Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a Threat Model #5526

Merged
merged 4 commits into from
Apr 4, 2024
Merged

Conversation

UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Mar 10, 2024

This proposal is very open for debate and improvements, it is basically a fork from Node.js one (nodejs/node#45223).

I suggest you to review Node.js one first if you are not familiar with Threat models at all.

The main goal of this Threat Model is to provide a better support for Security Researches and for us on the triage. This Threat model can be considered as the "playbook rules" for reporting vulnerabilities into the project.

Note: Only the Threat Model is in scope of this PR. The security.md has already existing elements that are going to change soon (see: expressjs/security-wg#7), so please keep the focus on the target.

Context
Ref: expressjs/security-wg#3

Your feedback is more than appreciated: @bensternthal @ruddermann @ljharb @lirantal @mcollina @fraxken @expressjs/security-wg @expressjs/security-triage @expressjs/express-tc

@UlisesGascon UlisesGascon added top priority Issues which the TC deem our current highest priorities for the project security labels Mar 10, 2024
@UlisesGascon UlisesGascon requested a review from a team March 10, 2024 18:36
@mcollina
Copy link

I think this is a good starting point.

Copy link

@ljharb ljharb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall!

Security.md Outdated

1. Developers and infrastructure responsible for running it.
2. The operating system and JavaScript runtime Express operates under, including its configuration and anything within the control of the operating system.
3. The code it executes, comprising JavaScript and native code, even if dynamically loaded, such as dependencies installed from npm or similar repositories.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems strange to trust arbitrary plugins - this can be defended against.

Copy link
Member

@wesleytodd wesleytodd Mar 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree here. What exactly do we mean by this in "real terms". Like what would be an outcome we expect to happen when triaging an issues where this would apply? Is it this "Malicious Third-Party Modules (CWE-1357)"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not true, express should trust the middleware not to be malicious, otherwise the plugin system would not work and express is not responsible of how a malicious plugin interacts

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this is why I am not sure I am clear on the distinction here. What you say @marco-ippolito makes sense, but this language is a bit "wide in scope" imo, just want to make sure I understand the goal.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

basically all of the express middleware I've written would be considered malicious from a security view 😃

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I too think its a good point.

Copy link
Member

@wesleytodd wesleytodd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a great start! I think this doc needs to move officially into the security wg repo as that is who will maintain it going forward, but we can deal with that in the future.

Security.md Outdated Show resolved Hide resolved
Co-authored-by: Chris de Almeida <ctcpip@users.noreply.github.com>
Security.md Outdated Show resolved Hide resolved
@ctcpip
Copy link
Member

ctcpip commented Mar 11, 2024

this looks great, just some small edit suggestions. also, we should consider moving this to the .github repo, but this can be done later

Co-authored-by: Chris de Almeida <ctcpip@users.noreply.github.com>
Security.md Outdated

#### Prototype Pollution Attacks (CWE-1321)

* Express trusts the inputs provided by application code. Hence, scenarios necessitating control over user input are not considered vulnerabilities unless Express itself fails to sanitize the input properly.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prototype pollution is not a sanitization issue.

In javascript, you can store arbitrary user-controlled data as a key of a javascript object in a safe way without any need for sanitization. If express is not doing that, it's worth asking why.

Copy link
Member

@wesleytodd wesleytodd Mar 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There have been PP attacks which relied on missing input sanitization in the past, not that I am saying you are wrong, just that this can be caused by a few types of things. AFAIK all of those were addressed and closed out. Was this just speculation or trying to help find better wording for this section?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this just speculation or trying to help find better wording for this section?

That was trying to clarify the intention behind this paragraph, and it was before I realized that it was copy-pasted from Node.js.

If express had PP issues, which were all addressed and fixed, then it shouldn't be in "not an issue" section, no?

But honestly, I think this document should be written from the ground up based on actual issues reported by people (in github and email). Threat models of a js runtime and js library are very different, and issues that node.js faced before aren't necessarily applicable here. (I also had "wtf" moment reading about uncontrolled paths trying to figure out how it's related to express - do people really report these?)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was trying to clarify the intention behind this paragraph, and it was before I realized that it was copy-pasted from Node.js.

Cool thanks! Just making sure I understood the intent since I was not sure my reply really addressed it.

then it shouldn't be in "not an issue" section, no? ... Threat models of a js runtime and js library are very different

Yeah that seems like a very relevant point! Hm. @UlisesGascon thoughts on this?

@marco-ippolito
Copy link
Contributor

I guess this is ready to be merged

@UlisesGascon
Copy link
Member Author

I will merge this PR, the follow up can be found at expressjs/security-wg#3 (comment)
and the Threat Model content at https://github.com/expressjs/security-wg/blob/main/tools/docs/ThreatModel.md#the-express-threat-model.

As we plan to do more iterations soon, we just decided in a previous TC meeting to move the initiative to the security wg until is completed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs security top priority Issues which the TC deem our current highest priorities for the project
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants