@@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update. |
82 | 82 |
|
83 | 83 | **Node.js does NOT trust**: |
84 | 84 |
|
85 | | -1. Data received from the remote end of inbound network connections |
86 | | -that are accepted through the use of Node.js APIs and |
87 | | -which is transformed/validated by Node.js before being passed |
88 | | -to the application. This includes: |
89 | | -* HTTP APIs (all flavors) server APIs. |
90 | | -2. The data received from the remote end of outbound network connections |
91 | | -that are created through the use of Node.js APIs and |
92 | | -which is transformed/validated by Node.js before being passed |
93 | | -to the application EXCEPT with respect to payload length. Node.js trusts |
94 | | -that applications make connections/requests which will avoid payload |
95 | | -sizes that will result in a Denial of Service. |
96 | | -* HTTP APIs (all flavors) client APIs. |
97 | | -* DNS APIs. |
98 | | -3. Consumers of data protected through the use of Node.js APIs (for example, |
99 | | -people who have access to data encrypted through the Node.js crypto APIs). |
100 | | -4. The file content or other I/O that is opened for reading or writing by the |
101 | | -use of Node.js APIs (ex: stdin, stdout, stderr). |
| 85 | +* Data received from the remote end of inbound network connections |
| 86 | +that are accepted through the use of Node.js APIs and |
| 87 | +which is transformed/validated by Node.js before being passed |
| 88 | +to the application. This includes: |
| 89 | +* HTTP APIs (all flavors) server APIs. |
| 90 | +* The data received from the remote end of outbound network connections |
| 91 | +that are created through the use of Node.js APIs and |
| 92 | +which is transformed/validated by Node.js before being passed |
| 93 | +to the application EXCEPT with respect to payload length. Node.js trusts |
| 94 | +that applications make connections/requests which will avoid payload |
| 95 | +sizes that will result in a Denial of Service. |
| 96 | +* HTTP APIs (all flavors) client APIs. |
| 97 | +* DNS APIs. |
| 98 | +* Consumers of data protected through the use of Node.js APIs (for example, |
| 99 | +people who have access to data encrypted through the Node.js crypto APIs). |
| 100 | +* The file content or other I/O that is opened for reading or writing by the |
| 101 | +use of Node.js APIs (ex: stdin, stdout, stderr). |
102 | 102 |
|
103 | 103 | In other words, if the data passing through Node.js to/from the application |
104 | 104 | can trigger actions other than those documented for the APIs, there is likely |
@@ -108,23 +108,23 @@ lead to a loss of ity, integrity, or availability. |
108 | 108 |
|
109 | 109 | **Node.js trusts everything else**. Examples include: |
110 | 110 |
|
111 | | -1. The developers and infrastructure that runs it. |
112 | | -2. The operating system that Node.js is running under and its configuration, |
113 | | -along with anything under control of the operating system. |
114 | | -3. The code it is asked to run, including JavaScript, WASM and native code, even |
115 | | -if said code is dynamically loaded, e.g., all dependencies installed from the |
116 | | -npm registry. |
117 | | -The code run inherits all the privileges of the execution user. |
118 | | -4. Inputs provided to it by the code it is asked to run, as it is the |
119 | | -responsibility of the application to perform the required input validations, |
120 | | -e.g. the input to `JSON.parse()`. |
121 | | -5. Any connection used for inspector (debugger protocol) regardless of being |
122 | | -opened by command line options or Node.js APIs, and regardless of the remote |
123 | | -end being on the local machine or remote. |
124 | | -6. The file system when requiring a module. |
125 | | -See <https://nodejs.org/api/modules.html#all-together>. |
126 | | -7. The `node:wasi` module does not currently provide the comprehensive file |
127 | | -system security properties provided by some WASI runtimes. |
| 111 | +* The developers and infrastructure that runs it. |
| 112 | +* The operating system that Node.js is running under and its configuration, |
| 113 | +along with anything under control of the operating system. |
| 114 | +* The code it is asked to run, including JavaScript, WASM and native code, even |
| 115 | +if said code is dynamically loaded, e.g., all dependencies installed from the |
| 116 | +npm registry. |
| 117 | +The code run inherits all the privileges of the execution user. |
| 118 | +* Inputs provided to it by the code it is asked to run, as it is the |
| 119 | +responsibility of the application to perform the required input validations, |
| 120 | +e.g. the input to `JSON.parse()`. |
| 121 | +* Any connection used for inspector (debugger protocol) regardless of being |
| 122 | +opened by command line options or Node.js APIs, and regardless of the remote |
| 123 | +end being on the local machine or remote. |
| 124 | +* The file system when requiring a module. |
| 125 | +See <https://nodejs.org/api/modules.html#all-together>. |
| 126 | +* The `node:wasi` module does not currently provide the comprehensive file |
| 127 | +system security properties provided by some WASI runtimes. |
128 | 128 |
|
129 | 129 | Any unexpected behavior from the data manipulation from Node.js Internal |
130 | 130 | functions may be considered a vulnerability if they are exploitable via |
|
0 commit comments