Merge branch 'main' into core-index-updated

Author: RafaelGSS

MAINTAINERS_THREAT_MODEL.md

@@ -30,30 +30,32 @@ repositories in the org, like Working groups or subteams.
 > ¹ - All repositories with code that get published or has some impact on nodejs/core
 > ² - Releasers has access to run CI during CI Embargo (Security Release)
 
-| Resource | External people | Contributors - Core/Triagers/WG | Build - Test/Infra/Admin | Admin - TSC/Releasers/Moderation | Security Stewards/Triagers/External | GitHub - Actions/Plugins |
-|-         |-                |-                                |-                         |-                                 |-                                    |-                         |
-| **HackerOne**                | - | -\-\- | -\-\- | aw-  | www   | -\- | 
-| **MITRE**                    | - | -\-\- | -\-\- | a-\- | w-\-  | -\- | 
-| **private/node-private**     | - | -\-\- | www   | aw-  | w-w   | -\- |
-| **private/security-release** | - | -\-\- | -\-\- | a-\- | ww-   | -\- |
-| **private/secrets**          | - | -\-\- | www   | a-\- | -\-\- | -\- |
-| **nodejs/node**              | r | wrr   | rrw   | awa  | rrr   | wr  |
-| **nodejs/deps¹**             | r | rrr   | rrw   | arr  | rrr   | wr  |
-| **nodejs/build** (GH)        | r | rrr   | rrw   | awa  | rrr   | wr  |
-| **nodejs/node-core-utils**   | r | rrr   | rrw   | awa  | rrr   | wr  |
-| **npm account**              | - | -     | -a-   | a-\- | -\-\- | -\- |
-| **Jenkins CI - test**        | r | ww-   | wwa   | -w²- | -\-\- | ww  |
-| **Jenkins CI - release**     | - | -\-\- | -ww   | -w-  | -\-\- | -\- |
-| **Infra - test**             | - | w-\-  | aaa   | ww-  | -w-   | ww  |
-| **Infra - release**          | - | -\-\- | -ww   | -w-  | -\-\- | -\- |
-| **Build infra**              | - | -\-\- | -a-   | -\-\-| -\-\- | -\- |
-| **Website Infra**            | - | -\-\- | -a-   | a-\- | -\-\- | -\- |
-| **Youtube**                  | - | -\-w  | -\-\- | a-\- | -\-\- | -\- |
-| **Zoom**                     | r | rrw   | -\-\- | a-\- | -\-\- | -\- |
-| **1Password**                | - | -\-r  | -\-\- | a-\- | -\-\- | -\- |
-| **Social media accounts**    | - | -\-\- | -\-\- | -\-\-| -\-\- | -\- |
-| **Email** (nodejs-sec)       | r | rrr   | rrr   | awr  | wrr   | rr  |
-| **Email** (io.js aliases)    | r | -\-\- | -a-   | w-\- | -\-\- | -\- |
