Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add Node.js Security Best Practices #4896

Merged

Conversation

RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Oct 27, 2022

Reference nodejs/security-wg#819.

One of Security WG's initiatives is to create a best practices document for end-users. We've been actively working on that and finally, we have something to share.

This document intends to extend the current threat model(under development) and provide extensive guidelines on how to secure a Node.js application. The target audience is Node.js users/developers.

I think is important to have @nodejs/tsc eyes here as well.

@nodejs/security-wg Thanks to everyone who helped in that journey (I'll include all of you as Co-Author soon as I get your handles)

Co-authored-by: Ulises Gascon [email protected]
Co-authored-by: Thomas Gentilhomme [email protected]
Co-authored-by: Facundo Tuesca [email protected]
Co-authored-by: Michael Dawson [email protected]
Co-authored-by: Andrew Hart [email protected]
Co-authored-by: Zbyszek Tenerowicz [email protected]
Co-authored-by: Yagiz Nizipli [email protected]

@RafaelGSS RafaelGSS force-pushed the guides/nodejs-security-best-practices branch from 9a68d3e to 6b4a9fc Compare October 27, 2022 16:53
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

amazing!

Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Trott
Copy link
Member

Trott commented Oct 27, 2022

This document recommends some experimental features (frozen intrinsics and policy) and doesn't mention that policies are experimental. At a minimum, I think we should mention that policy is experimental. But more broadly, do we want to encourage the use of experimental features in production for security purposes?

@nodejs/security

@Trott
Copy link
Member

Trott commented Oct 27, 2022

This is a really valuable document which a lot of effort clearly went into. Nice work!

@RafaelGSS
Copy link
Member Author

This document recommends some experimental features (frozen intrinsics and policy) and doesn't mention that policies are experimental. At a minimum, I think we should mention that policy is experimental. But more broadly, do we want to encourage the use of experimental features in production for security purposes?

@nodejs/security

That's a valid concern. I think we can recommend its usage but mention at the end of the document the expectations when using an experimental feature. Something like:

Node.js has an experimental¹ policy mechanism to declare the loaded resource as untrusted or trusted.

Experimental Features in Production

The use of experimental features in production isn't recommended, because we can't guarantee they are secure <-- probably reword it

What do you think?

Copy link
Member

@anonrig anonrig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, great job everybody!

@RafaelGSS RafaelGSS force-pushed the guides/nodejs-security-best-practices branch from 6b4a9fc to 8071fa5 Compare October 27, 2022 23:50
@Trott
Copy link
Member

Trott commented Oct 28, 2022

What do you think?

Something like that would work for me.

@ShogunPanda
Copy link

This is incredible!
Nice job everybody!

@RafaelGSS RafaelGSS requested review from bmeck, feross and UlisesGascon and removed request for bmeck and feross October 31, 2022 14:56
Co-authored-by: Ulises Gascon <[email protected]>
Co-authored-by: Thomas Gentilhomme <[email protected]>
Co-authored-by: Facundo Tuesca <[email protected]>
Co-authored-by: Michael Dawson <[email protected]>
Co-authored-by: Andrew Hart <[email protected]>
Co-authored-by: Zbyszek Tenerowicz <[email protected]>
Co-authored-by: Yagiz Nizipli <[email protected]>
@RafaelGSS RafaelGSS force-pushed the guides/nodejs-security-best-practices branch from e74fdc0 to 5c4e35b Compare October 31, 2022 15:03
@RafaelGSS RafaelGSS requested review from feross and Trott and removed request for UlisesGascon and feross November 1, 2022 22:59
@Trott
Copy link
Member

Trott commented Nov 2, 2022

@nodejs/documentation

Copy link
Member

@UlisesGascon UlisesGascon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@RafaelGSS RafaelGSS requested review from Trott and bmeck November 4, 2022 13:35
Copy link
Member

@deian deian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is awesome y'all!

Comment on lines +104 to +121
### Exposure of Sensitive Information to an Unauthorized Actor (CWE-552)

All the files and folders included in the current directory are pushed to the
npm registry during the package publication.

There are some mechanism to control this behavior by defining a blocklist with
`.npmignore` and `.gitignore` or by defining an allowlist in the `package.json`

**Mitigations**

* Using `npm publish --dry-run` list all the files to publish. Ensure to review the
content before publishing the package.
* It’s also important to create and maintain ignore files such as `.gitignore` and
`.npmignore`.
Throughout these files, you can specify which files/folders should not be published.
The [files property][] in `package.json` allows the inverse operation
-- allowed list.
* In case of an exposure, make sure to [unpublish the package][].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fantastic but doesn't seem like a node concern so much as it is an npm concern. (Of course, the line is blurry and this is absolutely something folks should be concerned about.) The broader problem of exposing sensitive information definitely is; would it make sense to either expand this section to talk about these class of bugs or rename the section to be about publishing code?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these bullets do not necessarily need to be separated or in a unique category as mitigations could exist as a solution in multiple vectors with the same action. This already points out that it is about "the current directory are pushed to the npm registry during the package publication." so idk if there needs to be a full expansion on this. Discussing every attack vector isn't really the purpose of a best practices doc normally.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't suggesting being exhaustive. I was trying to say there is a disconnect between the title (which is about a broad category of attacks) and the content (which is narrow and about a particular npm workflow). I think just adding a sentence at the start (I can just suggest something when back on the computer) would bride the gap.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not quite sure if I get your point. The suggestion to expand it to other registries is definitely a thing, but I'd include it in a second PR.

locale/en/docs/guides/security/index.md Outdated Show resolved Hide resolved
locale/en/docs/guides/security/index.md Outdated Show resolved Hide resolved
locale/en/docs/guides/security/index.md Outdated Show resolved Hide resolved
locale/en/docs/guides/security/index.md Show resolved Hide resolved
locale/en/docs/guides/security/index.md Show resolved Hide resolved
Comment on lines +243 to +244
Like all runtimes, Node.js is vulnerable to these attacks if your projects runs
on a shared machine.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why the shared machine is relevant here? Do you mean because Node.js uses libc and the libc could be vulnerable?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it's because when sharing resources with other processes, the memory can be violated.

@deian
Copy link
Member

deian commented Nov 5, 2022

I left some notes, but of course feel free to ignore! :-) Really cool to see this!

@anonrig
Copy link
Member

anonrig commented Nov 16, 2022

Anybody from @nodejs/nodejs-tr want to translate this document?

SEWeiTung added a commit that referenced this pull request Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.