12 changes: 12 additions & 0 deletions SECURITY.md
Expand Up @@ -335,6 +335,18 @@ the community they pose.
proper security boundaries between trusted application logic and untrusted
user input.

#### Unhandled 'error' Events on EventEmitters (CWE-248)

* EventEmitters that can emit `'error'` events require the application to
attach an `'error'` event handler. This includes HTTP streams and other
Node.js core streams. If the application fails to attach an `'error'`
handler, the EventEmitter will throw an uncaught exception, which may
crash the process.
* Crashes resulting from missing `'error'` handlers are not considered
denial-of-service vulnerabilities in Node.js. It is the application's
responsibility to properly handle errors by attaching appropriate
`'error'` event listeners to EventEmitters that may emit errors.

## Assessing experimental features reports

Experimental features are eligible for security reports just like any other
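
Review bot: The second added bullet excludes every crash "resulting from missing `'error'` handlers" without limiting that to emitters the application is able to attach a listener to. As written, it could be read as also excluding a case where an emitter is created internally and never exposed to application code, so the application has no chance to handle the error. Suggest narrowing the wording, for example "missing `'error'` handlers on EventEmitters exposed to the application", and saying explicitly whether errors on emitters the application cannot reach remain reportable. In the first bullet, "will throw an uncaught exception, which may crash the process" would be clearer as two steps: the emitter throws the error, and the process exits if nothing catches it.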