled must be low
* limit change in core to just what is needed to enable experimentation
doc: initial version of security-model-strategy.md Added initial strategy based on discussion in the next-10 mini-summit - https://github.com/nodejs/next-10/blob/main/meetings/summit-apr-2022.md Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: https://github.com/nodejs/node/pull/42709 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Bryan English <bryan@bryanenglish.com> 2022-04-13 00:03:01 +08:00			`# Security Model Strategy`

			`A clear security model, with features like permissions and policy enforcement,`
			`is a`
doc: fixup after rename of primary nodejs branch Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: https://github.com/nodejs/node/pull/43453 Reviewed-By: LiviaMedeiros <livia@cirno.name> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2022-06-17 03:57:30 +08:00			`[top technical priority](https://github.com/nodejs/node/blob/HEAD/doc/contributing/technical-priorities.md#permissionspoliciessecurity-model)`
doc: initial version of security-model-strategy.md Added initial strategy based on discussion in the next-10 mini-summit - https://github.com/nodejs/next-10/blob/main/meetings/summit-apr-2022.md Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: https://github.com/nodejs/node/pull/42709 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Bryan English <bryan@bryanenglish.com> 2022-04-13 00:03:01 +08:00			`of Node.js.`

			`## High-level approach`

			`* Document the security model`
			`* Document threat models and current state of the art`
			`* Support experimentation on features like permissions and policies`
			`* Add a security component in Node.js certification covering`
			`the Node.js security model`

			`### Document the security model`

			`The current security model for Node.js is not yet well documented.`
			`At a high level it is:`

			`* Node.js does not provide a sandbox, both the JavaScript and`
			`native code which is run is trusted to not be malicious.`
			`* The project works to help code running on top of Node.js to avoid`
			`making mistakes, but not doing so is not considered a`
			`vulnerability in Node.js. Just because you can build something`
			`vulnerable with the APIs does not mean there is a vulnerability`
			`in Node.js itself.`

			`The project has a goal to better document the security model`
			`and this section will be expanded when that happens.`

			`Once the security model is documented the project will work`
			`to add a security component in Node.js certification covering`
			`the Node.js security model.`

			`### Document threat models and current state of the art`

			`Node.js is used in several different use cases and the`
			`threats may be different in each use case. The project`
			`should document the threat models and use that to`
			`help define the security model in the context of each`
			`of these use cases.`

			`This section will be expanded as the use case/threat`
			`models are defined. The initial list includes:`

			`* Server`
			`* Desktop application`
			`* Cli`
			`* Single executable application`
			`* CI/CD pipeline components`

doc: remove mentions of policy model from security info PR-URL: https://github.com/nodejs/node/pull/53249 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2024-06-08 08:39:52 +08:00			`### Support experimentation on features like permissions`
doc: initial version of security-model-strategy.md Added initial strategy based on discussion in the next-10 mini-summit - https://github.com/nodejs/next-10/blob/main/meetings/summit-apr-2022.md Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: https://github.com/nodejs/node/pull/42709 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Bryan English <bryan@bryanenglish.com> 2022-04-13 00:03:01 +08:00
			`The project is not currently planning to provide supported`
			`sandbox functionality, but wants to support experimentation on`
doc: remove mentions of policy model from security info PR-URL: https://github.com/nodejs/node/pull/53249 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2024-06-08 08:39:52 +08:00			`related features like permission enforcement.`
doc: initial version of security-model-strategy.md Added initial strategy based on discussion in the next-10 mini-summit - https://github.com/nodejs/next-10/blob/main/meetings/summit-apr-2022.md Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: https://github.com/nodejs/node/pull/42709 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Bryan English <bryan@bryanenglish.com> 2022-04-13 00:03:01 +08:00
			`Features in this category should:`

			`* be opt-in, and additional overhead when not enabled must be low`
			`* limit change in core to just what is needed to enable experimentation`