Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inadvertent disclosure #36155

Closed
wants to merge 10 commits into from
Closed

Conversation

mhdawson
Copy link
Member

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Nov 17, 2020

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the c++ Issues and PRs that require attention from people who are familiar with C++. label Nov 17, 2020
@cjihrig
Copy link
Contributor

cjihrig commented Nov 17, 2020

Are the n-api changes here intentional?


* Ask the originator to submit a report through Hacker one as outlined in
[SECURITY.md][security reporting].
* Move the issue to the private repo called `premature-disclosures`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Link to the repository? Or should we keep it without a link on purpose?

Also, I assume it will be a repo on nodejs-private?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've not created the repo yet, but a link makes sense. It should only be accessible to those who have access to private repos within the org

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mmarchini added the link in the first reference, not sure if we need to make all references a link or not.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I assume it will be a repo on nodejs-private?

No, its a private repo in the nodejs org as I don't believe we can move issues across organizations.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. The downside is that folks who have access to private repos in this org but not on the repo we usually use for security releases will have access to the issue. It's probably fine though, it only means some folks in moderation and CommComm will have access to the issue even when they don't have access to security release discussions (which is still better than keeping the issue public).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mmarchini

which is still better than keeping the issue public

+1

Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <[email protected]>
@mhdawson mhdawson force-pushed the inadvertant-disclosure branch from 06b7d65 to 83c1c12 Compare November 18, 2020 18:33
@Flarna Flarna removed the c++ Issues and PRs that require attention from people who are familiar with C++. label Nov 18, 2020
doc/guides/collaborator-guide.md Outdated Show resolved Hide resolved
doc/guides/collaborator-guide.md Outdated Show resolved Hide resolved
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Copy link
Contributor

@mmarchini mmarchini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. I think we need to open a request on nodejs/admin to create the repository, correct?

doc/guides/collaborator-guide.md Outdated Show resolved Hide resolved
@mhdawson
Copy link
Member Author

@mmarchini good call on creating the request in admin. Here is the list: nodejs/admin#573

mhdawson added a commit that referenced this pull request Nov 30, 2020
Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #36155
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Mary Marchini <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
@mhdawson
Copy link
Member Author

Landed as 9cf2341

@mhdawson mhdawson closed this Nov 30, 2020
danielleadams pushed a commit that referenced this pull request Dec 7, 2020
Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #36155
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Mary Marchini <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
@danielleadams danielleadams mentioned this pull request Dec 7, 2020
cjihrig pushed a commit to cjihrig/node that referenced this pull request Dec 8, 2020
Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: nodejs#36155
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Mary Marchini <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
targos pushed a commit that referenced this pull request May 1, 2021
Add process for handling premature disclosure of
a security vulnerability in the public repos.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #36155
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Mary Marchini <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
@danielleadams danielleadams mentioned this pull request May 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants