The Node.js community is rapidly growing and thriving with new contributors and increased participation. As the community continues to expand, the focus on security remains critical to its success. With improved security measures in place and more outside participation, Node.js security sustainability is making progress.
In March, Varun Sharma and Ashish Kurmi from StepSecurity joined the Node.js Security Working Group to assist with the OpenSSF Scorecard initiative. StepSecurity specializes in supply chain security, and their addition to the group is a great asset. Also in March, Rafael Gonzaga, a member of the Node.js TSC, presented on Node.js security in Florence, Italy. His talk, "5 ways you could have hacked Node.js", focused on how anyone can get involved in Node.js security. In fact, two attendees from the event made their first pull requests to the Node.js project. This is the kind of participation and collaboration that Node.js security needs and encourages.
Understanding Permission Models in Node.js
The Node.js Permission Model has been built over the past nine months and has become an essential mechanism for better security. Last month it was merged into main, but some vulnerabilities were discovered in the process. As a result, the Permission Model ships starting with the Node.js 20 release, published on April 18, 2023. The Permission Model allows access to specific resources to be restricted during program execution. The API sits behind an experimental flag (`--experimental-permission`) which, when enabled, restricts access to all guarded resources unless explicitly allowed. Access to the filesystem, spawning processes, and creating worker_threads can all be restricted. To establish a comprehensive roadmap for the Permission Model, the working group has also created a Permission Model roadmap issue. To find out more, please refer to the first pull request from last August and the recent merge into main. The OpenJS Foundation encourages the community to participate in this exciting development.
Node.js Security Management
The Security Working Group started reviewing all dependencies in Node.js in November 2022. They wanted to see whether updates were automated and, if not, which ones should be prioritized. For example, OpenSSL had documentation on how to update it, but no GitHub Action. This work has continued, and most Node.js dependencies are now automated, with 18 out of 21 dependencies currently updated automatically.
The OpenJS Foundation is working hard to encourage ecosystem adoption, a crucial component of Node.js security. In March, they collaborated with the Fastify project, reviewing and addressing three reports:
1. CVE-2023-29019 (@fastify/passport)
2. CVE-2023-29020 (@fastify/passport)
3. CVE-2023-27495 (@fastify/csrf-protection)
They anticipate this type of work with ecosystem partners becoming increasingly common in the future.
The OpenJS Foundation created a package called is-my-node-vulnerable to test your specific Node.js installation easily. It helps ensure the security of your Node.js installation by checking for known vulnerabilities: it compares the version of Node.js you have installed (process.version) against the Node.js Security Database and alerts you if a vulnerability is found.
In conclusion, Node.js security is a collaborative effort that is open to everyone, and with increasing participation and the implementation of new security measures, it will continue to thrive.