doc: describe what security issues are #14485

Merged: 1 commit merged into nodejs:master from sam-github:define-vulnerability on Sep 7, 2017

8 participants
sam-github (Member) commented Jul 25, 2017

Fix nodejs/security-wg#18

Affected core subsystem(s): doc, security

Trott (Member) commented Jul 25, 2017

Can we link to a separate doc rather than putting the text right in the README? (Maybe the doc can even live in the security-wg repo?)

sam-github (Member) commented Jul 25, 2017

This is an attempt to clarify what kinds of issues will or will not be considered "security vulnerabilities" by the Security Response Team. I lifted much of the text from https://www.python.org/news/security/, because Node.js is not a web browser: it does not (natively) allow remote code execution, so it has a different security model from browsers, which has occasionally created confusion.

sam-github (Member) commented Jul 25, 2017

@Trott we can spread our docs as thin as we like, through multiple GitHub repos (nodejs/node, nodejs/LTS, nodejs/security-wg), and through various files and wikis, but I don't find that helpful.

This is the point at which people are told where to report security issues; it's the point they should be told what to report as well, IMO.

There is no current place in the security-wg repo that this information fits. It doesn't have any relationship to any other info in the README (https://github.com/nodejs/security-wg/blob/master/README.md), and I could just dump the text in a standalone .md file and link to it, but that seems a bit odd to me.

sam-github (Member) commented Jul 31, 2017

I'm going to go through the sec release history and try to find some good examples, as in https://www.python.org/news/security/, that flesh out the kinds of things Node does and does not consider a vulnerability.

sam-github (Member) commented Aug 1, 2017

possible examples:

8.0.0

  • new Buffer(num) and Buffer(num) will zero-fill new Buffer instances
    [7eb1b4658e]
    #12141.

  • buffer: Zero-fill excess bytes in new Buffer objects created with
    Buffer.concat() while providing a totalLength parameter that exceeds the
    total length of the original Buffer objects being concatenated. (Сковорода
    Никита Андреевич)
    ref: nodejs-private/node-private#64
    ref: 8fb8c46

  • url.resolve may transfer the auth portion of the url when resolving between two full hosts, see #1435.

4.8.3

  • tls:
    • fix rare segmentation faults when using TLS

nodejs/security-wg#35 (comment)
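As an added illustration of the two Buffer items in the 8.0.0 list above (example code written for this page, not code from the PR or from the Node.js project; the function names are assumptions of the example), the following checks that `Buffer.alloc()` and `Buffer.concat()` with an oversized `totalLength` hand back zero-filled memory, and shows the allocation pattern that keeps padding bytes in a fixed-size record from exposing stale heap contents. The sample inputs are constructed for the example.

```javascript
// Added example, not code from this PR or from Node.js itself. It checks the
// behaviour described in the 8.0.0 notes: Buffer.alloc() zero-fills, and
// Buffer.concat() zero-fills the tail when totalLength exceeds the sum of the
// inputs. Before 8.0.0 that tail could hold whatever the allocator returned,
// which is why uninitialized-memory exposure is treated as a vulnerability.

// True when every byte of buf in [start, end) is zero.
function isZeroFilled(buf, start = 0, end = buf.length) {
  for (let i = start; i < end; i++) {
    if (buf[i] !== 0) return false;
  }
  return true;
}

// Buffer.alloc(n) is the safe allocator: the result is always zero-filled.
function allocIsZeroFilled(n) {
  return isZeroFilled(Buffer.alloc(n));
}

// Concatenate `parts` into a buffer of exactly `totalLength` bytes and report
// whether the bytes past the copied data are zero. When totalLength is smaller
// than the inputs, the result is truncated and there is no excess to check.
function concatExcessCheck(parts, totalLength) {
  const buf = Buffer.concat(parts, totalLength);
  const inputBytes = parts.reduce((n, p) => n + p.length, 0);
  const used = Math.min(totalLength, inputBytes);
  return {
    length: buf.length,
    used,
    excessZeroFilled: isZeroFilled(buf, used, buf.length),
    // The copied prefix must still be the input data, not zeros.
    prefix: buf.subarray(0, used).toString(),
  };
}

// Hardened pattern for fixed-size records handed to other parties: allocate
// with Buffer.alloc so any padding the caller does not overwrite is zero,
// rather than Buffer.allocUnsafe, whose contents are whatever was in memory.
function buildPaddedRecord(payload, size) {
  if (payload.length > size) {
    throw new RangeError('payload larger than record');
  }
  const record = Buffer.alloc(size);
  payload.copy(record, 0);
  return record;
}

// Constructed sample inputs.
const sampleParts = [Buffer.from('ab'), Buffer.from('cd')];
console.log(allocIsZeroFilled(16));                  // true
console.log(concatExcessCheck(sampleParts, 8));      // excessZeroFilled: true
console.log(buildPaddedRecord(Buffer.from('hi'), 8)); // <Buffer 68 69 00 00 00 00 00 00>
```

`concatExcessCheck` is the check to run when auditing code that passes a caller-controlled `totalLength` to `Buffer.concat()`: the copied prefix should match the inputs byte for byte and everything after it should be zero, which is what Node 8.0.0 and later guarantee.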

jasnell (Member) commented Aug 24, 2017

I think I'd much prefer to see this in a doc/guides document rather than the readme

sam-github (Member) commented Aug 24, 2017

> I think I'd much prefer to see this in a doc/guides document rather than the readme

As I said:

> This is the point at which people are told where to report security issues; it's the point they should be told what to report as well, IMO.

But it's more important that it is documented and easily findable from the place the security reporting email address is described, so I'll move it.

Can you give me an explicit location and title?

sam-github (Member) commented Aug 30, 2017

@jasnell, gentle ping, I know you are juggling eggs ATM

@mhdawson

LGTM

doc: describe what security issues are
PR-URL: #14485
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

@sam-github sam-github merged commit 7540821 into nodejs:master Sep 7, 2017

@sam-github sam-github deleted the sam-github:define-vulnerability branch Sep 7, 2017

MylesBorins added a commit that referenced this pull request Sep 10, 2017

doc: describe what security issues are
PR-URL: #14485
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

MylesBorins referenced this pull request Sep 10, 2017: v8.5.0 proposal #15308 (Merged)

MylesBorins added a commit that referenced this pull request Sep 11, 2017


MylesBorins added a commit that referenced this pull request Sep 12, 2017


addaleax added a commit to addaleax/node that referenced this pull request Sep 13, 2017


MylesBorins added a commit that referenced this pull request Sep 20, 2017


MylesBorins referenced this pull request Sep 20, 2017: v6.11.4 proposal #15506 (Merged)

MylesBorins added a commit that referenced this pull request Sep 21, 2017


MylesBorins added a commit that referenced this pull request Sep 26, 2017


sam-github referenced this pull request Oct 10, 2017: Threat model #51 (Closed)

tniessen referenced this pull request Apr 13, 2018: doc: fix typo in README #20011 (Closed, 2 of 2 tasks complete)

tniessen added a commit that referenced this pull request Apr 13, 2018

doc: fix typo in README
PR-URL: #20011
Refs: #14485
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>

jasnell added a commit that referenced this pull request Apr 16, 2018


BridgeAR added a commit to BridgeAR/node that referenced this pull request May 1, 2018
