Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: update threat model based on discussions #46373

Closed
wants to merge 1 commit into from

Conversation

mhdawson
Copy link
Member

Signed-off-by: Michael Dawson [email protected]

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Jan 26, 2023
@mhdawson
Copy link
Member Author

@RafaelGSS, @mcollina, @jasnell how does this look to you?

@panva panva changed the title doc: update thread model based on discussions doc: update threat model based on discussions Jan 26, 2023
Copy link
Member

@RafaelGSS RafaelGSS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Comment on lines +194 to +197
* If Node.js is asked to connect to a remote site and return an
artifact, it is not considered a vulnerability if the size of
that artifact is large enough to impact performance and or
cause the runtime to run out of resources.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this actually true? Say I host a malicious server that triggers a hash table collision denial-of-service in node's http client - that's considered a vulnerability, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bnoordhuis I think your example is different in that it does not relate to the size of the artifact returned.

mhdawson added a commit that referenced this pull request Feb 1, 2023
Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #46373
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
@mhdawson
Copy link
Member Author

mhdawson commented Feb 1, 2023

Landed in 088e470

@mhdawson mhdawson closed this Feb 1, 2023
MylesBorins pushed a commit that referenced this pull request Feb 18, 2023
Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #46373
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
@MylesBorins MylesBorins mentioned this pull request Feb 19, 2023
danielleadams pushed a commit that referenced this pull request Apr 11, 2023
Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #46373
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants