meta: clarify the threat model to explain the JSON.parse case

Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: https://github.com/nodejs/node/pull/47276 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2025-12-06 00:20:08 +01:00 · 2023-03-30 14:40:57 +02:00 · 2023-03-30 14:40:57 +02:00 · 42c4a35952
commit 42c4a35952
parent 18e1f3c3a3
1 changed files with 4 additions and 2 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -116,7 +116,8 @@ lead to a loss of confidentiality, integrity, or availability.
   npm registry.
   The code run inherits all the privileges of the execution user.
 4. Inputs provided to it by the code it is asked to run, as it is the
-   responsibility of the application to perform the required input validations.
+   responsibility of the application to perform the required input validations,
+   e.g. the input to `JSON.parse()`.
 5. Any connection used for inspector (debugger protocol) regardless of being
   opened by command line options or Node.js APIs, and regardless of the remote
   end being on the local machine or remote.
@ -124,7 +125,8 @@ lead to a loss of confidentiality, integrity, or availability.
   See <https://nodejs.org/api/modules.html#all-together>.

 Any unexpected behavior from the data manipulation from Node.js Internal
-functions are considered a vulnerability.
+functions may be considered a vulnerability if they are expoitable via
+untrusted resources.

 In addition to addressing vulnerabilities based on the above, the project works
 to avoid APIs and internal implementations that make it "easy" for application