Title: doc: clarify build environment is trusted in threat model by mcollina · Pull Request #61865 · nodejs/node · GitHub
Open Graph Title: doc: clarify build environment is trusted in threat model by mcollina · Pull Request #61865 · nodejs/node
X Title: doc: clarify build environment is trusted in threat model by mcollina · Pull Request #61865 · nodejs/node
Description: Summary Add build system attacks to the "Examples of non-vulnerabilities" section in SECURITY.md Clarify that the build environment (environment variables, filesystem, locally installed tools) is a trusted element Command injection via env vars in build scripts (CC, CXX, PKG_CONFIG, RUSTC), path hijacking in build output directories, and file permissions of build artifacts are not considered vulnerabilities This addresses a recurring class of HackerOne reports that claim vulnerabilities in configure.py or other build scripts by manipulating environment variables or the local filesystem. These scenarios require the attacker to already control the build environment, which is a trusted element per the existing threat model.
Open Graph Description: Summary Add build system attacks to the "Examples of non-vulnerabilities" section in SECURITY.md Clarify that the build environment (environment variables, filesystem, locally installed ...
X Description: Summary Add build system attacks to the "Examples of non-vulnerabilities" section in SECURITY.md Clarify that the build environment (environment variables, filesystem, locally in...
Opengraph URL: https://github.com/nodejs/node/pull/61865
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:e377baa4-89d2-8456-f2b9-7e00385273a8 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | B0C4:3F6F4D:2E1BFC:3E705A:6A4C215A |
| html-safe-nonce | 31dab19c21dbd8d9756067f800c0bc4caa3839ebc7641b773566c422129e4740 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCMEM0OjNGNkY0RDoyRTFCRkM6M0U3MDVBOjZBNEMyMTVBIiwidmlzaXRvcl9pZCI6IjQ3NTU5MDU0NjQzMjI3NjEwNTAiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | f478fae63d686482caa8fa3ab45941a021c6aff2ce64d06c232d0c1e3759400f |
| hovercard-subject-tag | pull_request:3294967899 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/nodejs/node/pull/61865/files |
| twitter:image | https://avatars.githubusercontent.com/u/52195?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/52195?s=400&v=4 |
| og:image:alt | Summary Add build system attacks to the "Examples of non-vulnerabilities" section in SECURITY.md Clarify that the build environment (environment variables, filesystem, locally installed ... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 1b6b16d04026f131a36d57e3b01d0f4d26a51800edf48bf5ed0256e0ac905511 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/nodejs/node git https://github.com/nodejs/node.git |
| octolytics-dimension-user_id | 9950313 |
| octolytics-dimension-user_login | nodejs |
| octolytics-dimension-repository_id | 27193779 |
| octolytics-dimension-repository_nwo | nodejs/node |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 27193779 |
| octolytics-dimension-repository_network_root_nwo | nodejs/node |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | f95fb36c72adc940ff991c03531114b2245658d0 |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width