doc: explicit mention arbitrary code execution as a vuln #57426

RafaelGSS · 2025-03-12T15:21:02Z

This request came from Github Open Source Secure and it's always welcome to clarify the policy

nodejs-github-bot · 2025-03-12T15:21:07Z

Review requested:

@nodejs/tsc

legendecas · 2025-03-12T18:04:57Z

SECURITY.md

@@ -106,6 +106,10 @@ a security vulnerability. Examples of unwanted actions are polluting globals,
 causing an unrecoverable crash, or any other unexpected side effects that can
 lead to a loss of confidentiality, integrity, or availability.

+For example, if trusted input (like secure application code) is correct,
+then untrusted input must not lead to arbitrary JavaScript code execution or
+escape the sandbox.


Is the term "sandbox" appropriate in this security context?

https://github.com/nodejs/node/blob/main/doc/contributing/security-model-strategy.md#document-the-security-model stated that Node.js is not a sandbox.

doc: explicit mention arbitrary code execution as a vuln

fb43360

This request came from Github Open Source Secure and it's always welcome to clarify the policy

nodejs-github-bot added the doc Issues and PRs related to the documentations. label Mar 12, 2025

marco-ippolito approved these changes Mar 12, 2025

View reviewed changes

legendecas reviewed Mar 12, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

doc: explicit mention arbitrary code execution as a vuln #57426

doc: explicit mention arbitrary code execution as a vuln #57426

RafaelGSS commented Mar 12, 2025

nodejs-github-bot commented Mar 12, 2025

legendecas Mar 12, 2025

doc: explicit mention arbitrary code execution as a vuln #57426

Are you sure you want to change the base?

doc: explicit mention arbitrary code execution as a vuln #57426

Conversation

RafaelGSS commented Mar 12, 2025

nodejs-github-bot commented Mar 12, 2025

legendecas Mar 12, 2025

Choose a reason for hiding this comment