daohualiuxiang
/
node
mirror of https://github.com/nodejs/node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: add note on weakness of permission model 

Malicious JavaScript code can bypass the permission model. Hence, it
does not fulfill the requirements of a security mechanism against
malicious code.

PR-URL: https://github.com/nodejs/node/pull/54268
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
pull/54422/head
Tobias Nießen 2024-08-17 15:03:21 +02:00 committed by GitHub
parent e4f61de14f
commit 97f39eb50a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/api/permissions.md
View File

@ -9,6 +9,15 @@ with those resources.
The resource can be entirely allowed or denied, or actions related to it can The resource can be entirely allowed or denied, or actions related to it can
be controlled. For example, file system reads can be allowed while denying be controlled. For example, file system reads can be allowed while denying
writes. writes.
This feature does not protect against malicious code. According to the Node.js
[Security Policy][], Node.js trusts any code it is asked to run.
The permission model implements a "seat belt" approach, which prevents trusted
code from unintentionally changing files or using resources that access has
not explicitly been granted to. It does not provide security guarantees in the
presence of malicious code. Malicious code can bypass the permission model and
execute arbitrary code without the restrictions imposed by the permission
model.
If you find a potential security vulnerability, please refer to our If you find a potential security vulnerability, please refer to our
[Security Policy][]. [Security Policy][].