Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 439b816

Browse filesBrowse files
mcollinaaduh95
mcollina
authored and
aduh95
committed
doc: clarify EventEmitter error handling in threat model
Add documentation explaining that applications are expected to attach 'error' event handlers to EventEmitters that can emit errors, including HTTP streams. Crashes resulting from missing error handlers are not considered denial-of-service vulnerabilities in Node.js. PR-URL: #61701 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
1 parent adce20c commit 439b816
Copy full SHA for 439b816

1 file changed

+12Lines changed: 12 additions & 0 deletions

File tree

Expand file treeCollapse file tree
Open diff view settings
Filter options
Expand file treeCollapse file tree
Open diff view settings
Collapse file

‎SECURITY.md‎

Copy file name to clipboardExpand all lines: SECURITY.md
+12Lines changed: 12 additions & 0 deletions
  • Display the source diff
  • Display the rich diff
Original file line numberDiff line numberDiff line change
@@ -335,6 +335,18 @@ the community they pose.
335335
proper security boundaries between trusted application logic and untrusted
336336
user input.
337337

338+
#### Unhandled 'error' Events on EventEmitters (CWE-248)
339+
340+
* EventEmitters that can emit `'error'` events require the application to
341+
attach an `'error'` event handler. This includes HTTP streams and other
342+
Node.js core streams. If the application fails to attach an `'error'`
343+
handler, the EventEmitter will throw an uncaught exception, which may
344+
crash the process.
345+
* Crashes resulting from missing `'error'` handlers are not considered
346+
denial-of-service vulnerabilities in Node.js. It is the application's
347+
responsibility to properly handle errors by attaching appropriate
348+
`'error'` event listeners to EventEmitters that may emit errors.
349+
338350
## Assessing experimental features reports
339351

340352
Experimental features are eligible for security reports just like any other

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.