From d59d94468542dc717066ba9fcb562e9171e3cce1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Sun, 10 Mar 2024 19:20:45 +0100 Subject: [PATCH 1/4] docs: add Threat Model --- Security.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/Security.md b/Security.md index cdcd7a6e0a..78aa28d5e3 100644 --- a/Security.md +++ b/Security.md 
@@ -40,6 +40,57 @@ involving the following steps: * Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible to npm. +## The Express Threat Model + +The Express threat model delineates the trusted elements within the framework, such as the underlying operating system or the runtime. Vulnerabilities necessitating the compromise of these trusted elements lie outside the scope of the Node.js threat model. + +For a vulnerability to be considered, it must adhere to the context of the Express threat model. This implies that it cannot assume the compromise of a trusted element, such as the operating system. + +**Elements Express Does NOT Trust**: + +1. Data received from the remote end of inbound or sent to remote outbound network connections, which are accepted through the use of Express API and transformed/validated by Express before being passed to the application. + +In simpler terms, if the data passing through Express to/from the application can initiate actions beyond those documented for the API, it likely signifies a security vulnerability. Examples of unwanted actions include polluting globals, causing an unrecoverable crash, or any other unexpected side effects jeopardizing confidentiality, integrity, or availability. + +**Elements Express Trusts**: + +1. Developers and infrastructure responsible for running it. +2. The operating system and JavaScript runtime Express operates under, including its configuration and anything within the control of the operating system. +3. The code it executes, comprising JavaScript and native code, even if dynamically loaded, such as dependencies installed from npm or similar repositories. +4. The resources it accesses, such as files, network connections, and other system resources, as long as they are accessed through the documented API. +5. The privileges of the execution user are inherited by the code it runs. +6. 
Inputs provided by the code it runs, as it is the application's responsibility to conduct necessary input validations, e.g., input to `JSON.parse()`. + +### Examples of Vulnerabilities + +Examples of vulnerabilities can be found in the [Express Security Updates](https://expressjs.com/en/advanced/security-updates.html). + +### Examples of Non-Vulnerabilities + +#### Malicious Third-Party Modules (CWE-1357) + +* Code trusted by Express implies that any scenario requiring a malicious third-party module does not result in a vulnerability in Express. For instance, if an application uses a vulnerable third-party module susceptible to a denial of service attack, it is not considered a vulnerability in Express. + +#### Prototype Pollution Attacks (CWE-1321) + +* Express trusts the inputs provided by application code. Hence, scenarios necessitating control over user input are not considered vulnerabilities unless Express itself fails to sanitize the input properly. + +#### Uncontrolled Search Path Element (CWE-427) + +* Express trusts the runtime environment accessible to it. Therefore, accessing/loading files from any accessible path is not a vulnerability. For example, misconfigurations with `express.static()` are not considered vulnerabilities. [Additional information](https://expressjs.com/en/starter/static-files.html). + +#### External Control of System or Configuration Setting (CWE-15) + +* If Express automatically loads a configuration from the environment, any modification to that environment does not constitute a vulnerability. For example, tampering with the `NODE_ENV` environment variable, causing Express to behave in dev mode instead of production mode, is not considered a vulnerability. [Additional information](https://expressjs.com/en/advanced/best-practice-performance.html#set-node_env-to-production). 
+ +#### Uncontrolled Resource Consumption (CWE-400) on Outbound Connections + +* Express being asked to perform an action impacting the runtime's performance or causing resource exhaustion due to user application code is not a vulnerability. + +#### Vulnerabilities Affecting JavaScript Runtime + +* Express provides a stable API for interacting with most JavaScript runtime versions. Vulnerabilities within the JavaScript runtime itself or those requiring execution on an end-of-life version are not considered vulnerabilities in Express. + ## Comments on this Policy If you have suggestions on how this process could be improved please submit a From 81a9fd26beaa80c217c6de3cd1d6b5967b19d76b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 11 Mar 2024 20:20:04 +0100 Subject: [PATCH 2/4] docs: update reference Co-authored-by: Chris de Almeida --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index 78aa28d5e3..3e7b60eb03 100644 --- a/Security.md +++ b/Security.md @@ -42,7 +42,7 @@ involving the following steps: ## The Express Threat Model -The Express threat model delineates the trusted elements within the framework, such as the underlying operating system or the runtime. Vulnerabilities necessitating the compromise of these trusted elements lie outside the scope of the Node.js threat model. +The Express threat model delineates the trusted elements within the framework, such as the underlying operating system or the runtime. Vulnerabilities necessitating the compromise of these trusted elements lie outside the scope of the Express threat model. For a vulnerability to be considered, it must adhere to the context of the Express threat model. This implies that it cannot assume the compromise of a trusted element, such as the operating system. From 54d3397531afe514136662b189c04d94ad55d619 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 11 Mar 2024 20:37:38 +0100 Subject: [PATCH 3/4] docs: improve readability Co-authored-by: Chris de Almeida --- Security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Security.md b/Security.md index 3e7b60eb03..126144e91f 100644 --- a/Security.md +++ b/Security.md @@ -48,7 +48,7 @@ For a vulnerability to be considered, it must adhere to the context of the Expre **Elements Express Does NOT Trust**: -1. Data received from the remote end of inbound or sent to remote outbound network connections, which are accepted through the use of Express API and transformed/validated by Express before being passed to the application. +1. Data received from the remote end of inbound network connections and data sent to the remote end of outbound network connections, which are accepted through the use of the Express API and transformed/validated by Express before being passed to the application. In simpler terms, if the data passing through Express to/from the application can initiate actions beyond those documented for the API, it likely signifies a security vulnerability. Examples of unwanted actions include polluting globals, causing an unrecoverable crash, or any other unexpected side effects jeopardizing confidentiality, integrity, or availability. From 63c95b5a0a9c8af6b926b5a502a6712d29cdb059 Mon Sep 17 00:00:00 2001 From: Ulises Gascon Date: Thu, 4 Apr 2024 12:05:34 +0200 Subject: [PATCH 4/4] docs: add reference to the Threat Model --- Security.md | 49 +------------------------------------------------ 1 file changed, 1 insertion(+), 48 deletions(-) diff --git a/Security.md b/Security.md index 126144e91f..7de954c1af 100644 --- a/Security.md +++ b/Security.md 
@@ -42,54 +42,7 @@ involving the following steps: ## The Express Threat Model -The Express threat model delineates the trusted elements within the framework, such as the underlying operating system or the runtime. Vulnerabilities necessitating the compromise of these trusted elements lie outside the scope of the Express threat model. - -For a vulnerability to be considered, it must adhere to the context of the Express threat model. This implies that it cannot assume the compromise of a trusted element, such as the operating system. - -**Elements Express Does NOT Trust**: - -1. Data received from the remote end of inbound network connections and data sent to the remote end of outbound network connections, which are accepted through the use of the Express API and transformed/validated by Express before being passed to the application. - -In simpler terms, if the data passing through Express to/from the application can initiate actions beyond those documented for the API, it likely signifies a security vulnerability. Examples of unwanted actions include polluting globals, causing an unrecoverable crash, or any other unexpected side effects jeopardizing confidentiality, integrity, or availability. - -**Elements Express Trusts**: - -1. Developers and infrastructure responsible for running it. -2. The operating system and JavaScript runtime Express operates under, including its configuration and anything within the control of the operating system. -3. The code it executes, comprising JavaScript and native code, even if dynamically loaded, such as dependencies installed from npm or similar repositories. -4. The resources it accesses, such as files, network connections, and other system resources, as long as they are accessed through the documented API. -5. The privileges of the execution user are inherited by the code it runs. -6. 
Inputs provided by the code it runs, as it is the application's responsibility to conduct necessary input validations, e.g., input to `JSON.parse()`. - -### Examples of Vulnerabilities - -Examples of vulnerabilities can be found in the [Express Security Updates](https://expressjs.com/en/advanced/security-updates.html). - -### Examples of Non-Vulnerabilities - -#### Malicious Third-Party Modules (CWE-1357) - -* Code trusted by Express implies that any scenario requiring a malicious third-party module does not result in a vulnerability in Express. For instance, if an application uses a vulnerable third-party module susceptible to a denial of service attack, it is not considered a vulnerability in Express. - -#### Prototype Pollution Attacks (CWE-1321) - -* Express trusts the inputs provided by application code. Hence, scenarios necessitating control over user input are not considered vulnerabilities unless Express itself fails to sanitize the input properly. - -#### Uncontrolled Search Path Element (CWE-427) - -* Express trusts the runtime environment accessible to it. Therefore, accessing/loading files from any accessible path is not a vulnerability. For example, misconfigurations with `express.static()` are not considered vulnerabilities. [Additional information](https://expressjs.com/en/starter/static-files.html). - -#### External Control of System or Configuration Setting (CWE-15) - -* If Express automatically loads a configuration from the environment, any modification to that environment does not constitute a vulnerability. For example, tampering with the `NODE_ENV` environment variable, causing Express to behave in dev mode instead of production mode, is not considered a vulnerability. [Additional information](https://expressjs.com/en/advanced/best-practice-performance.html#set-node_env-to-production). 
- -#### Uncontrolled Resource Consumption (CWE-400) on Outbound Connections - -* Express being asked to perform an action impacting the runtime's performance or causing resource exhaustion due to user application code is not a vulnerability. - -#### Vulnerabilities Affecting JavaScript Runtime - -* Express provides a stable API for interacting with most JavaScript runtime versions. Vulnerabilities within the JavaScript runtime itself or those requiring execution on an end-of-life version are not considered vulnerabilities in Express. +We are currently working on a new version of the security model, the most updated version can be found [here](https://github.com/expressjs/security-wg/blob/main/tools/docs/ThreatModel.md) ## Comments on this Policy
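Review bot: In the PATCH 1/4 hunk, the opening paragraph under "## The Express Threat Model" ends with "lie outside the scope of the Node.js threat model" while every other sentence in the section talks about the Express threat model; this reads as a leftover from the Node.js document the section is modelled on and should say "outside the scope of the Express threat model". Two further points in the same hunk: the heading "#### Uncontrolled Resource Consumption (CWE-400) on Outbound Connections" is not matched by its bullet, which only covers resource exhaustion "due to user application code" and never mentions outbound connections; either drop "on Outbound Connections" or add the outbound case to the bullet, and say explicitly that inbound request data which exhausts resources inside Express's own request processing stays in scope, because item 1 under "Elements Express Does NOT Trust" already places inbound network data outside the trust boundary. Also, "#### Uncontrolled Search Path Element (CWE-427)" uses an `express.static()` misconfiguration as its example, but CWE-427 is about the search path used to locate executables and libraries at load time (the binary/DLL planting case), not about which files a static handler serves; either pick a file-exposure CWE that matches the example or reword the example to match the CWE.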
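Review bot: In the PATCH 3/4 hunk, the rewritten item 1 still attaches "transformed/validated by Express before being passed to the application" to both halves of the sentence, yet data "sent to the remote end of outbound network connections" flows from the application to the network, not into the application; consider splitting it into two items, one for inbound data that Express parses and hands to the application and one for outbound data that the application hands to Express to serialise, so the direction of each trust boundary is unambiguous.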
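Review bot: In the PATCH 4/4 hunk, the commit is titled "docs: add reference to the Threat Model" but the diffstat shows 48 deletions: the entire threat model text is replaced by one sentence, so Security.md no longer states on its own which inputs Express treats as untrusted, and a reporter reading this policy has to follow a link to a file on the `main` branch of a different repository that can move or change without this document changing. Keep at least a short summary of the trust boundary (the "Elements Express Does NOT Trust" and "Elements Express Trusts" lists) inline, or pin the link to a tagged revision or commit. Two wording points in the added line: it says "security model" where the heading directly above it says "Threat Model", and "the most updated version can be found [here](...)" should read something like "the latest version is maintained in the expressjs/security-wg repository" with descriptive link text and a terminating period.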