@@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.
8282
8383** Node.js does NOT trust** :
8484
85- 1 . Data received from the remote end of inbound network connections
86- that are accepted through the use of Node.js APIs and
87- which is transformed/validated by Node.js before being passed
88- to the application. This includes:
89- * HTTP APIs (all flavors) server APIs.
90- 2 . The data received from the remote end of outbound network connections
91- that are created through the use of Node.js APIs and
92- which is transformed/validated by Node.js before being passed
93- to the application EXCEPT with respect to payload length. Node.js trusts
94- that applications make connections/requests which will avoid payload
95- sizes that will result in a Denial of Service.
96- * HTTP APIs (all flavors) client APIs.
97- * DNS APIs.
98- 3 . Consumers of data protected through the use of Node.js APIs (for example,
99- people who have access to data encrypted through the Node.js crypto APIs).
100- 4 . The file content or other I/O that is opened for reading or writing by the
101- use of Node.js APIs (ex: stdin, stdout, stderr).
85+ * Data received from the remote end of inbound network connections
86+ that are accepted through the use of Node.js APIs and
87+ which is transformed/validated by Node.js before being passed
88+ to the application. This includes:
89+ * HTTP APIs (all flavors) server APIs.
90+ * The data received from the remote end of outbound network connections
91+ that are created through the use of Node.js APIs and
92+ which is transformed/validated by Node.js before being passed
93+ to the application EXCEPT with respect to payload length. Node.js trusts
94+ that applications make connections/requests which will avoid payload
95+ sizes that will result in a Denial of Service.
96+ * HTTP APIs (all flavors) client APIs.
97+ * DNS APIs.
98+ * Consumers of data protected through the use of Node.js APIs (for example,
99+ people who have access to data encrypted through the Node.js crypto APIs).
100+ * The file content or other I/O that is opened for reading or writing by the
101+ use of Node.js APIs (ex: stdin, stdout, stderr).
102102
103103In other words, if the data passing through Node.js to/from the application
104104can trigger actions other than those documented for the APIs, there is likely
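Review bot: with both list levels now using `*`, the sub-items "HTTP APIs (all flavors) server APIs.", "HTTP APIs (all flavors) client APIs." and "DNS APIs." are distinguished from their parents only by indentation, so please keep them indented by at least the width of the parent bullet's content (e.g. two spaces) and confirm in the rendered preview that they still nest; previously the `1 .`/`2 .` markers made the hierarchy visually obvious even when the indent was off. Also worth stating in the commit message (not visible on this page) why numbering is being dropped, since the old numbers may be referenced from issues or reports as "item 2 of the untrusted list".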
@@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.
108108
109109** Node.js trusts everything else** . Examples include:
110110
111- 1 . The developers and infrastructure that runs it.
112- 2 . The operating system that Node.js is running under and its configuration,
113- along with anything under control of the operating system.
114- 3 . The code it is asked to run, including JavaScript, WASM and native code, even
115- if said code is dynamically loaded, e.g., all dependencies installed from the
116- npm registry.
117- The code run inherits all the privileges of the execution user.
118- 4 . Inputs provided to it by the code it is asked to run, as it is the
119- responsibility of the application to perform the required input validations,
120- e.g. the input to ` JSON.parse() ` .
121- 5 . Any connection used for inspector (debugger protocol) regardless of being
122- opened by command line options or Node.js APIs, and regardless of the remote
123- end being on the local machine or remote.
124- 6 . The file system when requiring a module.
125- See < https://nodejs.org/api/modules.html#all-together > .
126- 7 . The ` node:wasi ` module does not currently provide the comprehensive file
127- system security properties provided by some WASI runtimes.
111+ * The developers and infrastructure that runs it.
112+ * The operating system that Node.js is running under and its configuration,
113+ along with anything under control of the operating system.
114+ * The code it is asked to run, including JavaScript, WASM and native code, even
115+ if said code is dynamically loaded, e.g., all dependencies installed from the
116+ npm registry.
117+ The code run inherits all the privileges of the execution user.
118+ * Inputs provided to it by the code it is asked to run, as it is the
119+ responsibility of the application to perform the required input validations,
120+ e.g. the input to ` JSON.parse() ` .
121+ * Any connection used for inspector (debugger protocol) regardless of being
122+ opened by command line options or Node.js APIs, and regardless of the remote
123+ end being on the local machine or remote.
124+ * The file system when requiring a module.
125+ See < https://nodejs.org/api/modules.html#all-together > .
126+ * The ` node:wasi ` module does not currently provide the comprehensive file
127+ system security properties provided by some WASI runtimes.
128128
129129Any unexpected behavior from the data manipulation from Node.js Internal
130130functions may be considered a vulnerability if they are exploitable via
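Review bot: the continuation lines "The code run inherits all the privileges of the execution user." (after the "code it is asked to run" bullet) and "See < https://nodejs.org/api/modules.html#all-together > ." (after the "file system when requiring a module" bullet) must stay indented under their bullet after this change, otherwise they break out of the list and render as separate paragraphs; this was less visible with numbered items but a bulleted list with an unindented line ends the list. Same point as the first hunk applies here on recording the motivation for dropping the numbers.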