Mercurial > hg > nginx-site

changeset 2924:bd8482c5a7fe

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Added "Security" section in njs.
author Yaroslav Zhuravlev <yar@nginx.com>
date Thu, 05 Jan 2023 16:26:20 +0000
parents ef7f2666cc09
children 3be061a0941a
files xml/en/GNUmakefile xml/en/docs/njs/index.xml xml/en/docs/njs/security.xml
diffstat 3 files changed, 77 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/xml/en/GNUmakefile
+++ b/xml/en/GNUmakefile
@@ -132,6 +132,7 @@ REFS =									\
 		njs/compatibility					\
 		njs/install						\
 		njs/reference						\
+		njs/security						\
 		njs/node_modules					\
 		njs/typescript						\
 
--- a/xml/en/docs/njs/index.xml
+++ b/xml/en/docs/njs/index.xml
@@ -9,7 +9,7 @@
 <article name="njs scripting language"
         link="/en/docs/njs/index.html"
         lang="en"
-        rev="32"
+        rev="33"
         toc="no">
 
 <section id="summary">
@@ -50,6 +50,10 @@ The compliance is still <link doc="compa
 </listitem>
 
 <listitem>
+<link doc="security.xml"/>
+</listitem>
+
+<listitem>
 <link doc="compatibility.xml"/>
 </listitem>
 
new file mode 100644
--- /dev/null
+++ b/xml/en/docs/njs/security.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0"?>
+
+<!--
+  Copyright (C) Nginx, Inc.
+  -->
+
+<!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">
+
+<article name="Security"
+        link="/en/docs/njs/security.html"
+        lang="en"
+        rev="1"
+        toc="no">
+
+<section>
+
+<para>
+All njs security issues should be reported to
+<literal>security-alert@nginx.org</literal>.
+</para>
+
+<para>
+Patches are signed using one of the
+<link doc="../../pgp_keys.xml">PGP public keys</link>.
+</para>
+
+</section>
+
+
+<section id="considerations" name="Special considerations">
+
+<para>
+njs does not evaluate dynamic code
+and especially the code received from the network in any way.
+The only way to evaluate that code using njs
+is to configure the
+<link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link>
+directive in nginx.
+JavaScript code is loaded once during nginx start.
+</para>
+
+<para>
+In nginx/njs threat model, JavaScript code is considered a trusted source
+in the same way as <literal>nginx.conf</literal> and sites certificates.
+What this means in practice:
+
+<list type="bullet">
+
+<listitem>
+memory disclosure and other security issues
+triggered by JavaScript code modification
+are not considered security issues, but as ordinary bugs
+</listitem>
+
+<listitem>
+measures should be taking for protecting JavaScript code used by njs
+</listitem>
+
+<listitem>
+if no <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link>
+directives are present in <literal>nginx.conf</literal>,
+nginx is safe from JavaScript-related vulnerabilities
+</listitem>
+
+</list>
+</para>
+
+</section>
+
+
+</article>