October saw steady improvements to Node.js security in multiple areas, assisted by the Open Source Security Foundation (OpenSSF) grant to the OpenJS Foundation.
Key progress included:
- A new document for Node.js Security Best Practices.
- The Node.js Threat Model is coming soon.
- Timely releases of Node.js updates to incorporate OpenSSL security release 3.0.7.
- Automatic dependency updates for the vulnerability assessment.
Read more below about this month’s updates.
Node.js Security Best Practices
Node.js Security Best Practices extends the current threat model and provides guidelines on how to secure a Node.js application. The document explains the attacks and threats mentioned in the Threat Model, along with best practices for managing node module dependencies.
Node.js Threat Model
The Node.js Threat Model document was created with the goal of providing context on what will or will not be considered a vulnerability in Node.js. The document targets security researchers and is intended to serve as a guide for application security operations in support of development teams building on top of the Node.js platform.
During the last weeks of October the Node.js team worked on the next security release, which was made available on November 4. More details are available here. The updates are available for the active release lines:
- Node.js v19
- Node.js v18
- Node.js v16
- Node.js v14
We have recently improved our testing of release binaries. In general, when a new release is created, we generate a binary, test it, open it in a console and make sure it works. This process has been improved with a Python script that runs the full Node.js test suite against the release binary, automating basic testing for Node.js release binaries.
nodejs-dependency-vuln-assessments contains a daily workflow that scans Node.js dependencies for public vulnerabilities. Whenever a vulnerability is found, an issue is created and assessed. Recently CVE-2022-37434 was flagged. Since Node.js doesn’t use the inflateGetHeader() method, it’s not affected. The issue was patched in the zlib security release of Oct 13, 2022, and even though it does not affect Node.js, we are still working on an update. See #45387 for more info.
We recently merged OpenSSL 3.0.7 into all versions of Node.js that use OpenSSL 3 (v18, v19).
The Node.js Security team did an assessment of both OpenSSL and zlib vulnerabilities: https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment/
Automatic Dependency Updates
For the Vulnerability Assessment, there was a smaller recent improvement to updating dependencies. Updating a dependency always involved a manual copy-paste step in which the new version was copied into the Node.js repo. This manual step is hard to review, since it often consists of thousands of lines of code from an external dependency. This is now in the process of being automated for a subset of Node’s dependencies: an automated script runs weekly and checks for new versions of dependencies. If it finds any, it opens a pull request replacing the old version with the newer one.
Security Working Group Meetings
The Security Working Group held two meetings in October. Minutes for Oct 13 and Oct 27 are available. They are open meetings, and we strongly encourage you to join and share your thoughts.
Recent topics include Best Practices, Vulnerability Assessment, the Threat Model and the Permissions System, among many others.