diff options
author | Bradley Farias <bradley.meck@gmail.com> | 2018-09-13 14:27:12 -0500 |
---|---|---|
committer | Bradley Farias <bradley.meck@gmail.com> | 2019-01-17 09:43:42 -0600 |
commit | 9d5fbeb55fb1927928237e09475d39346d9c3ad9 (patch) | |
tree | ca2f567ff647c9a1706f39e93e54caa03cd98c1d /doc/api | |
parent | 7b6e9aedaf8c9aa219ff759bed6b1680910eefe0 (diff) | |
download | android-node-v8-9d5fbeb55fb1927928237e09475d39346d9c3ad9.tar.gz android-node-v8-9d5fbeb55fb1927928237e09475d39346d9c3ad9.tar.bz2 android-node-v8-9d5fbeb55fb1927928237e09475d39346d9c3ad9.zip |
policy: manifest with subresource integrity checks
This enables code loaded via the module system to be checked for
integrity to ensure the code loaded matches expectations.
PR-URL: https://github.com/nodejs/node/pull/23834
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Diffstat (limited to 'doc/api')
-rw-r--r-- | doc/api/cli.md | 7 | ||||
-rw-r--r-- | doc/api/errors.md | 42 | ||||
-rw-r--r-- | doc/api/index.md | 1 | ||||
-rw-r--r-- | doc/api/policy.md | 104 |
4 files changed, 154 insertions, 0 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md index 977a0fd1f5..78994f428b 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -90,6 +90,13 @@ added: v8.5.0 Enable experimental ES module support and caching modules. +### `--experimental-policy` +<!-- YAML +added: TODO +--> + +Use the specified file as a security policy. + ### `--experimental-repl-await` <!-- YAML added: v10.0.0 diff --git a/doc/api/errors.md b/doc/api/errors.md index 610060a151..bb903ed0ee 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1380,6 +1380,39 @@ An attempt was made to open an IPC communication channel with a synchronously forked Node.js process. See the documentation for the [`child_process`][] module for more information. +<a id="ERR_MANIFEST_ASSERT_INTEGRITY"></a> +### ERR_MANIFEST_ASSERT_INTEGRITY + +An attempt was made to load a resource, but the resource did not match the +integrity defined by the policy manifest. See the documentation for [policy] +manifests for more information. + +<a id="ERR_MANIFEST_INTEGRITY_MISMATCH"></a> +### ERR_MANIFEST_INTEGRITY_MISMATCH + +An attempt was made to load a policy manifest, but the manifest had multiple +entries for a resource which did not match each other. Update the manifest +entries to match in order to resolve this error. See the documentation for +[policy] manifests for more information. + +<a id="ERR_MANIFEST_PARSE_POLICY"></a> +### ERR_MANIFEST_PARSE_POLICY + +An attempt was made to load a policy manifest, but the manifest was unable to +be parsed. See the documentation for [policy] manifests for more information. + +<a id="ERR_MANIFEST_TDZ"></a> +### ERR_MANIFEST_TDZ + +An attempt was made to read from a policy manifest, but the manifest +initialization has not yet taken place. This is likely a bug in Node.js. + +<a id="ERR_MANIFEST_UNKNOWN_ONERROR"></a> +### ERR_MANIFEST_UNKNOWN_ONERROR + +A policy manifest was loaded, but had an unknown value for its "onerror" +behavior. See the documentation for [policy] manifests for more information. + <a id="ERR_MEMORY_ALLOCATION_FAILED"></a> ### ERR_MEMORY_ALLOCATION_FAILED @@ -1590,6 +1623,13 @@ An attempt was made to operate on an already closed socket. A call was made and the UDP subsystem was not running. +<a id="ERR_SRI_PARSE"></a> +### ERR_SRI_PARSE + +A string was provided for a Subresource Integrity check, but was unable to be +parsed. Check the format of integrity attributes by looking at the +[Subresource Integrity specification][]. + <a id="ERR_STREAM_CANNOT_PIPE"></a> ### ERR_STREAM_CANNOT_PIPE @@ -2229,7 +2269,9 @@ such as `process.stdout.on('data')`. [domains]: domain.html [event emitter-based]: events.html#events_class_eventemitter [file descriptors]: https://en.wikipedia.org/wiki/File_descriptor +[policy]: policy.html [stream-based]: stream.html [syscall]: http://man7.org/linux/man-pages/man2/syscalls.2.html +[Subresource Integrity specification]: https://www.w3.org/TR/SRI/#the-integrity-attribute [try-catch]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/try...catch [vm]: vm.html diff --git a/doc/api/index.md b/doc/api/index.md index 23fe9bfa03..a1bc34e81f 100644 --- a/doc/api/index.md +++ b/doc/api/index.md @@ -39,6 +39,7 @@ * [OS](os.html) * [Path](path.html) * [Performance Hooks](perf_hooks.html) +* [Policies](policy.html) * [Process](process.html) * [Punycode](punycode.html) * [Query Strings](querystring.html) diff --git a/doc/api/policy.md b/doc/api/policy.md new file mode 100644 index 0000000000..ee8109efd6 --- /dev/null +++ b/doc/api/policy.md @@ -0,0 +1,104 @@ +# Policies + +<!--introduced_in=TODO--> +<!-- type=misc --> + +> Stability: 1 - Experimental + +<!-- name=policy --> + +Node.js contains experimental support for creating policies on loading code. + +Policies are a security feature intended to allow guarantees +about what code Node.js is able to load. The use of policies assumes +safe practices for the policy files such as ensuring that policy +files cannot be overwritten by the Node.js application by using +file permissions. + +A best practice would be to ensure that the policy manifest is read only for +the running Node.js application, and that the file cannot be changed +by the running Node.js application in any way. A typical setup would be to +create the policy file as a different user id than the one running Node.js +and granting read permissions to the user id running Node.js. + +## Enabling + +<!-- type=misc --> + +The `--experimental-policy` flag can be used to enable features for policies +when loading modules. + +Once this has been set, all modules must conform to a policy manifest file +passed to the flag: + +```sh +node --experimental-policy=policy.json app.js +``` + +The policy manifest will be used to enforce constraints on code loaded by +Node.js. + +## Features + +### Error Behavior + +When a policy check fails, Node.js by default will throw an error. +It is possible to change the error behavior to one of a few possibilities +by defining an "onerror" field in a policy manifest. The following values are +available to change the behavior: + +* `"exit"` - will exit the process immediately. + No cleanup code will be allowed to run. +* `"log"` - will log the error at the site of the failure. +* `"throw"` (default) - will throw a JS error at the site of the failure. + +```json +{ + "onerror": "log", + "resources": { + "./app/checked.js": { + "integrity": "sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0" + } + } +} +``` + +### Integrity Checks + +Policy files must use integrity checks with Subresource Integrity strings +compatible with the browser +[integrity attribute](https://www.w3.org/TR/SRI/#the-integrity-attribute) +associated with absolute URLs. + +When using `require()` all resources involved in loading are checked for +integrity if a policy manifest has been specified. If a resource does not match +the integrity listed in the manifest, an error will be thrown. + +An example policy file that would allow loading a file `checked.js`: + +```json +{ + "resources": { + "./app/checked.js": { + "integrity": "sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0" + } + } +} +``` + +Each resource listed in the policy manifest can be of one the following +formats to determine its location: + +1. A [relative url string][] to a resource from the manifest such as `./resource.js`, `../resource.js`, or `/resource.js`. +2. A complete url string to a resource such as `file:///resource.js`. + +When loading resources the entire URL must match including search parameters +and hash fragment. `./a.js?b` will not be used when attempting to load +`./a.js` and vice versa. + +In order to generate integrity strings, a script such as +`printf "sha384-$(cat checked.js | openssl dgst -sha384 -binary | base64)"` +can be used. + + +[relative url string]: https://url.spec.whatwg.org/#relative-url-with-fragment-string |