Commit 70e88cf

mhdawson authored and targos committed
doc: add check for security reverts
- Add step to check that any PRs with breaking changes have command line options to revert
- Add info on how to easily add command line option to revert a breaking change related to a CVE

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: #51376
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
1 parent 17cb4af commit 70e88cf

1 file changed, 50 additions and 0 deletions

doc/contributing/security-release-process.md
@@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js
7575
7676
* [ ] Check that all vulnerabilities are ready for release integration:
7777
* PRs against all affected release lines or cherry-pick clean
78+
* PRs with breaking changes have a
79+
[--security-revert](#Adding-a-security-revert-option) option if possible.
7880
* Approved
7981
* (optional) Approved by the reporter
8082
* Build and send the binary to the reporter according to its architecture
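Review bot: the fragment in `[--security-revert](#Adding-a-security-revert-option)` is mixed case, while the other in-document link in this file (`#security-release-stewards`, in the next hunk) uses the lowercase slug that GitHub generates for headings; change it to `#adding-a-security-revert-option` so both links follow the same convention and the fragment matches the generated heading id. The qualifier "if possible" also leaves this checklist item open-ended: say who decides that a revert option is not feasible for a given fix and where that decision is recorded, otherwise the box can be ticked without the question ever being asked.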
@@ -223,6 +225,54 @@ out a better way, forward the email you receive to
223225
[Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
224226
If necessary add the next rotation of the steward rotation.
225227

228+
## Adding a security revert option
229+
230+
Breaking changes are allowed in existing LTS lines in order to fix
231+
important security vulnerabilities. When breaking changes are made
232+
it is important to provide a command line option that restores
233+
the original behaviour.
234+
235+
The existing Node.js codebase supports the command line
236+
option `--security-revert` and has the boilerplate to make additions
237+
for a specific CVE easy.
238+
239+
To add an option to revert for a CVE, for example `CVE-2024-1234`
240+
simply add this line to
241+
[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h)
242+
243+
```c
244+
XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve")
245+
```
246+
247+
This will allow an easy check of whether a reversion has been
248+
requested or not.
249+
250+
In JavaScript code you can check:
251+
252+
```js
253+
if (process.REVERT_CVE_2024_1234);
254+
```
255+
256+
In C/C++ code you can check:
257+
258+
```c
259+
IsReverted(SECURITY_REVERT_CVE_2024_1234)
260+
```
261+
262+
From the command line a user can request the revert by using
263+
the `--security-revert` option as follows:
264+
265+
```console
266+
node --security-revert=CVE-2024-1234
267+
```
268+
269+
If there are multiple security reverts then multiple instances
270+
of --security-revert can be used. For example:
271+
272+
```console
273+
node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX
274+
```
275+
226276
## When things go wrong
227277

228278
### Incomplete fixes
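Review bot: the JavaScript example `if (process.REVERT_CVE_2024_1234);` ends the `if` with a stray semicolon, so as written it is an empty statement; give it a body, for example `if (process.REVERT_CVE_2024_1234) { /* restore pre-fix behaviour */ }`, and say what the property holds when no revert was requested (absent vs. `false`) so readers know a plain truthiness check is the intended test. The C/C++ example `IsReverted(SECURITY_REVERT_CVE_2024_1234)` should likewise be shown inside an `if` so both snippets read as checks rather than bare expressions. The placeholder `"Description of cve"` in the `XX(...)` line should be replaced by guidance on what to write there (which fix is being disabled and what behaviour comes back), since a contributor copying the template will otherwise leave it vague. Finally, because the section says the option "restores the original behaviour", it should state plainly that a process started with `--security-revert` is running with that vulnerability re-exposed, so the reader adding the option understands what they are handing to operators.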
