doc: add binary generation threat (#1433)

RafaelGSS · mhdawson · anonrig · web-flow · commit 58c5dbd5785f · 2025-02-05T17:01:34.000-03:00
* doc: add binary generation threat

* doc: add malicious docker images threat

* Update MAINTAINERS_THREAT_MODEL.md

Co-authored-by: Yagiz Nizipli &lt;yagiz@nizipli.com&gt;

* Apply suggestions from code review

Co-authored-by: Stewart X Addison &lt;6487691+sxa@users.noreply.github.com&gt;
Co-authored-by: Ulises Gascón &lt;ulisesgascongonzalez@gmail.com&gt;

* Apply suggestions from code review

Co-authored-by: Richard Lau &lt;rlau@redhat.com&gt;

* fixup! node-core-utils to w

---------

Co-authored-by: Michael Dawson &lt;mdawson@devrus.com&gt;
Co-authored-by: Yagiz Nizipli &lt;yagiz@nizipli.com&gt;
Co-authored-by: Stewart X Addison &lt;6487691+sxa@users.noreply.github.com&gt;
Co-authored-by: Ulises Gascón &lt;ulisesgascongonzalez@gmail.com&gt;
Co-authored-by: Richard Lau &lt;rlau@redhat.com&gt;
diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md
@@ -100,3 +100,88 @@ or inderictly (builds process/testing)
 | **Social media accounts**    | -     | N\A |
 | **Email** (nodejs-sec)       | -     | N\A |
 | **Email** (io.js aliases)    | -     | N\A |
+
+### Malicious release binary generation in Node.js release/build processes
+
+In this scenario we assume that a malicious actor will include a malicious code
+(malware, malicious dependencies, polluted binaries...) in the release binaries
+available through the Nodejs.org downloads.
+
+**Vectors:**
+
+* Use priviledge access to GitHub in order to add/modify/pollute the Git History
+for the tooling/build repositories (like ansible scripts, etc..)
+* Pollute directly machines that are part of the CI/release inventory used by
+Jenkins/GH Actions
+* Manipulate the CI/release pipelines in Jenkins or GH Actions (add/modify custom
+scripts, pollute plugins, overwrite configuration...)  
+* Swapping out release binaries where they are hosted on nodejs.org web server
+* Modifying the cloudflare configuration to change were binaries are served from
+* Modifying the vercel website configation
+
+**Related CWEs:**
+
+* [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html)
+* [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)
+* [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html)
+* [CWE-353: Missing Support for Integrity Check](https://cwe.mitre.org/data/definitions/353.html)
+* [CWE-506: Embedded Malicious Code](https://cwe.mitre.org/data/definitions/506.html)
+
+| Resource | Minimum Access    | Description |
+|-         |-                  |-            |
+| **HackerOne**                | - | N\A |
+| **MITRE**                    | - | N\A |
+| **private/node-private**     | - | N\A |
+| **private/security-release** | - | N\A |
+| **private/secrets**          | r | read access to secrets grants access to key resources |
+| **nodejs/node**              | w | N\A |
+| **nodejs/deps¹**             | - | N\A |
+| **nodejs/build** (GH)        | w | write access would allow key scripts, infra to be modified |
+| **nodejs/docker-node**       | - | - |
+| **nodejs/node-core-utils**   | w | N\A |
+| **npm account**              | - | N\A |
+| **Jenkins CI - test**        | - | N\A |
+| **Jenkins CI - release**     | w | access to jenkins used for build would allow swapping published binaries |
+| **Infra - test**             | - | N/A |
+| **Infra - release**          | w | access to machines used for build would allow swapping published binaries |
+| **Build infra**              | w | access to machines used for build would allow swapping published binaries |
+| **Website Infra**            | w | access to machines used for build would allow swapping published binaries |
+| **Youtube**                  | - | N\A |
+| **Zoom**                     | - | N\A |
+| **1Password**                | r | read access to secrets grants access to key resources |
+| **Social media accounts**    | - | N\A |
+| **Email** (nodejs-sec)       | - | N\A |
+| **Email** (io.js aliases)    | - | N\A |
+
+Notes:
+
+* Orka infra is shared, so any orka admin can modify test/relese machines
+
+### Malicious docker images
+
+| Resource | Minimum Access | Description |
+|-|-|-|
+| **HackerOne**                | - | N\A |
+| **MITRE**                    | - | N\A |
+| **private/node-private**     | - | N\A |
+| **private/security-release** | - | N\A |
+| **private/secrets**          | r | read access to secrets grants access to key resources |
+| **nodejs/node**              | - | N\A |
+| **nodejs/deps¹**             | - | N\A |
+| **nodejs/build** (GH)        | - | N\A |
+| **nodejs/unofficial-builds** (GH)        | w | write access would allow key scripts, infra to be modified |
+| **nodejs/docker-node**       | w | modification of Docker files can modify what node.js binaries are in the images 
+| **nodejs/node-core-utils**   |  - | N\A |
+| **npm account**              | - | N\A |
+| **Jenkins CI - test**        | - | N\A |
+| **Jenkins CI - release**     | - | N\A |
+| **Infra - test**             | - | N/A |
+| **Infra - release**          | - | N\A |
+| **Build infra**              | w | access to machine used for unofficial-builds as server |
+| **Website Infra**            | - | N\A |
+| **Youtube**                  | - | N\A |
+| **Zoom**                     | - | N\A |
+| **1Password**                | r | read access to secrets grants access to key resources |
+| **Social media accounts**    | - | N\A |
+| **Email** (nodejs-sec)       | - | N\A |
+| **Email** (io.js aliases)    | - | N\A |
