From 3c9de5f4ddf489e07c68254472ca1442b5f5d75d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 8 Aug 2024 16:27:37 +0200 Subject: [PATCH] doc: add note on weakness of permission model Malicious JavaScript code can bypass the permission model. Hence, it does not fulfill the requirements of a security mechanism against malicious code. --- doc/api/permissions.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/api/permissions.md b/doc/api/permissions.md index 21e174e9e0ae51..23a31a1df891d0 100644 --- a/doc/api/permissions.md +++ b/doc/api/permissions.md @@ -9,6 +9,8 @@ with those resources. The resource can be entirely allowed or denied, or actions related to it can be controlled. For example, file system reads can be allowed while denying writes. + This feature does not protect against malicious code. According to the Node.js + [Security Policy][], Node.js trusts any code it is asked to run. If you find a potential security vulnerability, please refer to our [Security Policy][]. @@ -150,6 +152,12 @@ There are constraints you need to know before using this system: #### Limitations and Known Issues +* The permission model implements a "seat belt" approach, which prevents trusted + code from unintentionally changing files or using resources that access has + not explicitly been granted to. It does not provide security guarantees in the + presence of malicious code. Malicious code can bypass the permission model and + execute arbitrary code without the restrictions imposed by the permission + model. * Symbolic links will be followed even to locations outside of the set of paths that access has been granted to. Relative symbolic links may allow access to arbitrary files and directories. When starting applications with the
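Review bot: In the first hunk (the introductory paragraph added after "file system reads can be allowed while denying writes."), the sentence "Node.js trusts any code it is asked to run" should spell out that this includes the application's dependencies, since the most common reason someone reaches for the permission model is to contain a third-party npm package; as written, a reader can still conclude that only code they wrote themselves is "trusted" and that dependencies are confined. Suggest something like "Node.js trusts any code it is asked to run, including the code of its dependencies" so the scope of "malicious code" in this paragraph matches the bullet in the Limitations section. The `[Security Policy][]` reference is already defined for the paragraph that follows, so no new link definition is needed.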
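Review bot: In the second hunk (the new "seat belt" bullet at the top of "Limitations and Known Issues"), the first sentence is hard to parse: "using resources that access has not explicitly been granted to" reads better as "using resources to which access has not been explicitly granted". The last sentence also repeats "the permission model" three times and says the same thing twice ("bypass the permission model" and "without the restrictions imposed by the permission model"); suggest collapsing it to a single statement, for example "Malicious code can bypass the permission model and execute arbitrary code without its restrictions." Placing this bullet first in the list is the right call, since every other limitation below it (symlinks etc.) is a special case of the same caveat.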