Node.js Security

Node.js Security Progress Report –  Permission Model Merged

By Blog, Node.js, Node.js Security

February included several major steps forward in improving Node.js security. We merged the Permission Model, which we have built over the past 8 months. It will make Node.js more secure by allowing the user to restrict access to machine resources, such as the file system. More information will be provided with the Node.js v19.9.0 release. We also merged the security support role, fixed and triaged issues, and engaged with multiple working groups, which means more resources and clearer processes for making Node.js secure.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support.

Permission Model landed in the main branch

The Permission Model was merged into the main branch, the result of over 8 months of work. The final month leading up to the merge required a lot of time, effort and discussion. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model: https://github.com/nodejs/security-wg/issues/898

The Security Support Role 2023 document was also merged last month. It sets out 6 focus areas that describe the goals of this work:

  • Fix and Triage Security Issues
  • Support for Security Releases
  • Node.js Security WG Initiatives
  • Node.js Security Sustainability
  • Improving Security Processes
  • Ecosystem Adoption

More details can be found here: https://github.com/ossf/alpha-omega/blob/main/alpha/engagements/2023/node.js/security-support-role.md 

Node.js database automatic updates

We’ve improved the Node.js vulnerability database so that it now updates automatically. When there is a new CVE or vulnerability, the database is updated and anyone has access to that information.

Working group progress

We participated directly in working groups, 9 sessions in total. There was excellent attendance at the February Security Working Group meeting. This month, Microsoft joined us and expressed interest in helping with policy around Single Executable Applications.


Be sure to join us for this month’s meetings as well: https://github.com/nodejs/security-wg.

Node.js Security Progress Report – OpenSSF Grant Renewed for 2023, New Ecosystem Focus


January was busy with HackerOne reports, vulnerability fixes for OpenSSL and Node.js and security updates due to the upcoming Node.js security release.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security. The grant has been renewed at just under $300,000 for the calendar year. OpenJS Foundation works with NearForm to fulfill the grant goals. 

With so much accomplished last year, we look forward to further improving Node.js security in 2023. Thank you to OpenSSF for their continued support.

Fixing and Triaging 21 Issues

There were 5 new HackerOne reports in January along with 8 vulnerabilities to fix from OpenSSL, and 8 for Node.js due to the upcoming security release. The improved Threat Model is helping to assess priority.

New Node.js CVE Database

Security Working Group initiatives have been making progress. CVEs are now stored in a database that is accessible by all. CVEs had been stored in the Security Working Group repo, but the repo was not perfectly up-to-date. The Node.js database fixes this issue and can be used by vendors.

Google Open Source Security Team (GOSST) Participation

The Google Open Source Security Team (GOSST) participated in the January 19, 2023, Security Working Group meeting. GOSST contributes to OpenSSF Scorecards, and they brought a lot of helpful discussion topics. OpenSSF Scorecards are a cross-industry initiative to improve open source software security, with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. 

Expanded Ecosystem Focus

Ecosystem adoption is a key component to Node.js security. We are finalizing the Permission Model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

Most recently, we reviewed and fixed a bug for Fastify that will be released with the Node.js security release. We also did fixes for Undici, an HTTP/1.1 client. 

Early Work on is-my-node-vulnerable

We created a package called is-my-node-vulnerable to make it easy to check your own Node.js installation. It helps ensure the security of your Node.js installation by checking for known vulnerabilities: it compares the version of Node.js you have installed (process.version) against the Node.js Security Database and alerts you if a vulnerability is found. So far, we are getting good feedback from the community. We are currently thinking about how to present it to vendors and how to get more involvement.
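The check described above, as an added example written for this page rather than the code of the is-my-node-vulnerable package: a version string such as process.version is tested against database entries that carry a node-semver style "vulnerable" range, which is how the Security WG core index expresses affected versions. The SAMPLE_DB contents below are constructed (the ids, CVE numbers and ranges are illustrative, not real Node.js advisories), and the range evaluator implements only the comparator subset that the sample uses.

```javascript
// Added example (not the is-my-node-vulnerable package itself): check a
// Node.js version string against a vulnerability database whose entries
// carry a "vulnerable" range, as the Node.js Security WG core index does.
// SAMPLE_DB is CONSTRUCTED data: the ids, CVE numbers and ranges are
// illustrative and do not describe real Node.js vulnerabilities.

const SAMPLE_DB = {
  '1': {
    cve: ['CVE-0000-0001'],
    vulnerable: '<16.20.1 || >=18.0.0 <18.16.1',
    patched: '16.20.1 || 18.16.1',
    overview: 'constructed entry A',
  },
  '2': {
    cve: ['CVE-0000-0002'],
    vulnerable: '>=18.0.0 <18.15.0',
    patched: '18.15.0',
    overview: 'constructed entry B',
  },
};

// "v18.14.2" -> [18, 14, 2]; a leading "v" and any suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, component-wise comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluates the subset of node-semver range syntax the sample uses:
// comparator sets joined by "||", comparators inside a set ANDed.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).filter(Boolean).every((comp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
      const c = compareVersions(v, parseVersion(m[2]));
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

// Returns every database entry whose vulnerable range covers `version`.
function findVulnerabilities(version, db = SAMPLE_DB) {
  return Object.entries(db)
    .filter(([, entry]) => satisfies(version, entry.vulnerable))
    .map(([id, entry]) => ({ id, cve: entry.cve, patched: entry.patched }));
}

// Stand-alone use: check the running Node.js via process.version, as the
// real tool does, and print what matched.
if (typeof require !== 'undefined' && require.main === module) {
  const hits = findVulnerabilities(process.version);
  for (const h of hits) {
    console.log(`${process.version} matches entry ${h.id} (${h.cve.join(', ')}); patched in ${h.patched}`);
  }
  if (hits.length === 0) console.log(`${process.version}: no matching entries`);
}
```

A real check would fetch the current index over the network and fail the process (non-zero exit) when findVulnerabilities returns anything, so it can gate a CI job or a container build; the comparison logic is the same.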

Join Us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. https://github.com/nodejs/security-wg 

Node.js Security Progress Report – More Successful December Outcomes


December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had the fixes disclosed, and 2 ecosystem issues were handled with one having a fix approved and one fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component to Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update 

OpenSSL announced a low-severity vulnerability that affects OpenSSL 3.x users, which means Node.js v18+. We evaluated the issue and disclosed our assessment: this vulnerability doesn’t affect Node.js, and the OpenSSL update will be picked up in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!

Node.js Security Progress Report – Collab Summit Highlights Increased Focus On Security for Node.js


There was good progress in September aimed at improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. The grant helped the team cover an extra 4 reports from HackerOne, helped with 3 security releases, and made important new changes to security processes. And, we attended the OpenJS Collab Summit and got more feedback directly from Node.js members.

6 Fixed Vulnerabilities and 1 Security Release

There were 2 Security Working Group and 2 Release Working Group meetings in September. Based on 4 CVEs from HackerOne, there were 4 releases of Node.js in the past month, and much of the focus of our security work was here. There were also 3 security releases of Node.js in the following release lines:

  • Node.js v18.9.1
  • Node.js v16.17.1 (LTS)
  • Node.js v14.20.1 (LTS)

Improving Security Processes

The Node.js team proposed and implemented 2 major changes in the mechanism for fixing CVEs. Since it’s possible that patches can create a new vulnerability, we looked for ways to better communicate back to the original reporter and close the loop. The first change is that we share the diff back to the reporter, as a visual confirmation of the fix. The second change is that whenever a security report is fixed, the binary is built and sent to the reporter: we fix the problem, compile it locally, test it, create a binary, and send it (when applicable) to the original reporter through the HackerOne thread.

OpenJS Collab Summit (Oct 1-2, 2022, Dublin, Ireland)

The Collaborators Summit brings maintainers and contributors together to discuss Node.js. Committees and working groups come together twice per year to make important decisions. In Dublin, there was lots of engagement, and we were able to hear some concerns about including security more explicitly in planning for the future. We were very pleased with the interactions.

Pictures from Collab Summit, thanks to Tony Gorez

Node.js Security Progress Report – Threat Model and Dependency Analysis Improvements


August was a big month for improving Node.js security, assisted by the Open Source Security Foundation (OpenSSF) grant to OpenJS. There was work on the Node.js Threat Model, Dependency Analysis that created new automatic notifications, and there will be Node.js Working Group presentations on these topics and more at the upcoming Collaborator Summit in early October.

Threat Model

Threat modeling is a structured approach of identifying and prioritizing potential threats to a system, and determining the value that potential mitigations would have in reducing or neutralizing those threats. – OWASP

Work on the Node.js Threat Model continues with the goal of listing all the current threats and their mitigation for each environment using Node.js. The Threat Model document will provide context on what will or will not be considered a vulnerability in Node.js, and will serve as a guide for application security operations in support of development teams building on top of the Node.js platform.

Dependency Analysis

A daily workflow has been created to scan Node.js dependencies and look for vulnerabilities. Whenever a vulnerability is found, an issue is created and assessed. Node.js now gets vulnerability reports about dependencies once per day as soon as vulnerabilities are identified, instead of waiting for manual reporting. 

Check out the repo for the status of CVEs reported against Node.js dependencies.

Meeting Face to Face

Rafael Gonzaga from the Node.js Security Working Group will be presenting at the OpenJS Foundation Collaborator Summit, held in Dublin, Ireland, Oct 1-2, 2022. He will be presenting on what’s next for Node.js in Diagnostics and Security. Come talk about Node.js security with us!

Node.js Security Progress Report – Permission System Gets Its First Pull Request


July was a busy month for improving Node.js security, with reinforcements from the Open Source Security Foundation (OpenSSF) grant to OpenJS! There was the first pull request for the Permission System, a Node.js Security Release, and a new OpenSSL Security Release which meant updates to Node.js v18, v16, and v14, and triaging and fixing HackerOne reports (5 total).

Permission System

Node.js is building a security Permission System to prevent third-party libraries from accessing machine resources without user consent. The Permission System got its first pull request in July! The pull request is 1,200 lines and includes the foundation of the Permission Model. There has been good feedback from the community, and the pull request has been shared publicly. This is the starting point; plenty of review and discussion is expected.

OpenSSL Update

OpenSSL released a major security update on July 5. Node.js responded with our OpenSSL Security Release Assessment, which stated that the OpenSSL release affects Node.js v18, v16, and v14, with one moderate vulnerability on Windows 32-Bit x86. Our Node.js Security Releases were made available on July 7, covering 7 fixes. (A normal update level is 2-3 fixes.) 

It is best practice to have a revert flag for security updates that can include breaking changes, for installations that need a temporary workaround. For v16 and v14, we had implemented the fixes without the revert flag (--openssl-shared-config) but are working to make it available in the next Node.js release.

Node.js tracks OpenSSL releases closely. The document Maintaining OpenSSL shows how we check requirements, extract new OpenSSL sources, and commit them.

Triaging and Fixing

Node.js analyzes and solves reports on HackerOne. The team triages Node.js issues and fixes security vulnerabilities. HackerOne access is required. For security reasons, reports are not disclosed until getting a CVE designation.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar and find issues for meetings in this repo: nodejs/security-wg.

Progress Report – Strengthening Node.js Security


In April this year, the OpenJS Foundation announced the Open Source Security Foundation (OpenSSF) had selected Node.js as their initial project to help improve supply chain security. As part of OpenSSF’s Alpha-Omega Project, $300k was committed to bolster the Node.js security team and vulnerability remediation efforts through the rest of 2022. The focus is on supporting better open source security standards and practices. The Alpha-Omega repo for Node.js is here.

Since the announcement, OpenJS has quickly onboarded new OpenSSF security support resources who hit the ground running. Better plans and processes have already started to be built out and are already having an impact.

For example, security processes are being improved through a Security Model that is being discussed in the Security Working Group. The structure has been defined and they are currently working to document assumptions from the Node.js runtime. 

The community is creating a new Threat Model that provides context on what will and will not be considered a vulnerability in Node.js, which will particularly help inform security researchers. It includes all the current threats and their mitigation for each environment using Node.js. Note: This may change over releases.

The community also added vulnerability checking for Node.js dependencies. This is a new script that queries vulnerability databases in order to find if any of Node.js’ dependencies are vulnerable. It runs as part of the continuous integration workflow, and if any new vulnerabilities are found, it automatically opens an issue tagging Node.js’ maintainers and Security Working Group members.
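The dependency check described here and in the Dependency Analysis section above, as an added example that is not the Node.js project's own script: a list of vendored dependencies is matched against advisories expressed as OSV-style event ranges (introduced/fixed boundaries), and the matches are turned into the text a CI job could post as the tracking issue. Both DEPENDENCIES and ADVISORIES are constructed sample data; the advisory ids and version boundaries do not describe real bugs, and the real script would query a live vulnerability database instead of an inline table.

```javascript
// Added example (not the Node.js project's own dependency checker): scan a
// list of vendored dependencies against advisories expressed as OSV-style
// event ranges. DEPENDENCIES and ADVISORIES are CONSTRUCTED sample data;
// the advisory ids and version boundaries do not describe real bugs.

const DEPENDENCIES = [
  { name: 'zlib', version: '1.2.13' },
  { name: 'c-ares', version: '1.18.1' },
  { name: 'libuv', version: '1.44.2' },
];

const ADVISORIES = [
  { id: 'EXAMPLE-0001', package: 'c-ares',
    events: [{ introduced: '0' }, { fixed: '1.19.1' }] },
  { id: 'EXAMPLE-0002', package: 'zlib',
    events: [{ introduced: '1.2.0' }, { fixed: '1.2.12' }] },
  { id: 'EXAMPLE-0003', package: 'libuv',
    events: [{ introduced: '1.44.0' }] },            // no fix published yet
];

// "1.2" -> [1, 2, 0]; "0" -> [0, 0, 0]; a leading "v" is tolerated.
function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('.').map(Number);
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// OSV semantics: walk the events in ascending version order. An
// "introduced" boundary at or below the version turns "affected" on, a
// "fixed" boundary at or below it turns it off; the last boundary that is
// <= version decides. A range with no "fixed" event stays affected.
function isAffected(version, events) {
  const v = parseVersion(version);
  const ordered = events
    .map((ev) => ({ affected: 'introduced' in ev, at: parseVersion(ev.introduced ?? ev.fixed) }))
    .sort((x, y) => compareVersions(x.at, y.at));
  let affected = false;
  for (const ev of ordered) {
    if (compareVersions(v, ev.at) < 0) break;
    affected = ev.affected;
  }
  return affected;
}

// One finding per (dependency, advisory) pair that matches, with the
// smallest fixed version above the installed one when there is one.
function scanDependencies(deps = DEPENDENCIES, advisories = ADVISORIES) {
  const findings = [];
  for (const dep of deps) {
    for (const adv of advisories) {
      if (adv.package !== dep.name || !isAffected(dep.version, adv.events)) continue;
      const installed = parseVersion(dep.version);
      const fixed = adv.events
        .filter((ev) => 'fixed' in ev && compareVersions(parseVersion(ev.fixed), installed) > 0)
        .map((ev) => ev.fixed)
        .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)))[0] ?? null;
      findings.push({ name: dep.name, version: dep.version, id: adv.id, fixed });
    }
  }
  return findings;
}

// Text a CI job could post as the tracking issue; null when nothing matched.
function issueBody(findings) {
  if (findings.length === 0) return null;
  const lines = findings.map((f) =>
    `- ${f.name} ${f.version}: ${f.id}` + (f.fixed ? ` (fixed in ${f.fixed})` : ' (no fix available)'));
  return `Vulnerable dependencies found by the daily scan:\n${lines.join('\n')}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(issueBody(scanDependencies()) ?? 'No vulnerable dependencies found');
}
```

Running the block as-is reports c-ares (a fix exists above the installed version) and libuv (affected with no fix yet), and clears zlib, whose installed version is past the fixed boundary. In a scheduled workflow the non-null issue body is what gets filed, and de-duplicating against issues already open for the same advisory id is the piece a production version has to add.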

Additionally, the Node.js team fixed the first OpenSSF Project Omega CVE as part of the Node.js July 7, 2022, security release.

Organization

Day-to-day security is run through the triage team who look at HackerOne reports to fix issues and handles the ongoing OpenSSL reports and updates. The turnaround time on fixes has been tightened from about one week to under two days. 

The Security Working Group, which has a broader mandate to look at the future of Node.js security, has been reactivated, meeting every two weeks.

Join us!

Node.js is a critical community-led project where we need more people to contribute. If you are interested in lending your security expertise, we would like your participation. Our Security Working Group meets on Thursdays. You can download the calendar info from here: Node.js Project Calendar.