# HG changeset patch # User Yaroslav Zhuravlev # Date 1672935980 0 # Node ID bd8482c5a7fe3a5ecfa3b9565529963bb5479ff5 # Parent ef7f2666cc09606af0086455e342164adbd09358 Added "Security" section in njs. diff --git a/xml/en/GNUmakefile b/xml/en/GNUmakefile --- a/xml/en/GNUmakefile +++ b/xml/en/GNUmakefile @@ -132,6 +132,7 @@ REFS = \ njs/compatibility \ njs/install \ njs/reference \ + njs/security \ njs/node_modules \ njs/typescript \ diff --git a/xml/en/docs/njs/index.xml b/xml/en/docs/njs/index.xml --- a/xml/en/docs/njs/index.xml +++ b/xml/en/docs/njs/index.xml @@ -9,7 +9,7 @@
@@ -50,6 +50,10 @@ The compliance is still + + + diff --git a/xml/en/docs/njs/security.xml b/xml/en/docs/njs/security.xml new file mode 100644 --- /dev/null +++ b/xml/en/docs/njs/security.xml @@ -0,0 +1,71 @@ + + + + + + +
+ +
+ + +All njs security issues should be reported to +security-alert@nginx.org. + + + +Patches are signed using one of the +PGP public keys. + + +
+ + +
+ + +njs does not evaluate dynamic code +and especially the code received from the network in any way. +The only way to evaluate that code using njs +is to configure the +js_import +directive in nginx. +JavaScript code is loaded once during nginx start. + + + +In nginx/njs threat model, JavaScript code is considered a trusted source +in the same way as nginx.conf and sites certificates. +What this means in practice: + + + + +memory disclosure and other security issues +triggered by JavaScript code modification +are not considered security issues, but as ordinary bugs + + + +measures should be taking for protecting JavaScript code used by njs + + + +if no js_import +directives are present in nginx.conf, +nginx is safe from JavaScript-related vulnerabilities + + + + + +
+ + +
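Review bot: In the new xml/en/docs/njs/security.xml, the second section's opening paragraph is ambiguous. "The only way to evaluate that code using njs is to configure the js_import directive" follows a sentence saying that dynamic and network-received code is never evaluated, so "that code" reads as referring to the very code that is never evaluated. Suggest "The only way to have njs evaluate JavaScript code is to configure the js_import directive in nginx." In the third list item, "if no js_import directives are present in nginx.conf" would be more precise as "in the nginx configuration", since the configuration can be split across included files. Wording in the same hunk: "measures should be taking for protecting" should be "measures should be taken to protect", "sites certificates" should be "site certificates", and "are not considered security issues, but as ordinary bugs" reads better as "are treated as ordinary bugs, not as security issues".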