Commit 5ba7ef6

Trott authored and RafaelGSS committed
Update SECURITY.md
1 parent 6b4b830 commit 5ba7ef6

1 file changed

+9
-9
lines changed

SECURITY.md

Lines changed: 9 additions & 9 deletions
@@ -93,9 +93,9 @@ Vulnerabilities related to this case may be fixed by a documentation update.
9393
2. The operating system that Node.js is running under and its configuration,
9494
along with anything under control of the operating system.
9595
3. The code it is asked to run including JavaScript and native code, even if
96-
said code is dynamically loaded, e.g. all dependencies installed from the npm registry.
97-
The code run inherits all the privileges of
98-
the execution user.
96+
said code is dynamically loaded, e.g. all dependencies installed from the
97+
npm registry.
98+
The code run inherits all the privileges of the execution user.
9999
4. Inputs provided to it by the code it is asked to run, as it is the
100100
responsibility of the application to perform the required input validations.
101101
5. Any connection used for inspector (debugger protocol) regardless of being
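Review bot: In item 3, the rewrapped sentence at new line 98 still reads "The code run inherits all the privileges of the execution user", which is hard to parse on first read. Since this hunk already rewrites these three lines, consider rephrasing it to something like "Code that Node.js runs inherits all the privileges of the user executing it." so the privilege-inheritance statement, which is the security-relevant part of this item, stands out as its own sentence.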
@@ -125,20 +125,20 @@ the community they pose.
125125
in certficates used to connect to an https endpoint. If certificates can be
126126
crafted which result in incorrect validation by the Node.js APIs that is
127127
considered a vulnerability.
128-
128+
129129
#### Inconsistent Interpretation of HTTP Requests (CWE-444)
130-
130+
131131
* Node.js provides APIs to accept http connections. Those APIs parse the
132132
headers received for a connection and pass them on to the application.
133133
Bugs in parsing those headers which can result in request smuggling are
134134
considered vulnerabilities.
135-
135+
136136
#### Missing Cryptographic Step (CWE-325)
137-
137+
138138
* Node.js provides APIs to encrypt data. Bugs that would allow an attacker
139139
to get the orginal data without requiring the encryption key are
140140
considered vulnerabilities.
141-
141+
142142
#### External Control of System or Configuration Setting (CWE-15)
143143

144144
* If Node.js automatically loads a configuration file which is not documented
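Review bot: The context lines in this hunk still carry two typos, "certficates" at line 125 and "orginal" at line 139, and the commit is already cleaning up the adjacent lines, so they are worth fixing in the same pass. The changed lines at 128, 130, 135, 137 and 141 show no visible difference between the removed and added side, which suggests whitespace-only edits; the commit message "Update SECURITY.md" should say so, so the change is easy to verify as non-substantive.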
@@ -163,7 +163,7 @@ the community they pose.
163163
* Node.js trusts the file system in the environment accessible to it.
164164
Therefore, it is not a vulnerability if it accesses/loads files from any path
165165
that is accessible to it.
166-
166+
167167
#### External Control of System or Configuration Setting (CWE-15)
168168

169169
* If Node.js automatically loads a configuration file which is documented
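Review bot: The heading at line 167, "#### External Control of System or Configuration Setting (CWE-15)", is identical to the heading at line 142 in the previous hunk, and the bullets under them differ only by "which is not documented" versus "which is documented". While touching the line directly above it, consider making the two headings distinguishable, or adding a cross-reference between them, so a reader landing on one can tell which case it covers and so links to the heading are unambiguous.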