+| Resource | External people | Contributors - Core/Triagers/WG | Build - Test/Infra/Admin | Admin - TSC/Releasers/Moderation | Security Stewards/Triagers/External | GitHub - Actions/Plugins | Docker Team |
+|-         |-                |-                                |-                         |-                                 |-                                    |-                         |- |
+| **HackerOne**                | - | -\-\- | -\-\- | aw-  | www   | -\- | - |
+| **MITRE**                    | - | -\-\- | -\-\- | a-\- | w-\-  | -\- | - |
+| **private/node-private**     | - | -\-\- | www   | aw-  | w-w   | -\- | - |
+| **private/security-release** | - | -\-\- | -\-\- | a-\- | ww-   | -\- | - |
+| **private/secrets**          | - | -\-\- | www   | a-\- | -\-\- | -\- | - |
+| **nodejs/node**              | r | wrr   | rrw   | awa  | rrr   | wr  | r |
+| **nodejs/deps¹**             | r | rrr   | rrw   | arr  | rrr   | wr  | r |
+| **nodejs/build** (GH)        | r | rrr   | rrw   | awa  | rrr   | wr  | r |
+| **nodejs/docker-node** (GH)  | r | rrr   | rrr   | awa  | rrr   | wr  | w |
+| **nodejs/node-core-utils**   | r | rrr   | rrw   | awa  | rrr   | wr  | r |
+| **nodejs/nodejs.org**        | r | rrr   | rrr   | awa  | rrr   | wr  | r |
+| **npm account**              | - | -     | -a-   | a-\- | -\-\- | -\- | - |
+| **Jenkins CI - test**        | r | ww-   | wwa   | -w²- | -\-\- | ww  | - |
+| **Jenkins CI - release**     | - | -\-\- | -ww   | -w-  | -\-\- | -\- | - |
+| **Infra - test**             | - | w-\-  | aaa   | ww-  | -w-   | ww  | - |
+| **Infra - release**          | - | -\-\- | -ww   | -w-  | -\-\- | -\- | r |
+| **Build infra**              | - | -\-\- | -a-   | -\-\-| -\-\- | -\- | - |
+| **Website Infra**            | - | -\-\- | -a-   | a-\- | -\-\- | -\- | - |
+| **Youtube**                  | - | -\-w  | -\-\- | a-\- | -\-\- | -\- | - |
+| **Zoom**                     | r | rrw   | -\-\- | a-\- | -\-\- | -\- | - |
+| **1Password**                | - | -\-r  | -\-\- | a-\- | -\-\- | -\- | - |
+| **Social media accounts**    | - | -\-\- | -\-\- | -\-\-| -\-\- | -\- | - |
+| **Email** (nodejs-sec)       | r | rrr   | rrr   | awr  | wrr   | rr  | - |
+| **Email** (io.js aliases)    | r | -\-\- | -a-   | w-\- | -\-\- | -\- | - |
 
