diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index fa94d25e6fc..44087820699 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js * [ ] Check that all vulnerabilities are ready for release integration: * PRs against all affected release lines or cherry-pick clean + * PRs with breaking changes have a + [--security-revert](#Adding-a-security-revert-option) option if possible. * Approved * (optional) Approved by the reporter * Build and send the binary to the reporter according to its architecture @@ -223,6 +225,54 @@ out a better way, forward the email you receive to [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards). If necessary add the next rotation of the steward rotation. +## Adding a security revert option + +Breaking changes are allowed in existing LTS lines in order to fix +important security vulnerabilities. When breaking changes are made +it is important to provide a command line option that restores +the original behaviour. + +The existing Node.js codebase supports the command line +option `--security-revert` and has the boilerplate to make additions +for a specific CVE easy. + +To add an option to revert for a CVE, for example `CVE-2024-1234` +simply add this line to +[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h) + +```c + XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve") +``` + +This will allow an easy check of whether a reversion has been +requested or not. + +In JavaScript code you can check: + +```js +if (process.REVERT_CVE_2024_1234); +``` + +In C/C++ code you can check: + +```c +IsReverted(SECURITY_REVERT_CVE_2024_1234) +``` + +From the command line a user can request the revert by using +the `--security-revert` option as follows: + +```console +node --security-revert=CVE-2024-1234 +``` + +If there are multiple security reverts then multiple instances +of --security-revert can be used. For example: + +```console +node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX +``` + ## When things go wrong ### Incomplete fixes