From 23362c0d7100fee0a38cca29f27311692e478f76 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 27 Jan 2025 18:17:37 -0300 Subject: [PATCH 1/6] doc: add binary generation threat --- MAINTAINERS_THREAT_MODEL.md | 56 +++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index bb27f2186..1fc3ceaf4 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md 
@@ -99,3 +99,59 @@ or inderictly (builds process/testing) | **Social media accounts** | - | N\A | | **Email** (nodejs-sec) | - | N\A | | **Email** (io.js aliases) | - | N\A | + +### Malicious release binary generation in Node.js release/build processes + +In this scenario we asume that a malicious actor will include a malicios code +(malware, malicious dependencies, polluted binaries...) in the release binaries +available through the Nodejs.org downloads. + +**Vectors:** + +* Use priviledge access to GitHub in order to add/modify/pollute the Git History +for the tooling/build repositories (like ansible scripts, etc..) +* Pollute directly machines that are part of the CI/release inventory used by +Jenkins/GH Actions +* Manipulate the CI/release pipelines in Jenkins or GH Actions (add/modify custom +scripts, pollute plugins, overwrite configuration...) +* Swaping out release binaries where they are hosted on nodejs.org web server +* Modifying the cloudflare configuration to change were binaries are served from +* Modifying the vercel website configation + +**Related CWEs:** + +* [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html) +* [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html) +* [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html) +* [CWE-353: Missing Support for Integrity Check](https://cwe.mitre.org/data/definitions/353.html) +* [CWE-506: Embedded Malicious Code](https://cwe.mitre.org/data/definitions/506.html) + +| Resource | Minimum Access | Description | +|- |- |- | +| **HackerOne** | - | N\A | +| **MITRE** | - | N\A | +| **private/node-private** | - | N\A | +| **private/security-release** | - | N\A | +| **private/secrets** | r | read access to secrets grants access to key resources | +| **nodejs/node** | - | N\A | +| **nodejs/deps¹** | - | N\A | +| **nodejs/build** (GH) | w | write 
access would allow key scripts, infra to be modified | +| **nodejs/docker-node** | - | - | +| **nodejs/node-core-utils** | - | N\A | +| **npm account** | - | N\A | +| **Jenkins CI - test** | - | N\A | +| **Jenkins CI - release** | w | access to jenkins used for build would allow swapping published binaries | +| **Infra - test** | - | N/A | +| **Infra - release** | w | access to machines used for build would allow swapping published binaries | +| **Build infra** | w | access to machines used for build would allow swapping published binaries | +| **Website Infra** | w | access to machines used for build would allow swapping published binaries | +| **Youtube** | - | N\A | +| **Zoom** | - | N\A | +| **1Password** | r | read access to secrets grants access to key resources | +| **Social media accounts** | - | N\A | +| **Email** (nodejs-sec) | - | N\A | +| **Email** (io.js aliases) | - | N\A | + +Notes: + +* Orka infra is shared, so any orka admin can modify test/relese machines From a71cbbc7250c2b99344ea2afa4a57b0f1025aa78 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 27 Jan 2025 18:47:32 -0300 Subject: [PATCH 2/6] doc: add malicious docker images threat --- MAINTAINERS_THREAT_MODEL.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index 1fc3ceaf4..5278622c5 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md 
@@ -155,3 +155,31 @@ scripts, pollute plugins, overwrite configuration...) Notes: * Orka infra is shared, so any orka admin can modify test/relese machines + +### Malicious docker images + +| Resource | Minimum Access | Description | +|-|-|-| +| **HackerOne** | - | N\A | +| **MITRE** | - | N\A | +| **private/node-private** | - | N\A | +| **private/security-release** | - | N\A | +| **private/secrets** | r | read access to secrets grants access to key resources | +| **nodejs/node** | - | N\A | +| **nodejs/deps¹** | - | N\A | +| **nodejs/build** (GH) | w | write access would allow key scripts, infra to be modified | +| **nodejs/docker-node** | w | modification of Docker files can modify what node.js binaries are in the images +| **nodejs/node-core-utils** | - | N\A | +| **npm account** | - | N\A | +| **Jenkins CI - test** | - | N\A | +| **Jenkins CI - release** | w | access to jenkins used for build would allow swapping published binaries | +| **Infra - test** | - | N/A | +| **Infra - release** | w | access to machines used for build would allow swapping published binaries | +| **Build infra** | w | access to machines used for build would allow swapping published binaries | +| **Website Infra** | w | access to machines used for build would allow swapping published binaries | +| **Youtube** | - | N\A | +| **Zoom** | - | N\A | +| **1Password** | r | read access to secrets grants access to key resources | +| **Social media accounts** | - | N\A | +| **Email** (nodejs-sec) | - | N\A | +| **Email** (io.js aliases) | - | N\A | From 93885510af8de547de459e369c26b04c607310af Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Mon, 27 Jan 2025 16:57:00 -0500 Subject: [PATCH 3/6] Update MAINTAINERS_THREAT_MODEL.md Co-authored-by: Yagiz Nizipli --- MAINTAINERS_THREAT_MODEL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index 5278622c5..7ce43911c 100644 --- a/MAINTAINERS_THREAT_MODEL.md 
+++ b/MAINTAINERS_THREAT_MODEL.md @@ -102,7 +102,7 @@ or inderictly (builds process/testing) ### Malicious release binary generation in Node.js release/build processes -In this scenario we asume that a malicious actor will include a malicios code +In this scenario we assume that a malicious actor will include a malicios code (malware, malicious dependencies, polluted binaries...) in the release binaries available through the Nodejs.org downloads. From b4fc2f644e1ab394ad0d9d61eeb183e993008c88 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Tue, 4 Feb 2025 10:12:07 -0300 Subject: [PATCH 4/6] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Stewart X Addison <6487691+sxa@users.noreply.github.com> Co-authored-by: Ulises Gascón --- MAINTAINERS_THREAT_MODEL.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index 7ce43911c..d6992cc79 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md @@ -102,7 +102,7 @@ or inderictly (builds process/testing) ### Malicious release binary generation in Node.js release/build processes -In this scenario we assume that a malicious actor will include a malicios code +In this scenario we assume that a malicious actor will include a malicious code (malware, malicious dependencies, polluted binaries...) in the release binaries available through the Nodejs.org downloads. 
@@ -114,7 +114,7 @@ for the tooling/build repositories (like ansible scripts, etc..) Jenkins/GH Actions * Manipulate the CI/release pipelines in Jenkins or GH Actions (add/modify custom scripts, pollute plugins, overwrite configuration...) -* Swaping out release binaries where they are hosted on nodejs.org web server +* Swapping out release binaries where they are hosted on nodejs.org web server * Modifying the cloudflare configuration to change were binaries are served from * Modifying the vercel website configation @@ -167,16 +167,17 @@ Notes: | **private/secrets** | r | read access to secrets grants access to key resources | | **nodejs/node** | - | N\A | | **nodejs/deps¹** | - | N\A | -| **nodejs/build** (GH) | w | write access would allow key scripts, infra to be modified | +| **nodejs/build** (GH) | - | N\A | +| **nodejs/unofficial-builds** (GH) | w | write access would allow key scripts, infra to be modified | | **nodejs/docker-node** | w | modification of Docker files can modify what node.js binaries are in the images | **nodejs/node-core-utils** | - | N\A | | **npm account** | - | N\A | | **Jenkins CI - test** | - | N\A | -| **Jenkins CI - release** | w | access to jenkins used for build would allow swapping published binaries | +| **Jenkins CI - release** | - | N\A | | **Infra - test** | - | N/A | -| **Infra - release** | w | access to machines used for build would allow swapping published binaries | -| **Build infra** | w | access to machines used for build would allow swapping published binaries | -| **Website Infra** | w | access to machines used for build would allow swapping published binaries | +| **Infra - release** | - | N\A | +| **Build infra** | w | access to machine used for unofficial-builds as server | +| **Website Infra** | - | N\A | | **Youtube** | - | N\A | | **Zoom** | - | N\A | | **1Password** | r | read access to secrets grants access to key resources | From 744541a40f0ee57de3c4b461757eb1365d62a3f5 Mon Sep 17 00:00:00 2001 
From: Rafael Gonzaga Date: Tue, 4 Feb 2025 10:12:26 -0300 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Richard Lau --- MAINTAINERS_THREAT_MODEL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index d6992cc79..7fc343662 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md @@ -133,7 +133,7 @@ scripts, pollute plugins, overwrite configuration...) | **private/node-private** | - | N\A | | **private/security-release** | - | N\A | | **private/secrets** | r | read access to secrets grants access to key resources | -| **nodejs/node** | - | N\A | +| **nodejs/node** | w | N\A | | **nodejs/deps¹** | - | N\A | | **nodejs/build** (GH) | w | write access would allow key scripts, infra to be modified | | **nodejs/docker-node** | - | - | From 7eb420c3638c9183dae35c0c87874227911fb311 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Tue, 4 Feb 2025 15:28:20 -0300 Subject: [PATCH 6/6] fixup! node-core-utils to w --- MAINTAINERS_THREAT_MODEL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS_THREAT_MODEL.md b/MAINTAINERS_THREAT_MODEL.md index 7fc343662..6c6fae258 100644 --- a/MAINTAINERS_THREAT_MODEL.md +++ b/MAINTAINERS_THREAT_MODEL.md @@ -137,7 +137,7 @@ scripts, pollute plugins, overwrite configuration...) | **nodejs/deps¹** | - | N\A | | **nodejs/build** (GH) | w | write access would allow key scripts, infra to be modified | | **nodejs/docker-node** | - | - | -| **nodejs/node-core-utils** | - | N\A | +| **nodejs/node-core-utils** | w | N\A | | **npm account** | - | N\A | | **Jenkins CI - test** | - | N\A | | **Jenkins CI - release** | w | access to jenkins used for build would allow swapping published binaries |
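
Review bot: In PATCH 1/6 (hunk `@@ -99,3 +99,59 @@`), the `Website Infra` row reuses the build-machine description "access to machines used for build would allow swapping published binaries", while the vectors that concern the website are different ones: swapping binaries where they are hosted on the nodejs.org web server, and changing the Cloudflare or Vercel configuration. Suggest a description that names those, so the table and the Vectors list agree on what write access to the website infrastructure enables. In the same hunk, `| **nodejs/docker-node** | - | - |` uses `-` where every other no-access row uses `N\A`, and `Infra - test` uses `N/A`; pick one spelling. Typos still present after the whole series: "priviledge access", "change were binaries are served from", "vercel website configation", "test/relese machines".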
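
Review bot: In PATCH 2/6 (hunk `@@ -155,3 +155,31 @@`), the `nodejs/docker-node` row is missing its closing ` |`: the line ends at "...what node.js binaries are in the images" and the next row starts immediately. Every other row is terminated, and PATCH 4/6 carries this line as unchanged context, so it is still unterminated at the end of the series. The new "Malicious docker images" section also consists of the table alone; the section added in PATCH 1/6 has a scenario paragraph, a **Vectors** list and **Related CWEs**, and this one needs at least the scenario sentence so a reader knows which images and which distribution path the access levels refer to.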
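
Review bot: In PATCH 4/6 (second hunk, `@@ -167,16 +167,17 @@`), the new `Build infra` description "access to machine used for unofficial-builds as server" does not say what that access allows; the other `w` rows state the consequence ("would allow swapping published binaries", "would allow key scripts, infra to be modified"). Suggest wording it the same way. The hunk also moves `nodejs/build`, `Jenkins CI - release`, `Infra - release` and `Website Infra` to `- | N\A` and introduces `nodejs/unofficial-builds` as the `w` resource, which changes where the trust boundary for Docker images sits, but neither the section nor the commit message ("Apply suggestions from code review") records why. One sentence in the section stating that the images depend on unofficial-builds rather than the release pipeline would make these rows reviewable later.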
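
Review bot: In PATCH 5/6 (hunk `@@ -133,7 +133,7 @@`), `nodejs/node` is raised to `w` but the Description column stays `N\A`, giving `| **nodejs/node** | w | N\A |`. Every other row with `r` or `w` in this table explains what the access enables; a minimum access level with no stated consequence cannot be checked against the Vectors list. Add the description (for example, what write access to the source repository lets an attacker place into a release build) or keep the level at `-`.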
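
Review bot: In PATCH 6/6 (hunk `@@ -137,7 +137,7 @@`), `nodejs/node-core-utils` becomes `w` with the description left as `N\A`; state what write access to the tooling repository allows in the release process. The change touches only the release-binary table, and the "Malicious docker images" table added in PATCH 2/6 keeps `| **nodejs/node-core-utils** | - | N\A |`; confirm that difference is intended. The subject "fixup! node-core-utils to w" indicates a commit meant to be squashed into its target before landing.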