@@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.
82
82
83
83
**Node.js does NOT trust**:
84
84
85
-
1. Data received from the remote end of inbound network connections
86
-
that are accepted through the use of Node.js APIs and
87
-
which is transformed/validated by Node.js before being passed
88
-
to the application. This includes:
89
-
* HTTP APIs (all flavors) server APIs.
90
-
2. The data received from the remote end of outbound network connections
91
-
that are created through the use of Node.js APIs and
92
-
which is transformed/validated by Node.js before being passed
93
-
to the application EXCEPT with respect to payload length. Node.js trusts
94
-
that applications make connections/requests which will avoid payload
95
-
sizes that will result in a Denial of Service.
96
-
* HTTP APIs (all flavors) client APIs.
97
-
* DNS APIs.
98
-
3. Consumers of data protected through the use of Node.js APIs (for example,
99
-
people who have access to data encrypted through the Node.js crypto APIs).
100
-
4. The file content or other I/O that is opened for reading or writing by the
101
-
use of Node.js APIs (ex: stdin, stdout, stderr).
85
+
* Data received from the remote end of inbound network connections
86
+
that are accepted through the use of Node.js APIs and
87
+
which is transformed/validated by Node.js before being passed
88
+
to the application. This includes:
89
+
* HTTP APIs (all flavors) server APIs.
90
+
* The data received from the remote end of outbound network connections
91
+
that are created through the use of Node.js APIs and
92
+
which is transformed/validated by Node.js before being passed
93
+
to the application EXCEPT with respect to payload length. Node.js trusts
94
+
that applications make connections/requests which will avoid payload
95
+
sizes that will result in a Denial of Service.
96
+
* HTTP APIs (all flavors) client APIs.
97
+
* DNS APIs.
98
+
* Consumers of data protected through the use of Node.js APIs (for example,
99
+
people who have access to data encrypted through the Node.js crypto APIs).
100
+
* The file content or other I/O that is opened for reading or writing by the
101
+
use of Node.js APIs (ex: stdin, stdout, stderr).
102
102
103
103
In other words, if the data passing through Node.js to/from the application
104
104
can trigger actions other than those documented for the APIs, there is likely
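Review bot: With the ordinals gone, the sub-items "HTTP APIs (all flavors) server APIs.", "HTTP APIs (all flavors) client APIs." and "DNS APIs." now carry the same `*` marker as the parent entries they illustrate ("This includes:"), so the nesting depends entirely on their indentation being preserved; without it they render as three additional top-level trust boundaries rather than examples of the inbound and outbound connection entries. Please confirm the indentation survives, and while the list is being touched, "HTTP APIs (all flavors) server APIs" would read more clearly as "HTTP server APIs (all flavors)"; the same applies to the client variant. Also check that nothing else in SECURITY.md or in open issues refers to these entries by number (e.g. "item 2"), since the numbers are no longer present.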
@@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.
108
108
109
109
**Node.js trusts everything else**. Examples include:
110
110
111
-
1. The developers and infrastructure that runs it.
112
-
2. The operating system that Node.js is running under and its configuration,
113
-
along with anything under control of the operating system.
114
-
3. The code it is asked to run, including JavaScript, WASM and native code, even
115
-
if said code is dynamically loaded, e.g., all dependencies installed from the
116
-
npm registry.
117
-
The code run inherits all the privileges of the execution user.
118
-
4. Inputs provided to it by the code it is asked to run, as it is the
119
-
responsibility of the application to perform the required input validations,
120
-
e.g. the input to `JSON.parse()`.
121
-
5. Any connection used for inspector (debugger protocol) regardless of being
122
-
opened by command line options or Node.js APIs, and regardless of the remote
123
-
end being on the local machine or remote.
124
-
6. The file system when requiring a module.
125
-
See <https://nodejs.org/api/modules.html#all-together>.
126
-
7. The `node:wasi` module does not currently provide the comprehensive file
127
-
system security properties provided by some WASI runtimes.
111
+
* The developers and infrastructure that runs it.
112
+
* The operating system that Node.js is running under and its configuration,
113
+
along with anything under control of the operating system.
114
+
* The code it is asked to run, including JavaScript, WASM and native code, even
115
+
if said code is dynamically loaded, e.g., all dependencies installed from the
116
+
npm registry.
117
+
The code run inherits all the privileges of the execution user.
118
+
* Inputs provided to it by the code it is asked to run, as it is the
119
+
responsibility of the application to perform the required input validations,
120
+
e.g. the input to `JSON.parse()`.
121
+
* Any connection used for inspector (debugger protocol) regardless of being
122
+
opened by command line options or Node.js APIs, and regardless of the remote
123
+
end being on the local machine or remote.
124
+
* The file system when requiring a module.
125
+
See <https://nodejs.org/api/modules.html#all-together>.
126
+
* The `node:wasi` module does not currently provide the comprehensive file
127
+
system security properties provided by some WASI runtimes.
128
128
129
129
Any unexpected behavior from the data manipulation from Node.js Internal
130
130
functions may be considered a vulnerability if they are exploitable via
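Review bot: The continuation line "The code run inherits all the privileges of the execution user." sits between the "npm registry." line and the next `*` entry; as a bare line it only stays attached to the "code it is asked to run" bullet if it keeps its list indentation, otherwise it breaks the list into two and the entries after it render as a new list. The same applies to "See <https://nodejs.org/api/modules.html#all-together>." under the file-system entry. Separately, the final entry ("The `node:wasi` module does not currently provide the comprehensive file system security properties provided by some WASI runtimes.") is a caveat rather than a thing Node.js trusts, which is more noticeable now that the items are unnumbered bullets under "Examples include:"; consider rewording it to name the trusted thing, e.g. the file system as seen by `node:wasi`, with the lack of sandboxing as the explanation.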