doc: add binary generation threat #1433

Merged
merged 6 commits into from
Feb 5, 2025
85 changes: 85 additions & 0 deletions MAINTAINERS_THREAT_MODEL.md
Expand Up @@ -99,3 +99,88 @@ or inderictly (builds process/testing)
| **Social media accounts** | - | N\A |
| **Email** (nodejs-sec) | - | N\A |
| **Email** (io.js aliases) | - | N\A |

### Malicious release binary generation in Node.js release/build processes

In this scenario we assume that a malicious actor will include a malicious code
(malware, malicious dependencies, polluted binaries...) in the release binaries
available through the Nodejs.org downloads.

**Vectors:**

* Use priviledge access to GitHub in order to add/modify/pollute the Git History
for the tooling/build repositories (like ansible scripts, etc..)
* Pollute directly machines that are part of the CI/release inventory used by
Jenkins/GH Actions
* Manipulate the CI/release pipelines in Jenkins or GH Actions (add/modify custom
scripts, pollute plugins, overwrite configuration...)
* Swapping out release binaries where they are hosted on nodejs.org web server
* Modifying the cloudflare configuration to change were binaries are served from
* Modifying the vercel website configation

**Related CWEs:**

* [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html)
* [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)
* [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html)
* [CWE-353: Missing Support for Integrity Check](https://cwe.mitre.org/data/definitions/353.html)
* [CWE-506: Embedded Malicious Code](https://cwe.mitre.org/data/definitions/506.html)

| Resource | Minimum Access | Description |
|- |- |- |
| **HackerOne** | - | N\A |
| **MITRE** | - | N\A |
| **private/node-private** | - | N\A |
| **private/security-release** | - | N\A |
| **private/secrets** | r | read access to secrets grants access to key resources |
| **nodejs/node** | w | N\A |
| **nodejs/deps¹** | - | N\A |
| **nodejs/build** (GH) | w | write access would allow key scripts, infra to be modified |
| **nodejs/docker-node** | - | - |
| **nodejs/node-core-utils** | w | N\A |
| **npm account** | - | N\A |
| **Jenkins CI - test** | - | N\A |
| **Jenkins CI - release** | w | access to jenkins used for build would allow swapping published binaries |
| **Infra - test** | - | N/A |
| **Infra - release** | w | access to machines used for build would allow swapping published binaries |
| **Build infra** | w | access to machines used for build would allow swapping published binaries |
| **Website Infra** | w | access to machines used for build would allow swapping published binaries |
| **Youtube** | - | N\A |
| **Zoom** | - | N\A |
| **1Password** | r | read access to secrets grants access to key resources |
| **Social media accounts** | - | N\A |
| **Email** (nodejs-sec) | - | N\A |
| **Email** (io.js aliases) | - | N\A |

Notes:

* Orka infra is shared, so any orka admin can modify test/relese machines

### Malicious docker images

| Resource | Minimum Access | Description |
|-|-|-|
| **HackerOne** | - | N\A |
| **MITRE** | - | N\A |
| **private/node-private** | - | N\A |
| **private/security-release** | - | N\A |
| **private/secrets** | r | read access to secrets grants access to key resources |
| **nodejs/node** | - | N\A |
| **nodejs/deps¹** | - | N\A |
| **nodejs/build** (GH) | - | N\A |
| **nodejs/unofficial-builds** (GH) | w | write access would allow key scripts, infra to be modified |
| **nodejs/docker-node** | w | modification of Docker files can modify what node.js binaries are in the images
| **nodejs/node-core-utils** | - | N\A |
| **npm account** | - | N\A |
| **Jenkins CI - test** | - | N\A |
| **Jenkins CI - release** | - | N\A |
| **Infra - test** | - | N/A |
| **Infra - release** | - | N\A |
| **Build infra** | w | access to machine used for unofficial-builds as server |
| **Website Infra** | - | N\A |
| **Youtube** | - | N\A |
| **Zoom** | - | N\A |
| **1Password** | r | read access to secrets grants access to key resources |
| **Social media accounts** | - | N\A |
| **Email** (nodejs-sec) | - | N\A |
| **Email** (io.js aliases) | - | N\A |
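
Review bot: The "### Malicious docker images" section at the end of this hunk consists of a table only, with no scenario description, no **Vectors:** list and no **Related CWEs:** list, so it does not say what threat the access levels are being rated against; please give it the same three-part preamble as the "Malicious release binary generation" section above it. In that same table the `nodejs/docker-node` row is missing its closing `|`, which can break rendering of the rows that follow. In the first table, the **Website Infra** row repeats the build-machine description ("access to machines used for build would allow swapping published binaries"), while the vectors list names the nodejs.org web server, the cloudflare configuration and the vercel configuration as the hosting-side risks; a description specific to where binaries are hosted and served would match the vectors better. Smaller points: spelling in the vectors and notes ("priviledge", "change were", "configation", "relese"), "a malicious code" in the scenario paragraph, and the mix of `N\A`, `N/A` and `-` in the Description column, which should be made consistent.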