Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wasi: clearly document sandboxing & file system security status #50396

Closed
wants to merge 1 commit into from

Conversation

guybedford
Copy link
Contributor

@guybedford guybedford commented Oct 25, 2023

Currently we use the term "sandbox" in the node:wasi documentation, which can be misconstrued as forming a security model.

This PR firstly removes the usage of the term "sandbox" and then also updates the docs to include a warning that WASI in Node.js is not a secure capability system and that this is not part of the Node.js threat model. This is very similar to what we already do for the VM module in being clear it does not provide a comprehensive security model for running untrusted code.

Finally, this PR adds a new section on Security to the WASI docs. If we improve the security properties in future, this versioned security documentation can form part of the contract of the implementation so that we can treat the addition of any security guarantees in future as a feature. Perhaps we never get there but it at least leaves the door open to that.

In terms of what would be required to claim our implementation does in fact provide secure sandboxing - the main issue right now is that the filesystem sandboxing is escapable via timing approaches with symlinks. The way to solve this from a security perspective would be to expose the openat primitive in libuv and use that to build a secure model. I created a discussion issue for this in libuv/libuv#4167. This would have a slight performance cost, but would form the correct primitive to provide a secure filesystem sandbox.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/wasi

@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. wasi Issues and PRs related to the WebAssembly System Interface. labels Oct 25, 2023
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

their own custom `env`, `preopens`, `stdin`, `stdout`, `stderr`, and `exit`
capabilities.

**The current Node.js threat model does not provide secure sandboxing as is
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could mention it in the SECURITY.md file

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, this is already covered by the existing thread model definition in SECURITY.md for Node.js, unless we want to explicitly call out WASI there?

@guybedford guybedford added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 31, 2023
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Oct 31, 2023
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/50396
✔  Done loading data for nodejs/node/pull/50396
----------------------------------- PR info ------------------------------------
Title      wasi: clearly document sandboxing & file system security status (#50396)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     guybedford:wasi-security -> nodejs:main
Labels     doc, wasi
Commits    1
 - wasi: clearly document sandboxing & file system security status
Committers 1
 - Guy Bedford 
PR-URL: https://github.com/nodejs/node/pull/50396
Reviewed-By: Michael Dawson 
Reviewed-By: James M Snell 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/50396
Reviewed-By: Michael Dawson 
Reviewed-By: James M Snell 
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last approving review:
   ⚠  - wasi: clearly document sandboxing & file system security status
   ℹ  This PR was created on Wed, 25 Oct 2023 18:50:44 GMT
   ✔  Approvals: 2
   ✔  - Michael Dawson (@mhdawson) (TSC): https://github.com/nodejs/node/pull/50396#pullrequestreview-1698108476
   ✔  - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/50396#pullrequestreview-1702811418
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/6713160160

guybedford added a commit that referenced this pull request Oct 31, 2023
PR-URL: #50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@guybedford
Copy link
Contributor Author

Landed in ffb326c.

@guybedford guybedford closed this Oct 31, 2023
@guybedford guybedford deleted the wasi-security branch October 31, 2023 23:08
@guybedford guybedford removed the commit-queue-failed An error occurred while landing this pull request using GitHub Actions. label Oct 31, 2023
alexfernandez pushed a commit to alexfernandez/node that referenced this pull request Nov 1, 2023
PR-URL: nodejs#50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
anonrig pushed a commit to anonrig/node that referenced this pull request Nov 9, 2023
PR-URL: nodejs#50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Nov 11, 2023
PR-URL: #50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Nov 14, 2023
PR-URL: #50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
UlisesGascon pushed a commit that referenced this pull request Dec 11, 2023
PR-URL: #50396
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@UlisesGascon UlisesGascon mentioned this pull request Dec 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations. wasi Issues and PRs related to the WebAssembly System Interface.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants