◐ Shell
clean mode source ↗

doc: use `<ul>` instead of `<ol>` in `SECURITY.md` · nodejs/node@bc756da

@@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.

82828383

**Node.js does NOT trust**:

848485-

1. Data received from the remote end of inbound network connections

86-

that are accepted through the use of Node.js APIs and

87-

which is transformed/validated by Node.js before being passed

88-

to the application. This includes:

89-

* HTTP APIs (all flavors) server APIs.

90-

2. The data received from the remote end of outbound network connections

91-

that are created through the use of Node.js APIs and

92-

which is transformed/validated by Node.js before being passed

93-

to the application EXCEPT with respect to payload length. Node.js trusts

94-

that applications make connections/requests which will avoid payload

95-

sizes that will result in a Denial of Service.

96-

* HTTP APIs (all flavors) client APIs.

97-

* DNS APIs.

98-

3. Consumers of data protected through the use of Node.js APIs (for example,

99-

people who have access to data encrypted through the Node.js crypto APIs).

100-

4. The file content or other I/O that is opened for reading or writing by the

101-

use of Node.js APIs (ex: stdin, stdout, stderr).

85+

* Data received from the remote end of inbound network connections

86+

that are accepted through the use of Node.js APIs and

87+

which is transformed/validated by Node.js before being passed

88+

to the application. This includes:

89+

* HTTP APIs (all flavors) server APIs.

90+

* The data received from the remote end of outbound network connections

91+

that are created through the use of Node.js APIs and

92+

which is transformed/validated by Node.js before being passed

93+

to the application EXCEPT with respect to payload length. Node.js trusts

94+

that applications make connections/requests which will avoid payload

95+

sizes that will result in a Denial of Service.

96+

* HTTP APIs (all flavors) client APIs.

97+

* DNS APIs.

98+

* Consumers of data protected through the use of Node.js APIs (for example,

99+

people who have access to data encrypted through the Node.js crypto APIs).

100+

* The file content or other I/O that is opened for reading or writing by the

101+

use of Node.js APIs (ex: stdin, stdout, stderr).

102102103103

In other words, if the data passing through Node.js to/from the application

104104

can trigger actions other than those documented for the APIs, there is likely

@@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.

108108109109

**Node.js trusts everything else**. Examples include:

110110111-

1. The developers and infrastructure that runs it.

112-

2. The operating system that Node.js is running under and its configuration,

113-

along with anything under control of the operating system.

114-

3. The code it is asked to run, including JavaScript, WASM and native code, even

115-

if said code is dynamically loaded, e.g., all dependencies installed from the

116-

npm registry.

117-

The code run inherits all the privileges of the execution user.

118-

4. Inputs provided to it by the code it is asked to run, as it is the

119-

responsibility of the application to perform the required input validations,

120-

e.g. the input to `JSON.parse()`.

121-

5. Any connection used for inspector (debugger protocol) regardless of being

122-

opened by command line options or Node.js APIs, and regardless of the remote

123-

end being on the local machine or remote.

124-

6. The file system when requiring a module.

125-

See <https://nodejs.org/api/modules.html#all-together>.

126-

7. The `node:wasi` module does not currently provide the comprehensive file

127-

system security properties provided by some WASI runtimes.

111+

* The developers and infrastructure that runs it.

112+

* The operating system that Node.js is running under and its configuration,

113+

along with anything under control of the operating system.

114+

* The code it is asked to run, including JavaScript, WASM and native code, even

115+

if said code is dynamically loaded, e.g., all dependencies installed from the

116+

npm registry.

117+

The code run inherits all the privileges of the execution user.

118+

* Inputs provided to it by the code it is asked to run, as it is the

119+

responsibility of the application to perform the required input validations,

120+

e.g. the input to `JSON.parse()`.

121+

* Any connection used for inspector (debugger protocol) regardless of being

122+

opened by command line options or Node.js APIs, and regardless of the remote

123+

end being on the local machine or remote.

124+

* The file system when requiring a module.

125+

See <https://nodejs.org/api/modules.html#all-together>.

126+

* The `node:wasi` module does not currently provide the comprehensive file

127+

system security properties provided by some WASI runtimes.

128128129129

Any unexpected behavior from the data manipulation from Node.js Internal

130130

functions may be considered a vulnerability if they are exploitable via