Node.js Security

Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js

Categories: Blog, Node.js, Node.js Security

September brought good progress on Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. The grant helped the team cover an extra 4 reports from HackerOne, supported a security release across 3 release lines, and funded important changes to the security process. We also attended the OpenJS Collab Summit and gathered feedback directly from Node.js members.

6 Fixed Vulnerabilities and 1 Security Release

There were 2 Security Working Group and 2 Release Working Group meetings in September. Much of the month's security work went into 4 CVEs reported through HackerOne, which drove 4 Node.js releases. The resulting security release was published in the following 3 release lines:

Node.js v18.9.1

Node.js v16.17.1 (LTS)

Node.js v14.20.1 (LTS)

Improving Security Processes

The Node.js team proposed and implemented 2 major changes to the way CVEs are fixed. Because a patch can itself introduce a new vulnerability, we looked for ways to close the loop with the original reporter. The first change is that we share the diff of the fix back to the reporter, so they can see exactly what was changed. The second is that whenever a security report is fixed, a binary containing the fix is built and sent to the reporter: we fix the problem, compile it locally, test it, create a binary, and (when applicable) deliver it to the original reporter through the HackerOne thread, so they can re-test their report against the fixed build before release.

OpenJS Collab Summit (Oct 1-2, 2022, Dublin, Ireland)

The Collaborators Summit brings maintainers and contributors together to discuss Node.js. Committees and working groups come together twice per year to make important decisions. In Dublin, there was lots of engagement, and we were able to hear some concerns about including security more explicitly in planning for the future. We were very pleased with the interactions.

Pictures from Collab Summit, thanks to Tony Gorez

Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements

Categories: Blog, Node.js, Node.js Security

August was a big month for improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. Work continued on the Node.js Threat Model, the new Dependency Analysis workflow began producing automatic vulnerability notifications, and the Node.js Working Groups will present on these topics and more at the upcoming Collaborator Summit in early October.

Threat Model

Threat modeling is a structured approach of identifying and prioritizing potential threats to a system, and determining the value that potential mitigations would have in reducing or neutralizing those threats. – OWASP

Work on the Node.js Threat Model continues, with the goal of listing all the current threats and their mitigations for each environment in which Node.js is used. The Threat Model document will provide context on what will or will not be considered a vulnerability in Node.js, and will serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

Dependency Analysis

A daily workflow now scans Node.js dependencies for known vulnerabilities. Whenever one is found, an issue is opened automatically and assessed by the team. Node.js therefore receives dependency vulnerability reports within a day of their publication, instead of waiting for someone to report them manually.

Check out the repo for the status of CVEs reported against Node.js dependencies.

Meeting Face to Face

Rafael Gonzaga from the Node.js Security Working Group will be presenting at the OpenJS Foundation Collaborator Summit, held in Dublin, Ireland, Oct 1-2, 2022. He will be presenting on what’s next for Node.js in Diagnostics and Security. Come talk about Node.js security with us!

Node.js Security Progress Report – Permission System Gets Its First Pull Request

Categories: Blog, Node.js, Node.js Security

July was a busy month for improving Node.js security, with reinforcements from the Open Source Security Foundation (OpenSSF) grant to OpenJS! It brought the first pull request for the Permission System, a Node.js Security Release, a new OpenSSL Security Release that meant updates to Node.js v18, v16, and v14, and the triage and fixing of 5 HackerOne reports.

Permission System

Node.js is building a security Permission System to prevent third-party libraries from accessing machine resources without user consent. The Permission System got its first pull request in July! The pull request is 1,200 lines and includes the foundation of the Permission Model. There has been good feedback from the community, and the pull request has been shared publicly. This is the starting point; plenty of review and discussion is expected.

OpenSSL Update

OpenSSL released a major security update on July 5. Node.js responded with our OpenSSL Security Release Assessment, which concluded that the OpenSSL release affects Node.js v18, v16, and v14, with one moderate vulnerability on 32-bit x86 Windows. Our Node.js Security Releases followed on July 7 and covered 7 fixes (a typical security release carries 2-3).

It is best practice to ship a revert flag alongside a security fix that may be a breaking change, so that installations which need a temporary workaround can restore the previous behaviour while they adapt. For v16 and v14, we shipped the fixes without the revert flag (--openssl-shared-config), but we are working to make it available in the next Node.js release.

Node.js tracks OpenSSL releases closely. The document Maintaining OpenSSL shows how we check requirements, extract new OpenSSL sources, and commit them.

Triaging and Fixing

Node.js analyzes and resolves reports on HackerOne: the team triages incoming Node.js reports and fixes the confirmed security vulnerabilities. HackerOne access is required to view the reports, and for security reasons a report is not disclosed until a CVE has been assigned.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar and find issues for meetings in this repo: nodejs/security-wg.

Progress Report – Strengthening Node.js Security

Categories: Blog, Node.js, Node.js Security, Project Update

In April this year, the OpenJS Foundation announced the Open Source Security Foundation (OpenSSF) had selected Node.js as their initial project to help improve supply chain security. As part of OpenSSF’s Alpha-Omega Project, $300k was committed to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022. The focus is on supporting better open source security standards and practices. The Alpha-Omega repo for Node.js is here.

Since the announcement, OpenJS has quickly onboarded new OpenSSF security support resources who hit the ground running. Better plans and processes have already started to be built out and are already having an impact.

For example, security processes are being improved through a Security Model that is being discussed in the Security Working Group. The structure has been defined, and the group is now documenting the assumptions the Node.js runtime makes.

The community is creating a new Threat Model that provides context on what will and will not be considered a vulnerability in Node.js, which will particularly help inform security researchers. It includes all the current threats and their mitigation for each environment using Node.js. Note: This may change over releases.

The community also added vulnerability checking for Node.js dependencies. This is a new script that queries vulnerability databases in order to find if any of Node.js’ dependencies are vulnerable. It runs as part of the continuous integration workflow, and if any new vulnerabilities are found, it automatically opens an issue tagging Node.js’ maintainers and Security Working Group members.
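The check described in this paragraph and in the August "Dependency Analysis" section above is, in outline, a version-range match between the versions of the libraries bundled in a Node.js build and the advisories published for them. The following is an added example written for this page, not the Node.js project's own tooling: it models that match offline in JavaScript against constructed data. The dependency version table and the OSV-style advisory records (including their ids and version ranges) are invented for the example and describe no real vulnerability, and the mention handle in the generated issue is a placeholder. It also skips advisories the team has already assessed, so that a daily run does not file the same issue twice.

```javascript
'use strict';
// Added example (not code from the Node.js project): an offline model of the
// daily dependency check. The real workflow queries vulnerability databases;
// here every input is constructed sample data so the logic runs with no network.

// Bundled dependency versions. In a real run these come from process.versions
// of the build under test; these values are constructed for the example.
const DEPENDENCY_VERSIONS = {
  openssl: '3.0.5+quic',
  zlib: '1.2.11',
  nghttp2: '1.47.0',
  'c-ares': '1.18.1',
};

// Constructed advisories in the OSV record shape (id, affected[].package,
// affected[].ranges[].events). Ids and ranges are invented for this example
// and do not describe real vulnerabilities.
const ADVISORIES = [
  { id: 'EXAMPLE-0001', summary: 'constructed zlib advisory',
    affected: [{ package: { name: 'zlib' },
      ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }, { fixed: '1.2.12' }] }] }] },
  { id: 'EXAMPLE-0002', summary: 'constructed nghttp2 advisory, already fixed in this build',
    affected: [{ package: { name: 'nghttp2' },
      ranges: [{ type: 'SEMVER', events: [{ introduced: '1.40.0' }, { fixed: '1.45.0' }] }] }] },
  { id: 'EXAMPLE-0003', summary: 'constructed openssl advisory',
    affected: [{ package: { name: 'openssl' },
      ranges: [{ type: 'ECOSYSTEM', events: [{ introduced: '3.0.0' }, { fixed: '3.0.6' }] }] }] },
  { id: 'EXAMPLE-0004', summary: 'constructed advisory for a library Node.js does not bundle',
    affected: [{ package: { name: 'not-a-node-dependency' },
      ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }] }] }] },
];

// Parse "3.0.5+quic" or "1.1.1q" into comparable segments. Build metadata after
// "+" is ignored and a trailing letter (OpenSSL 1.1.x style) sorts after the bare
// number. This is a simplification of full semver, enough for the version
// strings Node.js reports for its bundled dependencies.
function parseVersion(version) {
  const core = String(version).split('+')[0];
  return core.split('.').map((segment) => {
    const m = /^(\d*)([A-Za-z]*)$/.exec(segment);
    if (m === null) throw new Error(`unparseable version segment: ${segment}`);
    return { num: m[1] === '' ? 0 : Number(m[1]), tag: m[2] };
  });
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || { num: 0, tag: '' };
    const y = pb[i] || { num: 0, tag: '' };
    if (x.num !== y.num) return x.num < y.num ? -1 : 1;
    if (x.tag !== y.tag) return x.tag < y.tag ? -1 : 1;
  }
  return 0;
}

// OSV range evaluation: events are ordered; an "introduced" at or below the
// version marks it vulnerable, a later "fixed" at or below the version clears it.
function isAffected(version, range) {
  let vulnerable = false;
  for (const event of range.events) {
    if (event.introduced !== undefined && compareVersions(version, event.introduced) >= 0) vulnerable = true;
    if (event.fixed !== undefined && compareVersions(version, event.fixed) >= 0) vulnerable = false;
  }
  return vulnerable;
}

// Cross the dependency table with the advisories. alreadyAssessed holds ids the
// team has already triaged, so a daily run does not open duplicate issues.
function findVulnerableDependencies(versions, advisories, alreadyAssessed = new Set()) {
  const findings = [];
  for (const advisory of advisories) {
    if (alreadyAssessed.has(advisory.id)) continue;
    for (const entry of advisory.affected) {
      const name = entry.package.name;
      const installed = versions[name];
      if (typeof installed !== 'string') continue; // not a bundled dependency
      if (entry.ranges.some((range) => isAffected(installed, range))) {
        findings.push({ id: advisory.id, dependency: name, version: installed, summary: advisory.summary });
      }
    }
  }
  return findings.sort((a, b) => a.id.localeCompare(b.id));
}

// Build the issue the workflow would file. The mention handle is a placeholder
// (assumption), not the project's real notification target.
function formatIssue(findings, mention = '@security-team-placeholder') {
  if (findings.length === 0) return null;
  const deps = [...new Set(findings.map((f) => f.dependency))].join(', ');
  const body = [`${mention} new advisories match bundled dependencies:`, '']
    .concat(findings.map((f) => `- ${f.id}: ${f.dependency} ${f.version} (${f.summary})`))
    .join('\n');
  return { title: `Vulnerabilities reported against Node.js dependencies: ${deps}`, body };
}

if (typeof require !== 'undefined' && require.main === module) {
  const issue = formatIssue(findVulnerableDependencies(DEPENDENCY_VERSIONS, ADVISORIES));
  console.log(issue === null ? 'no new findings' : `${issue.title}\n\n${issue.body}`);
}
```

Run it with node. In a real workflow the version table would be read from process.versions of the build under test, the advisory list fetched from a database such as OSV or the NVD, and the returned title and body posted through the repository's issue API; the set of already-assessed ids is what keeps a cron job from re-filing the same finding every day.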

Additionally, the Node.js team fixed the first OpenSSF Project Omega CVE as part of the Node.js July 7, 2022, security release.

Organization

Day-to-day security is run by the triage team, which works through HackerOne reports to fix issues and handles the ongoing OpenSSL reports and updates. Turnaround time on fixes has been tightened from about one week to under two days.

The Security Working Group, which has a broader mandate to look at the future of Node.js security, has been reactivated, meeting every two weeks.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar.