mirror of https://github.com/nodejs/node.git
doc: use `<ul>` instead of `<ol>` in `SECURITY.md`
PR-URL: https://github.com/nodejs/node/pull/56346
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Qingyu Deng <i@ayase-lab.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
parent 7ca753166f
commit f9fb410f88
68
SECURITY.md
|
@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.
|
|||
|
||||
**Node.js does NOT trust**:
|
||||
|
||||
1. Data received from the remote end of inbound network connections
|
||||
that are accepted through the use of Node.js APIs and
|
||||
which is transformed/validated by Node.js before being passed
|
||||
to the application. This includes:
|
||||
* HTTP APIs (all flavors) server APIs.
|
||||
2. The data received from the remote end of outbound network connections
|
||||
that are created through the use of Node.js APIs and
|
||||
which is transformed/validated by Node.js before being passed
|
||||
to the application EXCEPT with respect to payload length. Node.js trusts
|
||||
that applications make connections/requests which will avoid payload
|
||||
sizes that will result in a Denial of Service.
|
||||
* HTTP APIs (all flavors) client APIs.
|
||||
* DNS APIs.
|
||||
3. Consumers of data protected through the use of Node.js APIs (for example,
|
||||
people who have access to data encrypted through the Node.js crypto APIs).
|
||||
4. The file content or other I/O that is opened for reading or writing by the
|
||||
use of Node.js APIs (ex: stdin, stdout, stderr).
|
||||
* Data received from the remote end of inbound network connections
|
||||
that are accepted through the use of Node.js APIs and
|
||||
which is transformed/validated by Node.js before being passed
|
||||
to the application. This includes:
|
||||
* HTTP APIs (all flavors) server APIs.
|
||||
* The data received from the remote end of outbound network connections
|
||||
that are created through the use of Node.js APIs and
|
||||
which is transformed/validated by Node.js before being passed
|
||||
to the application EXCEPT with respect to payload length. Node.js trusts
|
||||
that applications make connections/requests which will avoid payload
|
||||
sizes that will result in a Denial of Service.
|
||||
* HTTP APIs (all flavors) client APIs.
|
||||
* DNS APIs.
|
||||
* Consumers of data protected through the use of Node.js APIs (for example,
|
||||
people who have access to data encrypted through the Node.js crypto APIs).
|
||||
* The file content or other I/O that is opened for reading or writing by the
|
||||
use of Node.js APIs (ex: stdin, stdout, stderr).
|
||||
|
||||
In other words, if the data passing through Node.js to/from the application
|
||||
can trigger actions other than those documented for the APIs, there is likely
|
||||
|
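Review bot: In the second bullet of the "does NOT trust" list, the nested `* HTTP APIs (all flavors) client APIs.` and `* DNS APIs.` entries follow the payload-length sentence with no lead-in, whereas the first bullet introduces its sub-list with "This includes:". Now that parent and nested items use the same `*` marker, consider adding "This includes:" before the client/DNS sub-list so it reads as belonging to the outbound-connection item rather than as two further untrusted sources. Separately, the first bullet opens with "Data received" and the second with "The data received"; aligning the two would be a cheap fix while these lines are being touched.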
@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.
|
|||
|
||||
**Node.js trusts everything else**. Examples include:
|
||||
|
||||
1. The developers and infrastructure that runs it.
|
||||
2. The operating system that Node.js is running under and its configuration,
|
||||
along with anything under control of the operating system.
|
||||
3. The code it is asked to run, including JavaScript, WASM and native code, even
|
||||
if said code is dynamically loaded, e.g., all dependencies installed from the
|
||||
npm registry.
|
||||
The code run inherits all the privileges of the execution user.
|
||||
4. Inputs provided to it by the code it is asked to run, as it is the
|
||||
responsibility of the application to perform the required input validations,
|
||||
e.g. the input to `JSON.parse()`.
|
||||
5. Any connection used for inspector (debugger protocol) regardless of being
|
||||
opened by command line options or Node.js APIs, and regardless of the remote
|
||||
end being on the local machine or remote.
|
||||
6. The file system when requiring a module.
|
||||
See <https://nodejs.org/api/modules.html#all-together>.
|
||||
7. The `node:wasi` module does not currently provide the comprehensive file
|
||||
system security properties provided by some WASI runtimes.
|
||||
* The developers and infrastructure that runs it.
|
||||
* The operating system that Node.js is running under and its configuration,
|
||||
along with anything under control of the operating system.
|
||||
* The code it is asked to run, including JavaScript, WASM and native code, even
|
||||
if said code is dynamically loaded, e.g., all dependencies installed from the
|
||||
npm registry.
|
||||
The code run inherits all the privileges of the execution user.
|
||||
* Inputs provided to it by the code it is asked to run, as it is the
|
||||
responsibility of the application to perform the required input validations,
|
||||
e.g. the input to `JSON.parse()`.
|
||||
* Any connection used for inspector (debugger protocol) regardless of being
|
||||
opened by command line options or Node.js APIs, and regardless of the remote
|
||||
end being on the local machine or remote.
|
||||
* The file system when requiring a module.
|
||||
See <https://nodejs.org/api/modules.html#all-together>.
|
||||
* The `node:wasi` module does not currently provide the comprehensive file
|
||||
system security properties provided by some WASI runtimes.
|
||||
|
||||
Any unexpected behavior from the data manipulation from Node.js Internal
|
||||
functions may be considered a vulnerability if they are exploitable via
|
||||
|
|
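Review bot: The last bullet under "Node.js trusts everything else", the `node:wasi` entry, is a statement about what the module does not provide rather than something Node.js trusts, so it does not read as one of the "Examples include:" items the way the other six bullets do. Consider rephrasing it into the same shape as the other entries, or moving it out of the list as a standalone sentence. Minor, in the first bullet: "The developers and infrastructure that runs it" should read "run it".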