Skip to content

Commit

Permalink
meta: clarify the threat model to explain the JSON.parse case
Browse files Browse the repository at this point in the history
Signed-off-by: Matteo Collina <[email protected]>
PR-URL: #47276
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
  • Loading branch information
mcollina authored and RafaelGSS committed Apr 5, 2023
1 parent 9f9a3d5 commit 0985548
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,15 +116,17 @@ lead to a loss of confidentiality, integrity, or availability.
npm registry.
The code run inherits all the privileges of the execution user.
4. Inputs provided to it by the code it is asked to run, as it is the
responsibility of the application to perform the required input validations.
responsibility of the application to perform the required input validations,
e.g. the input to `JSON.parse()`.
5. Any connection used for inspector (debugger protocol) regardless of being
opened by command line options or Node.js APIs, and regardless of the remote
end being on the local machine or remote.
6. The file system when requiring a module.
See <https://nodejs.org/api/modules.html#all-together>.

Any unexpected behavior from the data manipulation from Node.js Internal
functions are considered a vulnerability.
functions may be considered a vulnerability if they are expoitable via
untrusted resources.

In addition to addressing vulnerabilities based on the above, the project works
to avoid APIs and internal implementations that make it "easy" for application
Expand Down

0 comments on commit 0985548

Please sign in to comment.