From 2c95f6e18b966431d52d0e191e95e10875015a8b Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Thu, 30 Mar 2023 14:40:57 +0200 Subject: [PATCH] meta: clarify the threat model to explain the JSON.parse case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Matteo Collina PR-URL: https://github.com/nodejs/node/pull/47276 Reviewed-By: Michaël Zasso Reviewed-By: Yagiz Nizipli Reviewed-By: Michael Dawson Reviewed-By: Colin Ihrig Reviewed-By: Tobias Nießen Reviewed-By: Rafael Gonzaga Reviewed-By: Luigi Pinca --- SECURITY.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0ce5cc03e23c3c..acf83434de4e79 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -116,7 +116,8 @@ lead to a loss of confidentiality, integrity, or availability. npm registry. The code run inherits all the privileges of the execution user. 4. Inputs provided to it by the code it is asked to run, as it is the - responsibility of the application to perform the required input validations. + responsibility of the application to perform the required input validations, + e.g. the input to `JSON.parse()`. 5. Any connection used for inspector (debugger protocol) regardless of being opened by command line options or Node.js APIs, and regardless of the remote end being on the local machine or remote. @@ -124,7 +125,8 @@ lead to a loss of confidentiality, integrity, or availability. See . Any unexpected behavior from the data manipulation from Node.js Internal -functions are considered a vulnerability. +functions may be considered a vulnerability if they are expoitable via +untrusted resources. In addition to addressing vulnerabilities based on the above, the project works to avoid APIs and internal implementations that make it "easy" for application
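Review bot: In the first hunk (item 4 of the threat model), the appended example "e.g. the input to `JSON.parse()`" reads as if any input reaching `JSON.parse()` is out of scope, whereas the sentence it extends is about input the application is responsible for validating; consider making that explicit, for instance "for example, untrusted input passed to `JSON.parse()` without prior validation". Tacking ", e.g. ..." onto the end of the existing sentence also produces a run-on; a parenthetical "(for example, ...)" would read more cleanly in this list.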
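Review bot: In the second hunk, "expoitable" is a typo for "exploitable", and the new clause "functions may be considered a vulnerability if they are expoitable via untrusted resources" has a subject mismatch: the subject of the sentence is "Any unexpected behavior", so it should read "... Node.js internal functions may be considered a vulnerability if it is exploitable ...". "Untrusted resources" is also vaguer than the rest of the section, which talks about inputs; "untrusted input" or "untrusted sources" would say what is meant. Since this hunk also softens "are considered" to "may be considered ... if", it would help to state the condition precisely, as the exploitability qualifier is what readers will rely on when deciding whether to file a report.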