 Repos under nodejs which do not include code, are not covered as they cannot lead to the threats listed.
 pkgjs.org is excluded as it does not include code/repos that make it into Node.js binaries
@@ -86,6 +88,7 @@ or inderictly (builds process/testing)
 | **nodejs/deps¹**             | Write | If you have write access to Node.js dependencies you can hide malicious code and publish a new version, eventually the automation will create a PR to sync to nodejs/core and this code might pass without supervision |
 | **nodejs/build** (GH)        | -     | N\A |
 | **nodejs/node-core-utils**   | Write | User must have _Write_ access to nodejs/node to open a attack vector|
+| **nodejs/nodejs.org**        | -     | N\A |
 | **npm account**              | Write | Because you can change the node-core-utils/branch-diff code to inject malicious code |
 | **Jenkins CI - test**        | -     | N\A |
 | **Jenkins CI - release**     | -     | N\A |
@@ -99,3 +102,90 @@ or inderictly (builds process/testing)
 | **Social media accounts**    | -     | N\A |
 | **Email** (nodejs-sec)       | -     | N\A |
 | **Email** (io.js aliases)    | -     | N\A |
+
+### Malicious release binary generation in Node.js release/build processes
+
+In this scenario we assume that a malicious actor will include a malicious code
+(malware, malicious dependencies, polluted binaries...) in the release binaries
+available through the Nodejs.org downloads.
+
+**Vectors:**
+
+* Use priviledge access to GitHub in order to add/modify/pollute the Git History
+for the tooling/build repositories (like ansible scripts, etc..)
+* Pollute directly machines that are part of the CI/release inventory used by
+Jenkins/GH Actions
+* Manipulate the CI/release pipelines in Jenkins or GH Actions (add/modify custom
+scripts, pollute plugins, overwrite configuration...)  
+* Swapping out release binaries where they are hosted on nodejs.org web server
+* Modifying the cloudflare configuration to change were binaries are served from
+* Modifying the vercel website configation
+
+**Related CWEs:**
+
+* [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html)
+* [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)
+* [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html)
+* [CWE-353: Missing Support for Integrity Check](https://cwe.mitre.org/data/definitions/353.html)
+* [CWE-506: Embedded Malicious Code](https://cwe.mitre.org/data/definitions/506.html)
+
+| Resource | Minimum Access    | Description |
+|-         |-                  |-            |
+| **HackerOne**                | - | N\A |
+| **MITRE**                    | - | N\A |
+| **private/node-private**     | - | N\A |
+| **private/security-release** | - | N\A |
+| **private/secrets**          | r | read access to secrets grants access to key resources |
+| **nodejs/node**              | w | N\A |
+| **nodejs/deps¹**             | - | N\A |
+| **nodejs/build** (GH)        | w | write access would allow key scripts, infra to be modified |
+| **nodejs/docker-node**       | - | - |
+| **nodejs/node-core-utils**   | w | N\A |
+| **nodejs/nodejs.org**        | - | N\A |
+| **npm account**              | - | N\A |
+| **Jenkins CI - test**        | - | N\A |
+| **Jenkins CI - release**     | w | access to jenkins used for build would allow swapping published binaries |
+| **Infra - test**             | - | N/A |
+| **Infra - release**          | w | access to machines used for build would allow swapping published binaries |
+| **Build infra**              | w | access to machines used for build would allow swapping published binaries |
+| **Website Infra**            | w | access to machines used for build would allow swapping published binaries |
+| **Youtube**                  | - | N\A |
+| **Zoom**                     | - | N\A |
+| **1Password**                | r | read access to secrets grants access to key resources |
+| **Social media accounts**    | - | N\A |
+| **Email** (nodejs-sec)       | - | N\A |
+| **Email** (io.js aliases)    | - | N\A |
+
+Notes:
+
+* Orka infra is shared, so any orka admin can modify test/relese machines
+
+### Malicious docker images
+
+| Resource | Minimum Access | Description |
+|-|-|-|
+| **HackerOne**                | - | N\A |
+| **MITRE**                    | - | N\A |
+| **private/node-private**     | - | N\A |
+| **private/security-release** | - | N\A |
+| **private/secrets**          | r | read access to secrets grants access to key resources |
+| **nodejs/node**              | - | N\A |
+| **nodejs/deps¹**             | - | N\A |
+| **nodejs/build** (GH)        | - | N\A |
+| **nodejs/unofficial-builds** (GH)        | w | write access would allow key scripts, infra to be modified |
+| **nodejs/docker-node**       | w | modification of Docker files can modify what node.js binaries are in the images 
+| **nodejs/node-core-utils**   | - | N\A |
+| **nodejs/nodejs.org**        | - | N\A |
+| **npm account**              | - | N\A |
+| **Jenkins CI - test**        | - | N\A |
+| **Jenkins CI - release**     | - | N\A |
+| **Infra - test**             | - | N/A |
+| **Infra - release**          | - | N\A |
+| **Build infra**              | w | access to machine used for unofficial-builds as server |
+| **Website Infra**            | - | N\A |
+| **Youtube**                  | - | N\A |
+| **Zoom**                     | - | N\A |
+| **1Password**                | r | read access to secrets grants access to key resources |
+| **Social media accounts**    | - | N\A |
+| **Email** (nodejs-sec)       | - | N\A |
+| **Email** (io.js aliases)    | - | N\A |

meetings/2025-01-30.md

@@ -0,0 +1,52 @@
+# Node.js  Security team Meeting 2025-01-30
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=iEgHs7V6BvU
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1431
+* **Minutes Google Doc**: https://docs.google.com/document/d/10qmMTdpDWZDf04mNObBWQTKK_xlZa2zify7x6CiVsO4/edit?tab=t.0
+
+## Present
+
+* Rafael Gonzaga: @RafaelGSS
+* Michael Dawson: @mhdawson
+* Thomas GENTILHOMME: @fraxken
+* Robert W
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new this week
+
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  * No update this week
+
+### nodejs/node
+
+* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364)
+  * Remaining feedback has been addressed on the PR
+  * Discussion on how to move forward.
+
+### nodejs/security-wg
+
+* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
+  * Rafael will sync the progress from this meeting with Github once other PRs gets landed
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael, next step is looking at updaters for amaro and cjs-module-lexer
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * Excellent progress since Dec 24. A blog post is being created to share with OpenJS Foundation (part of OpenSSF)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

vuln/core/139.json

@@ -5,6 +5,7 @@
   "vulnerable": "18.x || 20.x || 21.x",
   "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
   "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+  "description": "Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash",
   "overview": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.",
   "affectedEnvironments": [
     "all"

vuln/core/140.json

@@ -5,6 +5,7 @@
   "vulnerable": "18.x || 20.x || 21.x",
   "patched": "^18.20.1 || ^20.12.1 || ^21.7.2",
   "ref": "https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/",
+  "description": "HTTP Request Smuggling via Content Length Obfuscation",
   "overview": "The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.",
   "affectedEnvironments": [
     "all"

vuln/core/142.json

@@ -5,6 +5,7 @@
   "vulnerable": "20.x || 22.x",
   "patched": "^20.15.1 || ^22.4.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
+  "description": "fs.fchown/fchmod bypasses permission model",
   "overview": "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.\n\nNode.js Permission Model do not operate on file descriptors, however, operations such as `fs.fchown` or `fs.fchmod` can use a \"read-only\" file descriptor to change the owner and permissions of a file.\n\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\n\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.",
   "affectedEnvironments": [
     "all"

vuln/core/143.json

@@ -5,6 +5,7 @@
   "vulnerable": "18.x || 20.x || 22.x",
   "patched": "^18.20.4 || ^20.15.1 || ^22.4.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
+  "description": "Bypass incomplete fix of CVE-2024-27980",
   "overview": "The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via `child_process.spawn` / `child_process.spawnSync`. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.\n\nThis vulnerability affects all users of `child_process.spawn` and `child_process.spawnSync` on Windows in all active release lines.",
   "affectedEnvironments": [
     "win32"

vuln/core/144.json

@@ -5,6 +5,7 @@
   "vulnerable": "20.x || 22.x",
   "patched": "^20.15.1 || ^22.4.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
+  "description": "fs.lstat bypasses permission model",
   "overview": "A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.\nThis flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.lstat` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.\n\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22.\n\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.",
   "affectedEnvironments": [
     "all"

vuln/core/145.json

@@ -5,6 +5,7 @@
   "vulnerable": "18.x || 20.x || 22.x",
   "patched": "^18.20.4 || ^20.15.1 || ^22.4.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
+  "description": "Bypass network import restriction via data URL",
   "overview": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\n\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\n\nExploiting this flaw can violate network import security, posing a risk to developers and servers.",
   "affectedEnvironments": [
     "all"

vuln/core/146.json

@@ -5,9 +5,10 @@
   "vulnerable": "20.x || 22.x",
   "patched": "^20.15.1 || ^22.4.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/july-2024-security-releases/",
+  "description": "Permission model improperly processes UNC paths",
   "overview": "The Permission Model assumes that any path starting with two backslashes \\\\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.\n\nThis vulnerability affects Windows users of the Node.js Permission Model in version v20.x and v22.x",
   "affectedEnvironments": [
     "all"
   ],
-  "severity": "unknown"
+  "severity": "low"
 }

vuln/core/147.json

@@ -5,7 +5,8 @@
   "vulnerable": "20.x || 22.x || 23.x",
   "patched": "^20.18.2 || ^22.13.1 || ^23.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/january-2025-security-releases/",
-  "overview": "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \n\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23",
+  "description": "Worker permission bypass via InternalWorker leak in diagnostics",
+  "overview": "With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. \n\nThis vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.",
   "affectedEnvironments": [
     "all"
   ],