Commit 33a98c4

mhdawson authored and MylesBorins committed
doc: update threat model based on discussions
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: #46373
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
1 parent c7f29b2 commit 33a98c4

1 file changed: +21 -6 lines

SECURITY.md
@@ -82,14 +82,22 @@ Vulnerabilities related to this case may be fixed by a documentation update.
8282

8383
**Node.js does NOT trust**:
8484

85-
1. The data from network connections that are created through the use of Node.js
86-
APIs and which is transformed/validated by Node.js before being passed to the
87-
application. This includes:
88-
* HTTP APIs (all flavors) client and server APIs.
85+
1. Data received from the remote end of inbound network connections
86+
that are accepted through the use of Node.js APIs and
87+
which is transformed/validated by Node.js before being passed
88+
to the application. This includes:
89+
* HTTP APIs (all flavors) server APIs.
90+
2. The data received from the remote end of outbound network connections
91+
that are created through the use of Node.js APIs and
92+
which is transformed/validated by Node.js before being passed
93+
to the application EXCEPT in respect to payload length. Node.js trusts
94+
that applications make connections/requests which will avoid payload
95+
sizes that will result in a Denial of Service.
96+
* HTTP APIs (all flavors) client APIs.
8997
* DNS APIs.
90-
2. Consumers of data protected through the use of Node.js APIs (for example
98+
3. Consumers of data protected through the use of Node.js APIs (for example
9199
people who have access to data encrypted through the Node.js crypto APIs).
92-
3. The file content or other I/O that is opened for reading or writing by the
100+
4. The file content or other I/O that is opened for reading or writing by the
93101
use of Node.js APIs (ex: stdin, stdout, stderr).
94102

95103
In other words, if the data passing through Node.js to/from the application
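Review bot: the unchanged `* DNS APIs.` bullet at line 97 now sits under the new item 2 (outbound connections) rather than under item 1 where it lived before the split, so the new carve-out at lines 93-95 ("EXCEPT in respect to payload length") silently applies to DNS responses as well as to HTTP client responses. If that is intended, make it explicit (for example `* DNS APIs (client-side lookups).`); if not, move the bullet back under item 1 or give DNS its own numbered item so readers do not have to infer the scope from indentation. Two wording nits in the same lines: `in respect to payload length` should read `with respect to payload length`, and `connections/requests which will avoid payload sizes that will result in a Denial of Service` reads more cleanly as `connections/requests that avoid payload sizes that would result in a denial of service`.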
@@ -181,6 +189,13 @@ the community they pose.
181189
no scenario that requires modification of that configuration file is
182190
considered a vulnerability.
183191

192+
#### Uncontrolled Resource Consumption (CWE-400) on outbound connections
193+
194+
* If Node.js is asked to connect to a remote site and return an
195+
artifact, it is not considered a vulnerability if the size of
196+
that artifact is large enough to impact performance and or
197+
cause the runtime to run out of resources.
198+
184199
## Receiving security updates
185200

186201
Security notifications will be distributed via the following methods.
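Review bot: `performance and or cause` at lines 196-197 should be `performance and/or cause`. The new subsection is also a single-item bullet list directly after a prose paragraph (lines 189-191); it would read better as a sentence of prose, and it should point back to the matching outbound-connection exception added to the "Node.js does NOT trust" list earlier in this patch so the two statements cannot drift apart, for example: `This is the outbound-connection exception in item 2 of the "Node.js does NOT trust" list above.` Finally, the only trigger named is "the size of that artifact"; if the exclusion is meant to cover byte length only, that is clear, but if it is also meant to cover a remote that responds slowly or never terminates, the text needs to say so, since as written a reader will take it to exclude large payloads and nothing else.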
