From fb4336051b0f8a65da15adcfc4ec52f7893b4234 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 12 Mar 2025 12:19:29 -0300 Subject: [PATCH 1/2] doc: explicit mention arbitrary code execution as a vuln This request came from Github Open Source Secure and it's always welcome to clarify the policy --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index b8f54307d5ed5b..7b7fa5f6b4a860 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -106,6 +106,10 @@ a security vulnerability. Examples of unwanted actions are polluting globals, causing an unrecoverable crash, or any other unexpected side effects that can lead to a loss of confidentiality, integrity, or availability. +For example, if trusted input (like secure application code) is correct, +then untrusted input must not lead to arbitrary JavaScript code execution or +escape the sandbox. + **Node.js trusts everything else**. Examples include: * The developers and infrastructure that runs it. From 955b00bb1f06f90c0d9b2513df1e264277034210 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Fri, 14 Mar 2025 12:38:47 -0300 Subject: [PATCH 2/2] fixup! doc: explicit mention arbitrary code execution as a vuln --- SECURITY.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7b7fa5f6b4a860..9d008bfbe05e99 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -107,8 +107,7 @@ causing an unrecoverable crash, or any other unexpected side effects that can lead to a loss of confidentiality, integrity, or availability. For example, if trusted input (like secure application code) is correct, -then untrusted input must not lead to arbitrary JavaScript code execution or -escape the sandbox. +then untrusted input must not lead to arbitrary JavaScript code execution. **Node.js trusts everything else**. Examples include: