doc: add constraints for mem leak to threat model #58917
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -109,6 +109,17 @@ does not trust is considered a vulnerability: | |
| the correct use of Node.js APIs. | ||
| * The unavailability of the runtime, including the unbounded degradation of its | ||
| performance. | ||
| * Memory leaks qualify as vulnerabilities when all of the following criteria are met: | ||
| * The API is being correctly used | ||
| * The API doesn't have a warning against its usage in a production environment | ||
| * The API is public and documented | ||
| * The API is on stable (2.0) status | ||
| * The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing) | ||
|
There was a problem hiding this comment. I feel that we still need more restrictions to avoid flagging all the existing memory leaks as vulnerabilities just because they weren't reported as vulnerabilities (for example, #54614 probably satisfies all the criteria and it can be used in server handlers). As long as a buggy API is used in the wrong place, it can cause a DoS fast, and it doesn't have to be a memory leak, so it seems to be a very slippery slope. There was a problem hiding this comment. Would b3b9bbc satisfies that? |
||
| * The memory leak is directly exploitable by an untrusted source without requiring application mistakes | ||
| * The leak cannot be reasonably mitigated through standard operational practices (like process recycling) | ||
| * The leak occurs deterministically under normal usage patterns rather than edge cases | ||
| * The leak occurs at a rate that would cause practical resource exhaustion within X requests or Y hours under | ||
| typical workloads | ||
|
|
||
| If Node.js loads configuration files or runs code by default (without a | ||
| specific request from the user), and this is not documented, it is considered a | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.