Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,16 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
* The developers and infrastructure that run it.
* The operating system that Node.js is running under and its configuration,
along with anything under the control of the operating system.
* The deployment network environment for the privacy of traffic and routing
decisions, including internal networks through which Node.js traffic passes
and configured HTTP(S) proxy servers. Built-in proxy support is intended to
route traffic through proxies authorized for the deployment, often because a
firewall requires one to access external networks. It is not intended to hide
traffic from network operators or authorities governing the deployment.
Untrusted or unauthorized proxies, as well as deployment policy or legal
compliance controls around proxy use, are the responsibility of the deployment
operator and are outside this threat model. This does not change that data
parsed from network protocol peers is untrusted as described above.
* The code it is asked to run, including JavaScript, WASM and native code, even
if said code is dynamically loaded, e.g., all dependencies installed from the
npm registry or libraries loaded via `node:ffi`.
Expand Down Expand Up @@ -301,6 +311,19 @@ the community they pose.
client consuming unsolicited or misordered responses within the same HTTP/1.1 connection
reuse lifecycle are generally not considered Node.js vulnerabilities.

#### Unauthorized or untrusted HTTP proxy deployments

* Built-in HTTP proxy support is intended for routing outbound requests through
a proxy authorized by the deployment, for example because a firewall requires
one to reach external networks. It is not an anonymity, traffic-hiding, or
policy-evasion feature.
* Reports that depend on using an unauthorized proxy, expecting Node.js to
provide privacy from a configured proxy or internal network, or expecting
Node.js to enforce deployment-specific network policy or legal requirements
are not considered Node.js vulnerabilities. Deployment operators are
responsible for hardening such environments and controlling which proxy
settings are allowed.

#### Malicious Third-Party Modules (CWE-1357)

* Code is trusted by Node.js. Therefore any scenario that requires a malicious
Expand Down
1 change: 1 addition & 0 deletions deps/openssl/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ Here is a list of supported architectures for use of ASM in OpenSSL.
| linux | ppc64(*1) | linux-ppc64le | o |
| linux | s390 | linux32-s390x | o |
| linux | s390x | linux64-s390x | o |
| linux | riscv64 | linux64-riscv64 | - |
| mac | ia32 | darwin-i386-cc | - |
| mac | x64 | darwin64-x86-cc | o |
| win | ia32 | VC-WIN32 | - |
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/config/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,10 @@ ASM_ARCHS = aix64-gcc-as BSD-x86 BSD-x86_64 \
darwin64-x86_64-cc darwin-i386-cc darwin64-arm64-cc linux-aarch64 \
linux-armv4 linux-elf linux-x86_64 \
linux-ppc64le linux32-s390x linux64-s390x linux64-mips64\
linux64-riscv64 \
solaris-x86-gcc solaris64-x86_64-gcc VC-WIN64A VC-WIN32

NO_ASM_ARCHS = VC-WIN64-ARM linux64-riscv64 linux64-loongarch64
NO_ASM_ARCHS = VC-WIN64-ARM linux64-loongarch64

CC = gcc
FAKE_GCC = ../config/fake_gcc.pl
Expand Down
Loading
Loading